000015261 - Abandoned Sessions cause lockouts

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000015261

Applies To: Security enhancements in Service Pack 2 included a change to the way the challenge failure count is calculated. Prior to SP2, if a user was presented with a challenge question but did not attempt to answer it, there were no adverse consequences. From SP2 onwards, if a user is presented with a challenge question (AAOP Challenge API called) and no attempt to answer the question is received (AAOP Authenticate call with the same sessionID as the Challenge call) during the session lifetime, the expired session is counted as a failed challenge attempt and the challenge failure count is incremented.

This change was made to increase the security provided by the AAOP system. RSA believes that the change is in the best interests of our customers and recommends that all customers use this new feature. However, the change was not adequately documented in the SP2 release notes, and several customers have reported a significant increase in user lockout rates following the implementation of SP2 or SP3, so RSA will provide the ability to disable this feature in a future release.
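The following is an added Python model of the counting change described above, not RSA code: it tracks challenge sessions and compares the SP2+ behaviour (an expired, unanswered session counts as a failure) with the pre-SP2 behaviour. The lockout threshold and session lifetime are constructed values, and the method names are hypothetical stand-ins for the AAOP Challenge and Authenticate calls.

```python
from dataclasses import dataclass, field

LOCKOUT_THRESHOLD = 3   # constructed value; the real threshold is an AAOP policy setting
SESSION_LIFETIME = 300  # seconds; constructed value, the real lifetime is an AAOP configuration value


@dataclass
class ChallengeTracker:
    """Models the challenge-failure bookkeeping described in the article."""
    count_abandoned: bool                           # True = SP2+ behaviour, False = pre-SP2 behaviour
    failures: dict = field(default_factory=dict)    # user -> challenge failure count
    sessions: dict = field(default_factory=dict)    # session_id -> (user, issued_at)

    def challenge(self, user, session_id, now):
        # Stand-in for the Challenge API call: a question is presented and the session lifetime starts.
        self.sessions[session_id] = (user, now)

    def authenticate(self, user, session_id, answered_correctly, now):
        # Stand-in for the Authenticate call that references the session created by challenge().
        if session_id not in self.sessions:
            return False
        self.sessions.pop(session_id)
        if not answered_correctly:
            self.failures[user] = self.failures.get(user, 0) + 1
        return answered_correctly

    def expire_sessions(self, now):
        # Sessions whose lifetime elapsed with no Authenticate call are abandoned.
        expired = [sid for sid, (_, t) in self.sessions.items() if now - t >= SESSION_LIFETIME]
        for sid in expired:
            user, _ = self.sessions.pop(sid)
            if self.count_abandoned:  # SP2+: the expired session counts as a failed challenge
                self.failures[user] = self.failures.get(user, 0) + 1
        return len(expired)

    def is_locked_out(self, user):
        return self.failures.get(user, 0) >= LOCKOUT_THRESHOLD


def simulate_abandoned_sessions(count_abandoned, abandoned=3):
    """Issue `abandoned` challenges that are never answered; return (failure count, locked out)."""
    tracker = ChallengeTracker(count_abandoned)
    for i in range(abandoned):
        tracker.challenge("alice", f"sess-{i}", now=i * 10)
    tracker.expire_sessions(now=abandoned * 10 + SESSION_LIFETIME)
    return tracker.failures.get("alice", 0), tracker.is_locked_out("alice")
```

The same three abandoned challenges lock the user under the SP2+ rule and leave the count untouched under the pre-SP2 rule, which is the lockout-rate jump the article describes.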
Issue: The number of users being locked out by Adaptive Authentication On-Premise has increased since installing version SP2 or SP3.

Resolution: A permanent solution to this problem will be included in the SP3 P2 release, which is planned for GA in April 2012. As an interim workaround, the database trigger below can be used to prevent the failure count from being incremented when a session expires.

IMPORTANT NOTE: The following is a short-term workaround intended to provide immediate relief while a permanent solution is being developed. It is not intended to be used long term, and RSA will cease support for this workaround once the permanent solution is available. Customers who choose to implement this workaround assume responsibility for removing the workaround before performing any upgrade to their AAOP system.

For Oracle Systems:

In SQL*Plus connect as the Core schema owner and execute the following:

CREATE OR REPLACE TRIGGER resetSessionChallengeCounter
  BEFORE UPDATE ON <session_table>   -- placeholder: the article does not name the Core schema table that holds challenge_count; the triggering event shown here is an assumption
  FOR EACH ROW
BEGIN
  -- Reset the per-session challenge count so that an expiring session does not add a failed attempt
  :new.challenge_count := 0;
END;
/

To remove the workaround use the following command:

DROP TRIGGER resetSessionChallengeCounter;

Legacy Article ID: a57453