Applies To:

Security enhancements in 18.104.22.168 Service Pack 2 included a change to the way the challenge failure count is calculated. Prior to SP2, if a user was presented with a challenge question but did not attempt to answer it, there were no adverse consequences. From SP2 onwards, if a user is presented with a challenge question (AAOP Challenge API called) and no attempt to answer the question is received (an AAOP Authenticate call with the same sessionID as the Challenge call) during the session lifetime, the expired session is counted as a failed challenge attempt and the challenge failure count is incremented.

This change was made to increase the security provided by the AAOP system. RSA believes that the change is in the best interests of our customers and recommends that all customers use this new feature. However, the change was not adequately documented in the SP2 release notes, and several customers have reported a significant increase in user lockout rates following the implementation of SP2 or SP3, so RSA will be providing the ability to disable this feature in a future release.
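The counting rule described above, as an added illustration that is not part of this article or of the AAOP product: a small model that replays a constructed Challenge/Authenticate call log under the pre-SP2 rule (only wrong answers count) and the SP2 rule (an unanswered challenge whose session has expired also counts), and shows how the same log reaches a lockout threshold sooner. The session lifetime, lockout threshold, call-log format and evaluation time are assumptions chosen for the example.

```python
# Constructed sample call log (illustrative only, not from the article).
# Fields: seconds since start, user, API call, sessionID, answer result.
# A "challenge" row is an AAOP Challenge API call; an "authenticate" row is
# the AAOP Authenticate call for the same sessionID ("ok" or "wrong").
SAMPLE_CALLS = [
    (0,    "alice", "challenge",    "s1", None),
    (30,   "alice", "authenticate", "s1", "ok"),
    (100,  "alice", "challenge",    "s2", None),     # abandoned: never answered
    (700,  "alice", "challenge",    "s3", None),
    (720,  "alice", "authenticate", "s3", "wrong"),  # answered incorrectly
    (900,  "bob",   "challenge",    "s4", None),     # abandoned, expired by NOW
    (1500, "bob",   "challenge",    "s5", None),     # abandoned, not yet expired
    (1600, "bob",   "challenge",    "s6", None),     # still open at NOW
]
NOW = 1700              # evaluation time in seconds (assumption)
SESSION_LIFETIME = 300  # seconds a challenge session stays valid (assumption)


def challenge_failures(calls, count_expired, now=NOW, lifetime=SESSION_LIFETIME):
    """Return {user: failed challenge count} for the call log.

    count_expired=False reproduces the pre-SP2 rule: only an Authenticate call
    with a wrong answer within the session lifetime counts as a failure.
    count_expired=True reproduces the SP2 rule: a Challenge call with no
    Authenticate call for the same sessionID before the session lifetime ends
    is also counted, once that session has actually expired.
    """
    answers = {(u, sid): (t, r) for (t, u, api, sid, r) in calls if api == "authenticate"}
    failures = {}
    for ts, user, api, sid, _ in calls:
        if api != "challenge":
            continue
        failures.setdefault(user, 0)
        answer = answers.get((user, sid))
        if answer is not None and answer[0] <= ts + lifetime:
            if answer[1] == "wrong":
                failures[user] += 1      # wrong answer: counted under both rules
        elif count_expired and now >= ts + lifetime:
            failures[user] += 1          # expired without an answer: SP2 rule only
    return failures


def locked_out(failures, threshold):
    """Users whose failure count has reached the lockout threshold (assumption)."""
    return sorted(u for u, n in failures.items() if n >= threshold)


if __name__ == "__main__":
    for rule in (False, True):
        counts = challenge_failures(SAMPLE_CALLS, count_expired=rule)
        print("SP2 rule" if rule else "pre-SP2 rule", counts, locked_out(counts, 2))
```

With a threshold of 2, the same log locks out no one under the pre-SP2 rule but locks out alice under the SP2 rule, which is the lockout-rate increase customers reported.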
Issue:

The number of users being locked out by Adaptive Authentication On-Premise has increased since installing version 22.214.171.124 SP2 or SP3.
Resolution:

A permanent solution to this problem will be included in the 126.96.36.199 SP3 P2 release, which is planned for GA in April 2012. As an interim workaround, the database trigger below can be used to prevent the failure count from being incremented when a session expires.

IMPORTANT NOTE: The following is a short-term workaround intended to provide immediate relief while a permanent solution is being developed. It is not intended to be used long term, and RSA will cease support for this workaround once the permanent solution is available. Customers who choose to implement this workaround assume the responsibility for removing the workaround before performing any upgrade to their AAOP system.
For Oracle Systems:
In SQL*Plus, connect as the Core schema owner and execute the following (the article does not name the table that holds the challenge_count column; replace the placeholder with that Core schema table before running):
CREATE OR REPLACE TRIGGER resetSessionChallengeCounter
BEFORE INSERT OR UPDATE ON <session_table>   -- placeholder: Core schema table containing challenge_count
FOR EACH ROW
BEGIN
  -- Reset the per-session challenge failure count on every insert or update,
  -- so an expired session can no longer raise the user's failure count.
  :new.challenge_count := 0;
END;
/
To remove the workaround use the following command:
DROP TRIGGER resetSessionChallengeCounter;
Legacy Article ID: a57453