Authentication Method Lockout

Document created by RSA Information Design and Development on Jul 14, 2016Last modified by Andrea Taylor on Nov 17, 2017
Version 20Show Document
  • View in full screen mode

  

The following table provides lockout information for RSA SecurID Access authentication methods.

                                       
Authentication MethodLockout Information

Authenticate Tokencode

SMS Tokencode

Voice Tokencode

You can configure the number of times users can retry each tokencode method after the first unsuccessful authentication. After this many retries, the tokencode is locked. Each method is locked separately. For example, if you allow three retries, the Authenticate Tokencode is locked after four unsuccessful attempts, the SMS Tokencode is locked after four unsuccessful attempts, and the Voice Tokencode is locked after four unsuccessful attempts. Resending the SMS Tokencode or Voice Tokencode counts as a retry, even if the user did not attempt authentication. During lockout, the method cannot be used. The user's Cloud Authentication Service account is not locked or disabled.

A Super Admin or Help Desk Administrator must unlock the method on the Users > Management page. All tokencode methods are unlocked simultaneously and the lockout counter is cleared, even if the method was not locked. The lockout counter is also cleared for all tokencode methods after the user successfully authenticates.

To configure lockout, see Configure Session and Authentication Method Settings.

LDAP Directory PasswordYou can configure the number of unsuccessful attempts before the Cloud Authentication Service locks this method. During lockout, the Cloud Authentication Service ignores a user's password attempts until the lockout duration expires. To configure lockout, see Configure Session and Authentication Method Settings.
RSA SecurID TokenRSA Authentication Manager controls lockout for this method.

Device Biometrics

The iOS and Android operating systems can lock fingerprint verification on the user's mobile device.

FIDO TokenCannot be locked. You can delete a user's FIDO Token from RSA SecurID Access, forcing the user to re-register the token the next time it is used.
Eyeprint IDCannot be locked. After three unsuccessful authentication attempts, the user must restart the authentication process.
ApproveCannot be locked. After 60 seconds, the user must restart the authentication process.

 

 

 

 

 

You are here

Table of Contents > Authentication Methods > Authentication Method Lockout

Attachments

    Outcomes