Authentication Method Lockout

Document created by RSA Information Design and Development Employee on Jul 14, 2016. Last modified by RSA Information Design and Development Employee on Oct 20, 2020.
Version 54

The following table provides lockout information for RSA SecurID Access authentication methods.

                                   
Authentication Method | Lockout Information

Authenticate Tokencode

SMS Tokencode

Voice Tokencode

Emergency Tokencode (online access only)

You can configure the number of times users can retry each tokencode method after the first unsuccessful authentication. After this many retries, the tokencode is locked. Each method is counted and locked separately.

For example, if you allow three retries, the Authenticate Tokencode is locked after three unsuccessful Authenticate Tokencode attempts, SMS Tokencode is locked after three unsuccessful SMS Tokencode attempts, Voice Tokencode is locked after three unsuccessful Voice Tokencode attempts, and Emergency Tokencode is locked after three unsuccessful Emergency Tokencode attempts. In all cases, the fourth attempt fails even if the user enters the correct tokencode.

Resending the SMS Tokencode or Voice Tokencode counts as a retry, even if the user did not attempt authentication. During lockout, the method cannot be used. The user's Cloud Authentication Service account is not locked or disabled.

You unlock the Authenticate Tokencode, SMS Tokencode, and Voice Tokencode simultaneously on the Users > Management page. For instructions, see Manage Users for the Cloud Authentication Service. The lockout counter for all three tokencodes is then cleared, even if the method was not locked. The lockout counter is also cleared after the user successfully authenticates.

Emergency Tokencode cannot be manually unlocked. You must generate a new Emergency Tokencode to give the user emergency access.

Note: Emergency Tokencode can be locked for online access only. The offline Emergency Tokencode cannot be locked.

To configure lockout, see Configure Session and Authentication Method Settings.

LDAP Directory Password

You can configure the number of unsuccessful attempts before the Cloud Authentication Service locks this method. During lockout, the Cloud Authentication Service ignores a user's password attempts until the lockout duration expires. To configure lockout, see Configure Session and Authentication Method Settings.

RSA SecurID Token

RSA Authentication Manager controls lockout for this method.

Device Biometrics

The iOS and Android operating systems can lock Device Biometrics on the user's mobile device.

FIDO

Cannot be locked. You can delete a user's FIDO authenticator from RSA SecurID Access, forcing the user to re-register the token the next time it is used.

Approve

Cannot be locked. After 60 seconds, the user must restart the authentication process.
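The tokencode lockout rules in the table above, modeled as a small state machine. This is an added illustration, not RSA code or an RSA API: the class, method, and key names are hypothetical, and it assumes that a successful authentication clears only that method's counter and that issuing a new Emergency Tokencode starts a fresh counter.

```python
# Added illustration: a model of the documented tokencode lockout rules.
# Not RSA code; all names here are hypothetical.
ADMIN_UNLOCKABLE = {"authenticate", "sms", "voice"}  # cleared together by an admin
RESENDABLE = {"sms", "voice"}                        # resending counts as a retry
METHODS = ADMIN_UNLOCKABLE | {"emergency"}           # emergency = online access only


class TokencodeLockoutModel:
    def __init__(self, retries_allowed):
        self.retries_allowed = retries_allowed
        # Each method is counted and locked separately.
        self.failures = {m: 0 for m in METHODS}

    def is_locked(self, method):
        return self.failures[method] >= self.retries_allowed

    def attempt(self, method, code_correct):
        """Return True only if the authentication attempt succeeds."""
        if self.is_locked(method):
            return False  # a correct tokencode still fails during lockout
        if code_correct:
            # Assumption: success clears this method's counter only.
            self.failures[method] = 0
            return True
        self.failures[method] += 1
        return False

    def resend(self, method):
        """Resend an SMS or Voice Tokencode; this consumes a retry."""
        if method not in RESENDABLE:
            raise ValueError("only SMS and Voice Tokencodes can be resent")
        if not self.is_locked(method):
            self.failures[method] += 1

    def admin_unlock(self):
        """Unlock from Users > Management: clears all three counters at once."""
        for m in ADMIN_UNLOCKABLE:
            self.failures[m] = 0  # Emergency Tokencode is deliberately untouched

    def new_emergency_tokencode(self):
        # Assumption: a newly generated Emergency Tokencode starts at zero.
        self.failures["emergency"] = 0


if __name__ == "__main__":
    user = TokencodeLockoutModel(retries_allowed=3)
    user.resend("sms")
    user.resend("sms")
    user.attempt("sms", code_correct=False)
    print("SMS locked:", user.is_locked("sms"))
    print("Correct code accepted:", user.attempt("sms", code_correct=True))
```
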

 

 

 
