A lockout policy defines how many failed logon attempts users can make before Authentication Manager locks their account, and how the account can be unlocked: either automatically or by administrator intervention. You assign lockout policies to security domains. This policy applies to all users assigned to that security domain.
When you set up Authentication Manager, a default lockout policy is automatically created. The default lockout policy locks the user out after five consecutive unsuccessful authentication attempts within one day and requires administrator intervention to unlock a user account. You can edit this policy, or create a custom lockout policy and designate it as the default. You can also assign custom policies to individual security domains
Lockout policies assigned to upper-level security domains are not inherited by lower-level security domains. For example, if you assign a custom policy to the top-level security domain, all new security domains that you create below it in the hierarchy still use the default lockout policy.
Lockout policies apply to all logon attempts regardless of how many different authentication methods a user uses to authenticate. The methods include tokens, fixed passcodes, password-based authentication to the Security Console or Self-Service Console, on-demand tokencodes, and risk-based authentication. For example, if a user has two failures with a software token and one failure with a hardware token, that counts as three failed attempts.