Authentication Method Lockout
Configuring Lockout for Authentication Methods
This information applies to Authenticate OTP, RSA hardware authenticators (managed in Cloud Access Service (CAS)), SMS OTP, Voice OTP, Emergency Access Code, Approve, and Device Biometrics.
Note: Authentication Manager controls lockout settings for SecurID OTPs that are validated and managed in AM.
You can configure the number of times users can retry each authentication method after the first unsuccessful authentication. After this many retries, the authentication method is locked. Each method is counted and locked separately.
For example, if you specify 3, Authenticate OTP is locked after 3 unsuccessful attempts. The same applies to SMS OTP, Voice OTP, Emergency Access Code (for online access only), RSA hardware authenticators, Approve, and Device Biometrics, with each counted and locked separately.
To configure lockout for these authentication methods, see Configure Session and Authentication Method Settings.
Lockout Behavior When a User Has Multiple OTPs
A user may have one or more hardware or software OTPs that are assigned in Authentication Manager and an additional OTP that is registered in CAS. If the AM server is connected to CAS and the user mistypes an OTP of either type, CAS does not know where the OTP credential originated. In this case, expect the following behavior:
The authentication failure automatically counts against the user's cloud-managed lockout. The same mistake may also count as a failure against the user's tokens in AM, depending on how the lockout policy is configured in AM.
For example, suppose a user is assigned Authenticator A in AM and registers Authenticator B with CAS. The user mistypes the OTP for Authenticator A and fails authentication. The lockout counter for Authenticator B is incremented by 1. The lockout policy in AM determines if the failure counts against lockout in AM.
If the connection between CAS and the AM server is down and the user persistently tries and fails to authenticate with a token that was assigned in AM, the failures count against the Cloud lockout counter.
If a cloud user receives a hardware authenticator but does not register it with CAS, authentication failures do not count against lockout. The OTP must be registered with CAS.
Unlocking Authentication Methods
You unlock all authentication methods for a user simultaneously on the Users > Management page.
When you click Unlock, the lockout counter for all authentication methods is cleared, even if the method was not locked. After a user successfully authenticates, the lockout counter for only that method is cleared.
Internally, CAS maintains a counter to track how many times a user has failed authentication with a given method. When the counter exceeds the threshold defined in My Account > Company Settings, the user cannot authenticate with that method until the user is unlocked.
Emergency Access Code cannot be manually unlocked. You must generate a new Emergency Access Code to give the user emergency access.
You can also configure settings to automatically unlock an authentication method after the lockout duration has expired. For more information, see Configure Session and Authentication Method Settings.
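The following model ties together the counter rules stated above: each method is counted and locked on its own, Unlock clears every counter at once, a successful authentication clears only its own method's counter, and a locked method is released automatically once the lockout duration has passed. It is an added example for illustration, not RSA code and not the CAS implementation. It assumes that a method locks when its failure count reaches the configured number (following the "specify 3, locked after 3 unsuccessful attempts" example), that attempts made while a method is locked are not counted, and that the administrative Unlock leaves Emergency Access Code alone because that method is replaced by generating a new code rather than unlocked. Method names, the threshold of 3 and the 900-second duration are constructed values.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional

# Constructed method names used by this example; they are not CAS identifiers.
METHODS = (
    "authenticate_otp", "sms_otp", "voice_otp", "emergency_access_code",
    "hardware_otp", "approve", "device_biometrics",
)


@dataclass
class LockoutState:
    max_failures: int      # unsuccessful attempts before a method locks (page example: 3)
    lockout_duration: int  # seconds until automatic unlock (assumed to be a configured setting)
    failures: Dict[str, int] = field(default_factory=lambda: {m: 0 for m in METHODS})
    locked_at: Dict[str, Optional[int]] = field(default_factory=lambda: {m: None for m in METHODS})

    def _clear(self, method: str) -> None:
        self.failures[method] = 0
        self.locked_at[method] = None

    def is_locked(self, method: str, now: int) -> bool:
        """True while the method is locked; releases it once the lockout duration has expired."""
        started = self.locked_at[method]
        if started is None:
            return False
        if now - started >= self.lockout_duration:
            self._clear(method)  # automatic unlock after the lockout duration
            return False
        return True

    def record_failure(self, method: str, now: int) -> bool:
        """Count one unsuccessful attempt against this method only; returns True if it is now locked."""
        if self.is_locked(method, now):
            return True  # assumption: attempts during lockout are ignored, the counter does not move
        self.failures[method] += 1
        if self.failures[method] >= self.max_failures:
            self.locked_at[method] = now
            return True
        return False

    def record_success(self, method: str, now: int) -> bool:
        """A successful authentication clears the counter for that method only; False if still locked."""
        if self.is_locked(method, now):
            return False  # a locked method cannot authenticate until it is unlocked
        self.failures[method] = 0
        return True

    def unlock_all(self) -> None:
        """Administrative Unlock: clears every method's counter at once, locked or not.
        Emergency Access Code is skipped because it cannot be manually unlocked."""
        for m in METHODS:
            if m != "emergency_access_code":
                self._clear(m)

    def regenerate_emergency_access_code(self) -> None:
        """Generating a new Emergency Access Code is the only way to restore that method."""
        self._clear("emergency_access_code")


def walkthrough() -> Dict[str, object]:
    """Runs the scenarios described on the page with constructed values (threshold 3, 900 s)."""
    s = LockoutState(max_failures=3, lockout_duration=900)
    for t in (0, 1, 2):
        s.record_failure("authenticate_otp", now=t)  # three mistyped Authenticate OTPs
    s.record_failure("sms_otp", now=3)                # one mistyped SMS OTP, counted separately
    result = {
        "otp_locked": s.is_locked("authenticate_otp", now=4),                 # True
        "sms_locked": s.is_locked("sms_otp", now=4),                          # False: separate counter
        "otp_auth_while_locked": s.record_success("authenticate_otp", now=5),  # False
        "sms_success": s.record_success("sms_otp", now=5),                    # True, clears SMS only
        "otp_failures_after_sms_success": s.failures["authenticate_otp"],      # still 3
    }
    s.unlock_all()  # clears every counter, even for methods that were not locked
    result["otp_locked_after_unlock"] = s.is_locked("authenticate_otp", now=6)  # False
    result["otp_failures_after_unlock"] = s.failures["authenticate_otp"]          # 0
    # Automatic unlock: a lock set at t=102 expires once 900 seconds have passed.
    for t in (100, 101, 102):
        s.record_failure("approve", now=t)
    result["approve_locked_before_expiry"] = s.is_locked("approve", now=102 + 899)  # True
    result["approve_locked_after_expiry"] = s.is_locked("approve", now=102 + 900)   # False
    return result


if __name__ == "__main__":
    for key, value in walkthrough().items():
        print(f"{key}: {value}")
```

The `walkthrough()` function shows why Unlock and a successful authentication are not equivalent: after the SMS OTP success, the Authenticate OTP counter is still at 3 and that method stays locked, whereas Unlock resets every method. An Emergency Access Code lock is cleared only by `regenerate_emergency_access_code()`, mirroring the note above that a new code must be generated.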
Lockout for Other Authentication Methods
The following table describes lockout for additional authentication methods.
| Authentication Method | Lockout Information |
|---|---|
| LDAP Directory Password | You can configure the number of unsuccessful attempts before CAS locks this method. During lockout, CAS ignores a user's password attempts until the lockout duration expires. To configure lockout, see Configure Session and Authentication Method Settings. |
| FIDO | Cannot be locked. You can delete a user's FIDO authenticator from RSA, forcing the user to re-register the token the next time it is used. |