- Cloud Access Service (CAS)
- Authentication Manager (AM)
- Unified OTP Authentication
- REST API–based authentication flow
In Unified OTP authentication flows that use REST API integration, a known behavior may cause a single failed login attempt to be counted more than once. This can lead to unexpected user lockouts when low lockout thresholds are configured.
This article explains the issue and provides a recommended configuration workaround until a permanent solution is available.
When Unified OTP authentication is implemented using the REST API flow, an authentication loop may occur between system components:
CAS > AM > CAS
Due to this loop, a single failed authentication attempt can be processed multiple times, resulting in duplicate failure counts.
In TCP Agent–based integrations, existing agent configuration controls prevent the duplicate count. The REST API flow has no equivalent control, so the extra count must be absorbed by the lockout policy instead.
Impact
- A single failed login attempt may be recorded twice.
- Account lockout thresholds may be reached earlier than expected.
- Users may experience unexpected or premature lockouts.
Affected Environments
- Unified OTP flows using REST API integration
- Environments that have migrated from TCP Agent to REST API–based authentication
Workaround
Because of the authentication loop (CAS > AM > CAS), a single failed authentication attempt is counted twice. To avoid unintended lockouts caused by this duplicate counting, raise the account lockout threshold so that it absorbs the additional failure count.
Recommendation
If Failures Allowed Before Lockout is set to 2 or less, increase the value to more than 2.
With a value of 2 or less, the two counts generated by one genuine failed attempt already reach the threshold, so a user can be locked out after typing a single wrong passcode. Raising the value above 2 ensures that a single duplicate-processed failure cannot lock the account on its own. Note that, while the duplicate counting persists, a configured value of N permits only about N/2 genuine failures before lockout; size the value with that in mind.
Configuration Steps
- Sign in to the Cloud Administration Console.
- Navigate to My Account > Company Settings > Sessions & Authentication.
- Locate Failures Allowed Before Lockout.
- Set the value to more than 2 if it is currently 2 or less.
- Save the changes.
Limitations
This workaround applies only to REST API–based Unified OTP flows.
There is currently no REST API–specific configuration option to suppress duplicate failure counting.
This configuration change does not remove the duplicate counting behavior; it mitigates its impact.
Status
This is a known limitation in REST API–based Unified OTP authentication flows. A permanent fix may be introduced in a future release.
Additional Information
If users continue to experience unexpected lockouts after applying this workaround, contact Support with account logs and authentication timestamps for further analysis.
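The following Python script is an added example, not part of this article or the RSA product; it simulates the double-counted failure counter described above and shows how to spot the duplicate pattern in an exported log before contacting Support. The log format it parses (ISO timestamp, user, result) is a constructed, simplified one and is not the real Cloud Administration audit schema; adapt the parser to the fields in your own export. It assumes, as the article implies, that lockout occurs once the counter reaches the configured value.

```python
"""Added example (not from the RSA article): model the CAS > AM > CAS
double-count and detect it in a constructed log extract."""
from datetime import datetime, timedelta

# Constructed sample log, NOT the real audit schema.
# alice: one genuine failure recorded twice in the same second (loop pattern),
#        then a genuine success.
# bob:   two distinct genuine failures 30 s apart.
SAMPLE_LOG = """\
2024-05-01T09:00:01Z alice FAIL
2024-05-01T09:00:01Z alice FAIL
2024-05-01T09:00:20Z alice SUCCESS
2024-05-01T09:05:00Z bob FAIL
2024-05-01T09:05:30Z bob FAIL
"""


def parse_log(text):
    """Parse 'timestamp user result' lines into a time-sorted event list."""
    events = []
    for line in text.splitlines():
        ts, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, result))
    events.sort()
    return events


def duplicate_failure_indices(events, window=timedelta(seconds=2)):
    """Indices of FAIL events that look like the loop's second copy: a FAIL for
    the same user within `window` of the previous FAIL. A human retyping a
    passcode normally takes longer than that. Each genuine failure is assumed
    to produce exactly one extra record, so a matched pair is consumed."""
    dups = []
    last_fail = {}
    for i, (ts, user, result) in enumerate(events):
        if result != "FAIL":
            continue
        prev = last_fail.get(user)
        if prev is not None and ts - prev <= window:
            dups.append(i)
            del last_fail[user]   # pair consumed; next FAIL is a new genuine attempt
        else:
            last_fail[user] = ts
    return dups


def locked_users(events, threshold, dedup=False):
    """Users whose FAIL count reaches `threshold` (assumed lockout rule).
    dedup=True drops the detected duplicates first, i.e. the count a correctly
    behaving integration would have produced."""
    skip = set(duplicate_failure_indices(events)) if dedup else set()
    counts = {}
    for i, (_, user, result) in enumerate(events):
        if result == "FAIL" and i not in skip:
            counts[user] = counts.get(user, 0) + 1
    return {u for u, c in counts.items() if c >= threshold}


def genuine_failures_before_lockout(threshold, count_per_failure=2):
    """Number of genuine failed attempts until the counter reaches `threshold`
    when every attempt increments it `count_per_failure` times."""
    count = attempts = 0
    while count < threshold:
        attempts += 1
        count += count_per_failure
    return attempts


EVENTS = parse_log(SAMPLE_LOG)

if __name__ == "__main__":
    print("suspected duplicate records:", duplicate_failure_indices(EVENTS))
    for threshold in (2, 3):
        print(f"threshold {threshold}: locked as recorded {locked_users(EVENTS, threshold)},"
              f" locked after dedup {locked_users(EVENTS, threshold, dedup=True)}")
    for threshold in (1, 2, 3, 4):
        print(f"threshold {threshold} -> locked on genuine failure "
              f"#{genuine_failures_before_lockout(threshold)}")
```

With the constructed data, a threshold of 2 locks alice after one genuine failure (and bob legitimately), while dedup shows only bob should have been locked; raising the threshold to 3 leaves alice unlocked, which is the effect of the workaround. Run it against a real export to gather the account-level evidence Support asks for.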