- Cloud Access Service (CAS)
- Authentication Manager (AM)
- Unified OTP Authentication
- REST API–based authentication flow
In Unified OTP authentication flows that use REST API integration, a known behavior may cause a single failed login attempt to be counted more than once. This can lead to unexpected user lockouts when low lockout thresholds are configured.
This article explains the issue and provides a recommended configuration workaround until a permanent solution is available.
When Unified OTP authentication is implemented using the REST API flow, an authentication loop may occur between system components:
CAS > AM > CAS
Due to this loop, a single failed authentication attempt can be processed multiple times, resulting in duplicate failure counts.
In TCP Agent–based integrations, existing configuration controls can be used to prevent duplicate counting.
Impact
- A single failed login attempt may be recorded twice.
- Account lockout thresholds may be reached earlier than expected.
- Users may experience unexpected or premature lockouts.
Affected Environments
- Unified OTP flows using REST API integration
- Environments that have migrated from TCP Agent to REST API–based authentication
Due to the authentication loop (CAS > AM > CAS), a single failed authentication attempt is counted twice.
To avoid unintended lockouts caused by duplicate failure counting, adjust the account lockout threshold to allow for the additional failure count.
Recommendation
If Failures Allowed Before Lockout is set to 2 or less, increase the value to more than 2.
This ensures that users are not locked out due to duplicate processing of a single failed authentication attempt.
Configuration Steps
- Sign in to the Cloud Administration Console.
- Navigate to My Account > Company Settings > Sessions & Authentication.
- Locate Failures Allowed Before Lockout.
- Set the value to more than 2 if it is currently 2 or less.
- Save the changes.
Limitations
This workaround applies only to REST API–based Unified OTP flows.
There is currently no REST API–specific configuration option to suppress duplicate failure counting.
This configuration change does not remove the duplicate counting behavior; it mitigates its impact.
Status
This is a known limitation in REST API–based Unified OTP authentication flows. A permanent fix may be introduced in a future release.
Additional Information
If users continue to experience unexpected lockouts after applying this workaround, contact Support with account logs and authentication timestamps for further analysis.
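As an added example (not part of this article and not RSA code), the following Python script collapses near-duplicate failure records in authentication logs so an administrator can tell whether a user's lockout is explained by the double counting described above or by genuinely repeated failures. The log line format, the 2-second duplicate window and the rule that an account locks once failures exceed the allowed count are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log; the line format is an assumption, not RSA's log schema.
# alice: two real attempts, each recorded twice (CAS and AM, ~1 s apart). bob: three.
SAMPLE_LOG = """\
2024-05-01T10:00:00Z user=alice source=CAS result=FAIL
2024-05-01T10:00:00Z user=alice source=AM result=FAIL
2024-05-01T10:00:20Z user=alice source=CAS result=FAIL
2024-05-01T10:00:21Z user=alice source=AM result=FAIL
2024-05-01T10:05:00Z user=bob source=CAS result=FAIL
2024-05-01T10:07:00Z user=bob source=CAS result=FAIL
2024-05-01T10:09:00Z user=bob source=CAS result=FAIL
"""

def parse(text):
    """Parse 'timestamp key=value ...' lines into dicts with a datetime 'ts'."""
    events = []
    for line in text.splitlines():
        ts, *pairs = line.split()
        event = dict(p.split("=", 1) for p in pairs)
        event["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    return events

def count_failures(events, dedup_window=timedelta(seconds=2)):
    """Per user: (raw failures, failures with near-duplicate records collapsed)."""
    raw, dedup, last_counted = defaultdict(int), defaultdict(int), {}
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["result"] != "FAIL":
            continue
        user = e["user"]
        raw[user] += 1
        if user in last_counted and e["ts"] - last_counted[user] <= dedup_window:
            continue  # same attempt reprocessed through the CAS > AM > CAS loop
        dedup[user] += 1
        last_counted[user] = e["ts"]
    return {u: (raw[u], dedup[u]) for u in raw}

def lockout_triage(events, failures_allowed, dedup_window=timedelta(seconds=2)):
    """Assumes the account locks once failures exceed failures_allowed."""
    verdicts = {}
    for user, (raw, dedup) in count_failures(events, dedup_window).items():
        if raw <= failures_allowed:
            verdicts[user] = "not locked"
        elif dedup <= failures_allowed:
            verdicts[user] = "lockout explained by duplicate counting"
        else:
            verdicts[user] = "genuine lockout"
    return verdicts
```

Running `lockout_triage(parse(SAMPLE_LOG), 2)` reports alice's lockout as an artifact of duplicate counting and bob's as genuine.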