A lockout policy defines how many failed logon attempts users can make before Authentication Manager locks their account, and how the account can be unlocked: either automatically or by administrator intervention. You assign lockout policies to security domains. This policy applies to all users assigned to that security domain.
When you set up Authentication Manager, a default lockout policy is automatically created. The default lockout policy locks the user out after five consecutive unsuccessful authentication attempts within one day and requires administrator intervention to unlock a user account. You can edit this policy, or create a custom lockout policy and designate it as the default. You can also assign custom policies to individual security domains.
Lockout policies assigned to upper-level security domains are not inherited by lower-level security domains. For example, if you assign a custom policy to the top-level security domain, all new security domains that you create below it in the hierarchy still use the default lockout policy.
Lockout policies apply to all logon attempts regardless of how many different authentication methods a user uses to authenticate. The methods include tokens, fixed passcodes, password-based authentication to the Security Console or Self-Service Console, on-demand tokencodes, and risk-based authentication. For example, if a user has two failures with a software token and one failure with a hardware token, that counts as three failed attempts.
A lockout policy determines how the system locks or unlocks users after a predetermined number of consecutive unsuccessful authentication attempts. You can assign lockout policies to security domains.
In a replicated deployment, changes to policies might not be immediately visible on a replica instance. This delay is due to the fact that policy data is cached for 10 minutes. For instructions on minimizing the delay so that changes take effect sooner on a replica instance, see Flush the Cache.
In the Security Console, click Authentication > Policies > Lockout Policies > Add New.
In the Lockout Policy Name field, enter a unique name for the new lockout policy. Do not exceed 128 characters.
(Optional) To make this the default policy for all new security domains, and for any existing security domains already assigned the default policy, select Default Policy.
In the Lock User Accounts field, specify whether you want to allow users unlimited failed authentications, or limit the number of failed authentications allowed before they are locked out. By default, the system locks accounts after five consecutive authentication attempts fail within one day.
If you limit the number of failed authentications, use the Unlock field to specify whether the system automatically unlocks users after a specified amount of time, or whether locked-out users must be unlocked by an administrator. The default is Administrators unlock user accounts.
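The counting rules described above (one consecutive-failure counter per user regardless of authentication method, a one-day counting window, a success resetting the run, and the two unlock modes selected in the Lock User Accounts and Unlock fields) can be modelled as follows. This is an added illustration, not Authentication Manager code; the class and function names, the timestamp-based window handling and the outcome strings are assumptions made for the example.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional

class UnlockMode(Enum):
    ADMIN = "admin"   # "Administrators unlock user accounts" (the default)
    AUTO = "auto"     # system unlocks the user after a delay

@dataclass
class LockoutPolicy:
    max_failures: Optional[int] = 5    # None = unlimited failed authentications
    window_seconds: int = 86400        # consecutive failures are counted within one day
    unlock: UnlockMode = UnlockMode.ADMIN
    unlock_after_seconds: int = 0      # only meaningful with UnlockMode.AUTO

@dataclass
class UserState:
    failures: list = field(default_factory=list)   # timestamps of the current failure run
    locked_at: Optional[float] = None

def is_locked(policy: LockoutPolicy, state: UserState, now: float) -> bool:
    """Report lock status, applying automatic unlock when the policy allows it."""
    if state.locked_at is None:
        return False
    if policy.unlock is UnlockMode.AUTO and now - state.locked_at >= policy.unlock_after_seconds:
        state.locked_at, state.failures = None, []
        return False
    return True

def record_attempt(policy: LockoutPolicy, state: UserState, method: str, success: bool, now: float) -> str:
    """Apply one logon attempt. `method` (token, passcode, ...) is accepted only to show
    that it does not matter: every method feeds the same per-user failure counter."""
    if is_locked(policy, state, now):
        return "locked"          # rejected without touching the counter
    if success:
        state.failures.clear()   # a success ends the run of consecutive failures
        return "ok"
    # keep only failures inside the counting window, then add this one
    state.failures = [t for t in state.failures if now - t < policy.window_seconds] + [now]
    if policy.max_failures is not None and len(state.failures) >= policy.max_failures:
        state.locked_at = now
        return "locked_now"
    return "failed"

def admin_unlock(state: UserState) -> None:
    """Administrator intervention clears the lock and the failure history."""
    state.locked_at, state.failures = None, []

def simulate(policy: LockoutPolicy, attempts) -> list:
    """Run (method, success, timestamp) attempts for one user and return the outcomes."""
    state = UserState()
    return [record_attempt(policy, state, m, ok, t) for m, ok, t in attempts]
```

With the default policy, two software-token failures, one hardware-token failure and two passcode failures lock the account on the fifth attempt, and a later correct passcode is still rejected until an administrator unlocks the user.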