Authentication Method Lockout

Configuring Lockout for Tokencodes

This information applies to SecurID Authenticate Tokencode, SecurID hardware token (managed in the Cloud Authentication Service), SMS Tokencode, Voice Tokencode, and Emergency Tokencode.

Note: SecurID Authentication Manager controls lockout settings for SecurID Tokens that are validated and managed in Authentication Manager.

You can configure the number of times users can retry each tokencode method after the first unsuccessful authentication. After this many retries, the tokencode is locked. Each method is counted and locked separately.

For example, if you specify 3, Authenticate Tokencode is locked after 4 unsuccessful attempts. The same applies to SMS Tokencode, Voice Tokencode, Emergency Tokencode (for online access only), and SecurID hardware token, with each counted and locked separately. In all cases, the fourth attempt fails even if the user enters the correct tokencode.

To configure lockout for tokencodes, see Configure Session and Authentication Method Settings.

Lockout Behavior When a User Has Multiple SecurID Tokens

A user may have one or more SecurID Tokens (hardware or software) that are assigned in SecurID Authentication Manager and an additional token that is registered in the Cloud Authentication Service. If the Authentication Manager server is connected to the Cloud Authentication Service and the user mistypes a tokencode of either type, the Cloud Authentication Service does not know where the token originated. In this case, expect the following behavior:

  • The authentication failure automatically counts against the user's cloud-managed lockout. The same mistake may also count as a failure against the user's tokens in Authentication Manager, depending on how the lockout policy is configured in Authentication Manager.

    For example, suppose a user is assigned Token A in Authentication Manager and registers Token B with the Cloud Authentication Service. The user mistypes the tokencode for Token A and fails authentication. The lockout counter for Token B is incremented by 1. The lockout policy in Authentication Manager determines if the failure counts against lockout in Authentication Manager.

  • If the connection between the Cloud Authentication Service and the Authentication Manager server is down and the user persistently tries and fails to authenticate with a token that was assigned in Authentication Manager, the failures count against the Cloud lockout counter.

  • If a cloud user receives a hardware token but does not register it with the Cloud Authentication Service, authentication failures do not count against lockout. The token must be registered with the Cloud Authentication Service.

Unlocking Tokencodes

You unlock the Authenticate Tokencode, SecurID hardware token (Cloud-managed), SMS Tokencode, and Voice Tokencode simultaneously on the Users > Management page. For instructions, see Manage Users for the Cloud Authentication Service.

When you click Unlock, the lockout counter for all four tokencodes is cleared, even if the method was not locked. After a user successfully authenticates, the lockout counter for only that tokencode is cleared.

Internally, the Cloud Authentication Service maintains a counter to track how many times a user has failed authentication with a given method. When the counter exceeds the threshold defined in My Account > Company Settings, the user cannot authenticate until he is unlocked.

Emergency Tokencode cannot be manually unlocked. You must generate a new Emergency Tokencode to give the user emergency access.
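As an added illustration (not SecurID product code), the following Python model encodes the counting rules described above: each method keeps its own counter, the lock takes effect once the configured retries are used up so that the next attempt fails even with a correct tokencode (following the "specify 3, fourth attempt fails" example), Unlock clears the four unlockable methods whether or not they were locked, a successful authentication clears only that method, and Emergency Tokencode is cleared only by issuing a new code. The class, method names and the set of unlockable methods are assumptions made for the example.

```python
from dataclasses import dataclass, field

# Assumed labels for the four methods that share the administrator Unlock action.
UNLOCKABLE = {"authenticate", "hardware", "sms", "voice"}


@dataclass
class TokencodeLockout:
    """Per-method failure counters for the Cloud Authentication Service rules."""
    retries: int                                   # configured retries, e.g. 3
    failures: dict = field(default_factory=dict)   # method -> consecutive failures
    locked: set = field(default_factory=set)       # methods currently locked

    def attempt(self, method: str, code_is_correct: bool) -> bool:
        """Process one authentication attempt and return True if it succeeds."""
        if method in self.locked:
            return False               # locked: fails even with the correct code
        if code_is_correct:
            self.failures[method] = 0  # success clears only this method's counter
            return True
        self.failures[method] = self.failures.get(method, 0) + 1
        # First failure plus the allowed retries: with retries=3 the method is
        # locked after the third failure, so the fourth attempt is rejected.
        if self.failures[method] >= self.retries:
            self.locked.add(method)
        return False

    def admin_unlock(self) -> None:
        """Unlock on the Users > Management page: resets the four unlockable
        methods regardless of whether they were locked; Emergency is untouched."""
        for method in UNLOCKABLE:
            self.failures[method] = 0
            self.locked.discard(method)

    def issue_new_emergency_tokencode(self) -> None:
        """Generating a new Emergency Tokencode is the only way to clear it."""
        self.failures["emergency"] = 0
        self.locked.discard("emergency")
```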

Lockout for Other Authentication Methods

The following table describes lockout for additional authentication methods.

Authentication Method: Lockout Information

LDAP Directory Password
    You can configure the number of unsuccessful attempts before the Cloud Authentication Service locks this method. During lockout, the Cloud Authentication Service ignores a user's password attempts until the lockout duration expires. To configure lockout, see Configure Session and Authentication Method Settings.

Device Biometrics
    The iOS and Android operating systems can lock Device Biometrics on the user's mobile device.

FIDO
    Cannot be locked. You can delete a user's FIDO authenticator from SecurID, forcing the user to re-register the token the next time it is used.

Approve
    Cannot be locked. After 60 seconds, the user must restart the authentication process.