Authentication Method Lockout

Configuring Lockout for Authentication Methods

This information applies to Authenticate OTP, RSA hardware authenticators (managed in the Cloud Authentication Service), SMS OTP, Voice OTP, Emergency Access Code, Approve, and Device Biometrics.

Note: Authentication Manager controls lockout settings for SecurID OTPs that are validated and managed in Authentication Manager.

You can configure the number of times users can retry each authentication method after the first unsuccessful authentication. After this many retries, the authentication method is locked. Each method is counted and locked separately.

For example, if you specify 3, Authenticate OTP is locked after 3 unsuccessful attempts. The same applies to SMS OTP, Voice OTP, Emergency Access Code (for online access only), RSA hardware authenticators, Approve, and Device Biometrics, with each counted and locked separately.

To configure lockout for these authentication methods, see Configure Session and Authentication Method Settings.

Lockout Behavior When a User Has Multiple OTPs

A user may have one or more hardware or software OTPs that are assigned in Authentication Manager and an additional OTP that is registered in the Cloud Authentication Service. If the Authentication Manager server is connected to the Cloud Authentication Service and the user mistypes an OTP of either type, the Cloud Authentication Service does not know where the OTP credential originated. In this case, expect the following behavior:

  • The authentication failure automatically counts against the user's cloud-managed lockout. The same mistake may also count as a failure against the user's tokens in Authentication Manager, depending on how the lockout policy is configured in Authentication Manager.

    For example, suppose a user is assigned Authenticator A in Authentication Manager and registers Authenticator B with the Cloud Authentication Service. The user mistypes the OTP for Authenticator A and fails authentication. The lockout counter for Authenticator B is incremented by 1. The lockout policy in Authentication Manager determines if the failure counts against lockout in Authentication Manager.

  • If the connection between the Cloud Authentication Service and the Authentication Manager server is down and the user persistently tries and fails to authenticate with a token that was assigned in Authentication Manager, the failures count against the Cloud lockout counter.

  • If a cloud user receives a hardware authenticator but does not register it with the Cloud Authentication Service, authentication failures do not count against lockout. The OTP must be registered with the Cloud Authentication Service.

Unlocking Authentication Methods

You unlock all authentication methods simultaneously on the Users > Management page. For instructions, see Manage Users for the Cloud Authentication Service.

When you click Unlock, the lockout counter for all authentication methods is cleared, even if the method was not locked. After a user successfully authenticates, the lockout counter for only that method is cleared.

Internally, the Cloud Authentication Service maintains a counter to track how many times a user has failed authentication with a given method. When the counter exceeds the threshold defined in My Account > Company Settings, the user cannot authenticate until the user is unlocked.

Emergency Access Code cannot be manually unlocked. You must generate a new Emergency Access Code to give the user emergency access.

You can also configure settings to automatically unlock an authentication method after the lockout duration has expired. For more information, see Configure Session and Authentication Method Settings.
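The counter behavior described in this section can be modeled in a few lines. The following is an added illustration, not RSA code or an RSA API: the class, method, and parameter names are hypothetical, the lock point follows the page's "specify 3, locked after 3 unsuccessful attempts" example, and Emergency Access Code and FIDO, which the page treats differently, are left out.

```python
import time

class MethodLockout:
    """Illustrative model of per-method lockout counters (hypothetical names)."""

    def __init__(self, max_failures=3, lockout_seconds=None, clock=time.monotonic):
        self.max_failures = max_failures        # assumed: lock when failures reach this
        self.lockout_seconds = lockout_seconds  # None = no automatic unlock
        self.clock = clock
        self.failures = {}   # method name -> failures since last success or unlock
        self.locked_at = {}  # method name -> time the method was locked

    def _clear(self, method):
        self.failures.pop(method, None)
        self.locked_at.pop(method, None)

    def is_locked(self, method):
        t = self.locked_at.get(method)
        if t is None:
            return False
        # Automatic unlock once the configured lockout duration has expired.
        if self.lockout_seconds is not None and self.clock() - t >= self.lockout_seconds:
            self._clear(method)
            return False
        return True

    def record(self, method, success):
        """Record one attempt; return True only if authentication is accepted."""
        if self.is_locked(method):
            return False         # a locked method refuses even a correct credential
        if success:
            self._clear(method)  # success clears the counter for this method only
            return True
        self.failures[method] = self.failures.get(method, 0) + 1
        if self.failures[method] >= self.max_failures:
            self.locked_at[method] = self.clock()
        return False

    def admin_unlock(self):
        """Unlock: clear every method's counter, whether or not it was locked."""
        self.failures.clear()
        self.locked_at.clear()

if __name__ == "__main__":
    m = MethodLockout(max_failures=3)
    for _ in range(3):            # constructed sequence: three bad SMS OTPs
        m.record("SMS OTP", False)
    m.record("Voice OTP", False)  # counted separately; not locked
    print(m.is_locked("SMS OTP"), m.is_locked("Voice OTP"), m.failures)
    m.admin_unlock()
    print(m.is_locked("SMS OTP"), m.failures)
```
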

Lockout for Other Authentication Methods

The following table describes lockout for additional authentication methods.

| Authentication Method | Lockout Information |
|---|---|
| LDAP Directory Password | You can configure the number of unsuccessful attempts before the Cloud Authentication Service locks this method. During lockout, the Cloud Authentication Service ignores a user's password attempts until the lockout duration expires. To configure lockout, see Configure Session and Authentication Method Settings. |
| FIDO | Cannot be locked. You can delete a user's FIDO authenticator from RSA, forcing the user to re-register the token the next time it is used. |