Authentication Method Lockout

Configuring Lockout for OTPs

This information applies to SecurID Authenticate OTP, SecurID hardware authenticator (managed in the Cloud Authentication Service), SMS OTP, Voice OTP, and Emergency Access Code.

Note: Authentication Manager controls lockout settings for SecurID OTPs that are validated and managed in Authentication Manager.

You can configure the number of times users can retry each OTP method after the first unsuccessful authentication. After this many retries, the OTP is locked. Each method is counted and locked separately.

For example, if you specify 3, Authenticate OTP is locked after 4 unsuccessful attempts. The same applies to SMS OTP, Voice OTP, Emergency Access Code (for online access only), and SecurID hardware authenticator, with each counted and locked separately. In all cases, the fourth attempt fails even if the user enters the correct OTP.

To configure lockout for OTPs, see Configure Session and Authentication Method Settings.

Lockout Behavior When a User Has Multiple SecurID OTPs

A user may have one or more SecurID OTPs (hardware or software) that are assigned in Authentication Manager and an additional OTP that is registered in the Cloud Authentication Service. If the Authentication Manager server is connected to the Cloud Authentication Service and the user mistypes a SecurID OTP of either type, the Cloud Authentication Service does not know where the token originated. In this case, expect the following behavior:

  • The authentication failure automatically counts against the user's cloud-managed lockout. The same mistake may also count as a failure against the user's tokens in Authentication Manager, depending on how the lockout policy is configured in Authentication Manager.

    For example, suppose a user is assigned Authenticator A in Authentication Manager and registers Authenticator B with the Cloud Authentication Service. The user mistypes the OTP for Authenticator A and fails authentication. The lockout counter for Authenticator B is incremented by 1. The lockout policy in Authentication Manager determines if the failure counts against lockout in Authentication Manager.

  • If the connection between the Cloud Authentication Service and the Authentication Manager server is down and the user persistently tries and fails to authenticate with a token that was assigned in Authentication Manager, the failures count against the Cloud lockout counter.

  • If a cloud user receives a hardware authenticator but does not register it with the Cloud Authentication Service, authentication failures do not count against lockout. The OTP must be registered with the Cloud Authentication Service.

Unlocking OTPs

You unlock the Authenticate OTP, SecurID hardware authenticator (Cloud-managed), SMS OTP, and Voice OTP simultaneously on the Users > Management page. For instructions, see Manage Users for the Cloud Authentication Service.

When you click Unlock, the lockout counter for all four OTPs is cleared, even if the method was not locked. After a user successfully authenticates, the lockout counter for only that OTP is cleared.

Internally, the Cloud Authentication Service maintains a counter for each method to track how many times a user has failed authentication with that method. When the counter exceeds the threshold defined in My Account > Company Settings, the user cannot authenticate with that method until the user is unlocked.

Emergency Access Code cannot be manually unlocked. You must generate a new Emergency Access Code to give the user emergency access.

You can also configure the OTP method to unlock automatically after the lockout duration expires. For more information, see Configure Session and Authentication Method Settings.
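The counter behavior described above in Configuring Lockout for OTPs, Lockout Behavior When a User Has Multiple SecurID OTPs, and Unlocking OTPs, as an added Python model. This is illustration code, not the Cloud Authentication Service's own implementation or API; the method names, the LockoutPolicy fields, the class interface and the injected clock are assumptions. It follows the page's worked example, in which a setting of 3 leaves the fourth attempt rejected even when the user enters the correct OTP:

```python
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Constructed model of the per-method lockout counters described on this page.
# Method names, the LockoutPolicy fields and the class API are assumptions made
# for illustration; they are not the Cloud Authentication Service's own API.

OTP_METHODS = ("authenticate_otp", "hardware_otp", "sms_otp", "voice_otp",
               "emergency_access_code")
# Unlock on the Users > Management page clears these four counters together;
# Emergency Access Code cannot be manually unlocked.
MANUALLY_UNLOCKABLE = ("authenticate_otp", "hardware_otp", "sms_otp", "voice_otp")


@dataclass
class MethodState:
    failures: int = 0                  # consecutive failed attempts for this method
    locked_at: Optional[float] = None  # epoch seconds when the lock engaged


@dataclass
class LockoutPolicy:
    retries: int = 3                          # failures tolerated before the lock
    lockout_duration: Optional[float] = None  # seconds until automatic unlock; None = manual only


class UserLockout:
    """Lockout state for one user; each method is counted and locked separately."""

    def __init__(self, policy: LockoutPolicy, clock: Callable[[], float] = time.time):
        self.policy = policy
        self.clock = clock  # injectable so the lockout duration can be exercised in tests
        self.state: Dict[str, MethodState] = {m: MethodState() for m in OTP_METHODS}

    def failures(self, method: str) -> int:
        return self.state[method].failures

    def is_locked(self, method: str) -> bool:
        st = self.state[method]
        if st.locked_at is None:
            return False
        d = self.policy.lockout_duration
        if d is not None and self.clock() - st.locked_at >= d:
            # Lockout duration expired: the method unlocks automatically.
            self.state[method] = MethodState()
            return False
        return True

    def authenticate(self, method: str, otp_correct: bool) -> bool:
        """Record one attempt; returns whether authentication succeeded."""
        if self.is_locked(method):
            return False  # a locked method rejects even a correct OTP
        st = self.state[method]
        if otp_correct:
            st.failures = 0  # success clears only this method's counter
            return True
        st.failures += 1
        if st.failures >= self.policy.retries:
            st.locked_at = self.clock()  # with retries=3 the fourth attempt is rejected
        return False

    def record_unknown_origin_failure(self) -> None:
        """Mistyped SecurID OTP whose token origin the cloud cannot determine:
        the failure counts against the cloud-registered hardware authenticator.
        Whether Authentication Manager also counts it depends on its own policy."""
        self.authenticate("hardware_otp", otp_correct=False)

    def unlock(self) -> None:
        """Administrator Unlock: clears the four unlockable counters, locked or not."""
        for m in MANUALLY_UNLOCKABLE:
            self.state[m] = MethodState()
```

The injected clock is what lets the automatic unlock after the lockout duration be checked without waiting; in the model, the expiry is evaluated lazily on the next is_locked or authenticate call for that method, and the Emergency Access Code counter is deliberately left out of unlock() because the page states it can only be replaced by generating a new code.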

Lockout for Other Authentication Methods

The following table describes lockout for additional authentication methods.

Authentication Method      Lockout Information

LDAP Directory Password    You can configure the number of unsuccessful attempts before the
                           Cloud Authentication Service locks this method. During lockout, the
                           Cloud Authentication Service ignores a user's password attempts until
                           the lockout duration expires. To configure lockout, see Configure
                           Session and Authentication Method Settings.

Device Biometrics          The iOS and Android operating systems can lock Device Biometrics on
                           the user's mobile device.

FIDO                       Cannot be locked. You can delete a user's FIDO authenticator from
                           SecurID, forcing the user to re-register the token the next time it
                           is used.

Approve                    Cannot be locked. After 60 seconds, the user must restart the
                           authentication process.