SecurID phone app - locked account notification
Is there a way to notify a user that their account status is locked via the SecurID app? SecurID is the second highest volume of service desk calls we get, and it's because the user doesn't realize they are entering a bad PIN in the app.
As far as I know, this is the most needed feature and it's not available with AM or the Cloud Authentication Service. The best approach is to push the syslogs to your SIEM or syslog server, which in turn can notify you if any user gets locked.
Cwc2, based on what you describe, you're using AM-based credentials, not CAS credentials, correct?
There's no communication channel between our software authenticator and AM (AM doesn't know which authenticator device is used by which user), so AM can't notify the user of a particular device about an event like the account being locked.
There's also no way for the authenticator app to inform the user that he is entering an incorrect PIN, as the PIN itself is not known by the authenticator; it is only known by the user and by the Authentication Manager.
We don't want to disclose the exact reason for an authentication failure, as this can be beneficial to a threat actor. That said, our on-prem Authentication Manager and Cloud Authentication Service support account/authenticator auto-unlock, which may be helpful in his case. The idea behind auto-unlock is to discourage a threat actor from continuing to attempt to exploit said user/account, but not to lock out the actual user. Typically, we see auto-unlock configured to 15-30 minutes, with some instruction to users to try again in 15-30 minutes if they are unable to authenticate.
Authentication Manager Lockout Policy:
Cloud Authentication Service Authenticator Settings:
Lastly, we do offer a secure single pane of glass self-service platform called SecurID Access Prime, which bolts onto Authentication Manager and the Cloud Authentication Service (hybrid deployment). SecurID Access Prime self-service, upon successful strong authentication (2FA/MFA), is able to automatically unlock a user's RSA and/or directory account in real-time. Prime also streamlines many other areas of user/authenticator lifecycle management.
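The two mechanisms discussed in this thread (a lockout policy with auto-unlock that returns the same generic failure whether the passcode was wrong or the account is locked, and a SIEM-side rule over the forwarded syslog that notifies on lock events) as an added worked example. This is illustration code written for this page, not RSA's code and not the Authentication Manager's real audit-log format: the `securid-am: EVENT user=...` line layout, the event names (`USER_LOCKED`, `USER_AUTO_UNLOCKED`, etc.), the hostname `am01`, the user `alice` and her passcode are all constructed for the demo.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Same text for "wrong passcode" and "account locked": the client never learns which.
GENERIC_FAILURE = "Authentication failed"


@dataclass
class LockoutPolicy:
    max_failures: int = 3                                  # failures before the account locks
    failure_window: timedelta = timedelta(minutes=5)       # only failures inside this window count
    auto_unlock_after: timedelta = timedelta(minutes=15)   # lock clears by itself after this


@dataclass
class AccountState:
    failures: List[datetime] = field(default_factory=list)
    locked_at: Optional[datetime] = None


class Authenticator:
    """Toy server-side check with lockout and auto-unlock (constructed, not RSA AM)."""

    def __init__(self, policy: LockoutPolicy, passcodes: Dict[str, str], hostname: str = "am01"):
        self.policy = policy
        self.passcodes = passcodes            # constructed: user -> expected passcode
        self.hostname = hostname
        self.state: Dict[str, AccountState] = {}
        self.syslog: List[str] = []           # what would be forwarded to the SIEM

    def _log(self, now: datetime, event: str, user: str) -> None:
        # Constructed syslog-style line; not RSA's real audit-log format.
        ts = now.strftime("%Y-%m-%dT%H:%M:%SZ")
        self.syslog.append(f"{ts} {self.hostname} securid-am: {event} user={user}")

    def attempt(self, user: str, passcode: str, now: datetime) -> Tuple[bool, str]:
        st = self.state.setdefault(user, AccountState())
        pol = self.policy

        if st.locked_at is not None:
            if now - st.locked_at >= pol.auto_unlock_after:
                st.locked_at = None           # auto-unlock: the real user gets back in
                st.failures.clear()
                self._log(now, "USER_AUTO_UNLOCKED", user)
            else:
                self._log(now, "AUTH_DENIED_LOCKED", user)
                return False, GENERIC_FAILURE  # no hint to the client that the account is locked

        if self.passcodes.get(user) == passcode:
            st.failures.clear()
            self._log(now, "AUTH_SUCCESS", user)
            return True, "OK"

        # Keep only recent failures, then count this one.
        st.failures = [t for t in st.failures if now - t < pol.failure_window]
        st.failures.append(now)
        self._log(now, "AUTH_FAILED_BAD_PASSCODE", user)
        if len(st.failures) >= pol.max_failures:
            st.locked_at = now
            self._log(now, "USER_LOCKED", user)
        return False, GENERIC_FAILURE


LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) securid-am: (?P<event>[A-Z_]+) user=(?P<user>\S+)$")


def find_lockouts(lines: List[str]) -> List[Tuple[str, str]]:
    """SIEM-side rule: return (timestamp, user) for every USER_LOCKED line.

    In a real deployment this is where the notification (ticket, e-mail, chat
    message to the user or help desk) would be triggered.
    """
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if m and m.group("event") == "USER_LOCKED":
            hits.append((m.group("ts"), m.group("user")))
    return hits


def demo() -> dict:
    """Walk one constructed user through lock, denial while locked, and auto-unlock."""
    t0 = datetime(2024, 3, 1, 9, 0, 0)
    auth = Authenticator(LockoutPolicy(), {"alice": "1234567890"})
    results = []
    for i, code in enumerate(["0000000000", "1111111111", "2222222222"]):
        results.append(auth.attempt("alice", code, t0 + timedelta(minutes=i)))     # three bad codes -> lock
    results.append(auth.attempt("alice", "1234567890", t0 + timedelta(minutes=3)))  # correct code, still locked
    results.append(auth.attempt("alice", "1234567890", t0 + timedelta(minutes=20))) # after auto-unlock
    return {"results": results, "lockouts": find_lockouts(auth.syslog), "log": auth.syslog}


if __name__ == "__main__":
    out = demo()
    for r in out["results"]:
        print(r)
    print("lockouts seen by SIEM rule:", out["lockouts"])
```

The fourth attempt is the situation the original question describes: the user finally types the right PIN, still gets the same generic failure, and has no way to know from the app that the account is locked. The only place the lock is visible is the server-side log, which is why the SIEM rule, not the app, is where a notification has to come from; the auto-unlock window then lets the legitimate user back in without a service desk call.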