Is there a way to automatically clear "incorrect passcodes". For example, we can set the accounts to unlock automatically after preset time. But even after account gets unlocked, incorrect passcode attempts will not be cleared. Is there a way to automatically clear incorrect passcode attempts?
There is no 'automatic' way, except: the next successful authentication with any token will reset the counter to zero.
NOTE: There a difference between successful login with tokens vs a fixed passcode.
there are two counters inside the database.
fail_password_count for fixed passcodes,
and
bad_token_code_count is for tokens
If you fail an authentication all counters will increment by 1 unless you only have a fixed passcode, or just tokens, in which case it increments the appropriate counter. The one counter you see in the Security Console is the high number of any of these counters.
If you use a successful fixed passcode login, it will only reset the failed password counter for the fixed passcode, but will keep the failed passcode counter at whatever value for the tokens. Only a successful token logon clears all counters both tokens and fixed passcodes.
Clearing in the Security Console clears them all.
The only automatic is for Lock Out unlock, instead of by Admin you can set timer, but this is only for AM, not for AD
keep in mind it could be more easily managed to not have lockout affect AM, just AD, in the External Identity Source Map, enable state.
In effect you let AD control whether or not an account is locked/disabled, and AD can be set to unlock/enable after some amount of time. Also, the default AM Next Token Code, NTC setting is in my opinion too low, 3 strikes and you are in NTC, most people do that every day before they've had their coffee. I recommend 5 at least,
or unlimited if you never want help desk calls for NTC. This is not un-secure, it just places the protection at Lock Out instead of NTC, and lock out unlock/enable can be time set.
You can still get NTC even with "allow unlimited" set if the token time drifts. No way to turn that off that I know of. Keep those phones set to Network Time folks!
While both the AM server and software token or hardware each have time set, the AM server's time is always assumed to be correct even when it is not.
From Support we tend to see phones as pretty reliable and accurate for time, since they get time from Cell Towers, and only in rare instances usually involving travel to foreign countries do we once in a great while see smart phone time issues. Windows desktop software tokens time is only as good as the Windows desktop, which might be very accurate or terrible depending on where time is obtained from. One situation we see occasionally is with windows laptops that get time from a Domain Controller instead of an NTP server. When the user is away from the Corporate network the laptop cannot reach a Domain Controller and time could drift. This could become especially problematic when user is trying to authenticate offline, against local offline day files.
There is no 'automatic' way, except: the next successful authentication with any token will reset the counter to zero.
NOTE: There a difference between successful login with tokens vs a fixed passcode.
there are two counters inside the database.
fail_password_count for fixed passcodes,
and
bad_token_code_count is for tokens
If you fail an authentication all counters will increment by 1 unless you only have a fixed passcode, or just tokens, in which case it increments the appropriate counter. The one counter you see in the Security Console is the high number of any of these counters.
If you use a successful fixed passcode login, it will only reset the failed password counter for the fixed passcode, but will keep the failed passcode counter at whatever value for the tokens. Only a successful token logon clears all counters both tokens and fixed passcodes.
Clearing in the Security Console clears them all.