Lockout Policy

A lockout policy defines how many failed logon attempts users can make before Authentication Manager locks their account, and how the account can be unlocked: either automatically or by administrator intervention. You assign lockout policies to security domains. This policy applies to all users assigned to that security domain.

When you set up Authentication Manager, a default lockout policy is automatically created. The default lockout policy locks the user out after five consecutive unsuccessful authentication attempts within one day and requires administrator intervention to unlock a user account. You can edit this policy, or create a custom lockout policy and designate it as the default. You can also assign custom policies to individual security domains

Lockout policies assigned to upper-level security domains are not inherited by lower-level security domains. For example, if you assign a custom policy to the top-level security domain, all new security domains that you create below it in the hierarchy still use the default lockout policy.

Lockout policies apply to all logon attempts regardless of how many different authentication methods a user uses to authenticate. The methods include tokens, fixed passcodes, password-based authentication to the Security Console or Self-Service Console, on-demand tokencodes, and risk-based authentication. For example, if a user has two failures with a software token and one failure with a hardware token, that counts as three failed attempts.

Add a Lockout Policy

A lockout policy determines how the system locks or unlocks users after a predetermined number of consecutive unsuccessful authentication attempts. You can assign lockout policies to security domains.

In a replicated deployment, changes to policies might not be immediately visible on a replica instance. This delay is due to the fact that policy data is cached for 10 minutes. For instructions on minimizing the delay so that changes take effect sooner on a replica instance, see Flush the Cache.

Procedure

  1. In the Security Console, click Authentication > Policies > Lockout Policies > Add New.

  2. In the Lockout Policy Name field, enter a unique name for the new lockout policy. Do not exceed 128 characters.

  3. (Optional) To make this the default policy for all new security domains, and for any existing security domains already assigned the default policy, select Default Policy.

  4. In the Lock User Accounts field, specify whether you want to allow users unlimited failed authentications, or limit the number of failed authentications allowed before they are locked out. By default, the system locks accounts after five consecutive authentication attempts fail within one day.

  5. To limit the number of failed authentications, use the Unlock field to specify that you want the system to automatically unlock users after a specified amount of time, or that locked out users must be unlocked by an administrator. The default is Administrators unlock user accounts.

  6. Click Save.

Manage a Lockout Policy

You can edit, delete, or duplicate a lockout policy.

Procedure

  1. In the Security Console, click Authentication > Policies > Lockout Policies > Manage Existing.

  2. Do the following:

    Task Description Procedure
    Edit a lockout policy You can change information such as the lockout policy name and the number of failed logon attempts users are allowed to have before they are locked out.

    1. Click the policy that you want to edit, and select Edit.

    2. Make any necessary changes to the lockout policy.

    3. Click Save.

      If you have not saved your changes, you can click Reset to restore the password policy to its original state.
    Delete a lockout policy

    When you delete a lockout policy, the policy is removed from the deployment and can no longer be assigned.

    Each security domain must have a lockout policy. If you delete a lockout policy that is assigned to a security domain, the default lockout policy is automatically assigned to the security domain.

    1. Click the lockout policy that you want to delete, and select Delete.

    2. Click OK.
    Duplicate a lockout policy

    When you duplicate a lockout policy, you create a lockout policy that is identical to the original. The new lockout policy is not assigned to any security domain until you manually assign it.

    1. Click the policy that you want to duplicate, and select Duplicate.

    2. In the Lockout Policy Name field, enter a name for the new lockout policy, and make any other necessary changes to the new lockout policy.

    3. Click Save.