Configuring Account Lockout
Account lockout is a security mechanism that locks a user after repeated failed login attempts. It is used to slow down brute-force attacks as well as to compensate for weak password policies.
Most deployments use the identity store's password policy to control account lockout. If that is not an option to your deployment, configure account lockout in AM as explained in this section.
AM supports two approaches to account lockout, in which AM locks an account after repeated authentication failures: persistent lockout and memory lockout.
Persistent (physical) lockout sets the user account status to inactive in the user profile. For persistent lockout, AM tracks failed authentication attempts by writing to the user repository. Persistent account lockout works independently of any account lockout mechanism in the underlying directory server that serves as the user data store.
Memory lockout locks the user account, keeping track of the locked state only in memory, and then unlocking the account after a specified delay. Memory lockout is also released when AM restarts.
Note
Failed login attempts during the transactional authorization flow do not increment account lockout counters. For more information on transactional authorization, see Transactional Authorization.
If login failures are stored in AM's memory, this may result in user accounts not being locked out even after multiple login failures. To avoid this issue, make sure to implement persistent lockout instead.
To configure account lockout, configure the authentication settings for the realm, as follows:
Access the settings in the AM console under Realms > Realm Name > Authentication > Settings > Account Lockout.
Enable lockout by checking Login Failure Lockout Mode, setting the number of attempts, and setting the lockout interval and duration.
You can also opt to warn users after several consecutive failures, or to multiply the lockout duration on each successive lockout.
To save account login failures to the data store, enable Store Invalid Attempts in Data Store. This step is required when using CTS-based or client-based authentication sessions; if the switch is not enabled, users may not be locked out even after multiple login failures.
You can set up email notification to an administrator upon lockout if AM is configured to send mail. You can configure AM to send mail under Configure > Server Defaults > General > Mail Server.
For persistent lockout, AM sets the value of the user's inetuserstatus profile attribute to inactive. You can also specify another attribute to update on lockout. You can further set a non-default attribute in which to store the number of failed authentication attempts. When you store the number of failed attempts in the data store, other AM servers accessing the same user data store can also see the number.
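The following Python model, added here as an illustration and not part of AM or its documentation, shows how the settings above interact: a failure count within a failure interval, a lockout duration that is multiplied on each successive lockout, a warning threshold, memory lockout state that is lost on restart, and persistent lockout written to the user store as inetuserstatus = inactive. The class and setting names are my own, not AM's.

```python
from dataclasses import dataclass
from typing import Dict, Optional

@dataclass
class LockoutPolicy:
    # Setting names are mine, mirroring the console options described above.
    failure_count: int = 5        # failed attempts before lockout
    failure_interval: float = 300 # seconds within which failures are counted
    lockout_duration: float = 600 # seconds locked; 0 means persistent lockout
    warn_after: int = 3           # warn the user after this many consecutive failures
    duration_multiplier: int = 1  # multiply the duration on each successive lockout

@dataclass
class _Counters:
    failures: int = 0
    first_failure_at: float = 0.0
    locked_until: Optional[float] = None  # memory lockout expiry, None = unlocked
    lockouts: int = 0                     # successive lockouts so far

class AccountLockout:
    """Memory lockout lives in this object; persistent lockout is written to user_store."""
    def __init__(self, policy: LockoutPolicy, user_store: Dict[str, dict]):
        self.policy, self.store, self.mem = policy, user_store, {}

    def is_locked(self, user: str, now: float) -> bool:
        if self.store.get(user, {}).get("inetuserstatus") == "inactive":
            return True                      # persistent lock: survives a restart
        c = self.mem.setdefault(user, _Counters())
        if c.locked_until is not None and now < c.locked_until:
            return True                      # memory lock still in effect
        c.locked_until = None                # delay elapsed: lock released
        return False

    def record_failure(self, user: str, now: float) -> str:
        """Returns 'locked', 'warning' or 'failed' for one failed login attempt."""
        p, c = self.policy, self.mem.setdefault(user, _Counters())
        if self.is_locked(user, now):
            return "locked"
        if c.failures == 0 or now - c.first_failure_at > p.failure_interval:
            c.failures, c.first_failure_at = 0, now   # window expired: count from scratch
        c.failures += 1
        if c.failures < p.failure_count:
            return "warning" if c.failures >= p.warn_after else "failed"
        c.failures, c.lockouts = 0, c.lockouts + 1
        if p.lockout_duration == 0:
            self.store.setdefault(user, {})["inetuserstatus"] = "inactive"
        else:
            c.locked_until = now + p.lockout_duration * p.duration_multiplier ** (c.lockouts - 1)
        return "locked"
```

Creating a second AccountLockout over the same user_store stands in for an AM restart: memory locks disappear, persistent locks remain.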
For more information, see "Configuring Realm Authentication Properties".
Tip
To unlock a user's account, find the user under Realms > Realm Name > Identities. Select the user you want to unlock, and set their User Status property to Active. Save your changes.
For information on how authentication trees handle account lockout, see "About Account Lockout for Trees".