Identity Cloud

Account lockout

Account lockout is a security mechanism that locks a user account after repeated failed login attempts. It is used to slow down brute-force attacks and compensate for weak password policies.

You can configure account lockout in one of the following ways:

Persistent lockout

Persistent (physical) lockout locks the user account indefinitely until unlocked by a tenant administrator. This is the default type of account lockout.

For persistent lockout, Identity Cloud sets the user account status to inactive in the user profile, and tracks failed authentication attempts by writing to the user repository.

Duration lockout

Duration lockout locks the user account for a specified duration, keeping track of the locked state in memory or in the data store. Unlike persistent lockout, the user account status remains active.

Duration lockout is released when Identity Cloud services restart.

Failed login attempts during the transactional authorization flow do not increment account lockout counters.

Configure account lockout

  1. In the Identity Cloud admin UI, select Native Consoles > Access Management.

  2. Go to Realms > Realm Name > Authentication > Settings > Account Lockout.

  3. Enable lockout by checking Login Failure Lockout Mode, then set the number of attempts and the lockout interval.

  4. Set the Login Failure Lockout Duration:

    1. To configure persistent lockout, set Login Failure Lockout Duration to 0.

    2. To configure duration lockout, set Login Failure Lockout Duration to a positive value.

  5. Click Save Changes.

Success and Failure nodes

If you enable account lockout in a realm, the Success and Failure nodes play a key role in modifying journey behavior. The Success node resets the number of invalid attempts to zero. The Failure node increments the number of invalid attempts and triggers Warn User After N Failures messages.

Success node

This node does the following:

  • Checks the Status property of the user profile, when reached. If the account is marked as Inactive, the node fails the authentication with an error message:

    Account locked error when reaching Success node.

    The error message is returned in the JSON response if authenticating to the journey over REST:

    {
    "code":401,
    "reason":"Unauthorized",
    "message":"User Locked Out.",
    "detail":
    {
        "failureUrl":""
    }
}

  • If the User Status property is set to Active, the node resets the failure count in the user profile, when reached.

Failure node

This node does the following:

  • If you select Authentication > Settings > Account Lockout > Login Failure Lockout Mode for the realm (under Native Consoles > Access Management), the node checks the invalid attempts property of the user profile. It returns a warning message if the number of failed attempts is equal to or greater than the configured Warn User After N Failures value:

    Invalid attempts limit warning when reaching Failure node.

    The error message is returned in the JSON response if authenticating to the journey over REST:

    {
    "code":401,
    "reason":"Unauthorized",
    "message":"Warning: You will be locked out after 1 more failure(s).",
    "detail":
    {
        "failureUrl":""
    }
}

  • Increments the failure count in the user profile, when reached.

  • Returns an error message if the account is marked as Inactive:

    Account locked error when reaching Failure node.

    The error message is returned in the JSON response if authenticating to the journey over REST:

    {
    "code":401,
    "reason":"Unauthorized",
    "message":"User Locked Out.",
    "detail":
    {
        "failureUrl":""
    }
}

Lockout-specific nodes

Authentication journeys also provide lockout-specific nodes for checking and changing the status of a user:

Account Active Decision node

Use this node to determine whether an account is considered locked or unlocked.

  • The account is considered locked under these conditions:

    • The status is inactive.

    • The status is active and a duration lockout is set on the account.

  • The account is considered unlocked under this condition:

    • The status is active and no duration lockout is set on the account.

Account Lockout node

Use this node to change the account’s status to inactive or active.

When setting an account to inactive, the node does not consider the realm’s account lockout settings, so effectively sets a persistent lockout on the account.

When setting an account to active, the node also resets the failed attempts and lockout duration counters.

Copyright © 2010-2023 ForgeRock, all rights reserved.