Configure lockout filter
- Click Security, then the Lockout tab.
- To activate the lockout feature, select the Enable lockout after consecutive failures per session option (which is not selected by default).
Set the number of authorized consecutive failures. The number of authorized consecutive failures is set to 5. You can enter only a positive integer greater than or equal to 1.
Once the lockout feature has been activated, when a user tries to log in several times and the user credentials cannot be validated, a specific error message is displayed to inform the user that the account is now locked out and that the user must contact the 3DPassport administrator to unlock it.
For example, if you set the Number of authorized consecutive failures to n, then from the nth login failure onward the user gets a message stating that the account has been locked.
After lockout, this message is always displayed to the user, whether the user enters a correct or an incorrect password.
From the main page of the 3DPassport Control Center, click Audit then the Logs tab.
An audit entry is written in the logs about the lockout event. For example:
Level: INFO – Type: USERAUDIT User account xxx has been locked out.
Level: FATAL – Type: USERAUDIT User xxx has been locked out. (Too many login attempts)
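As an added example (not part of the 3DPassport documentation or product), the following Python script scans exported audit lines for the two lockout entries shown above, collapses each INFO/FATAL pair into one event, and reports accounts that were locked out repeatedly. The one-entry-per-line layout, the leading timestamp, the sample user names and the function names are assumptions.

```python
import re
from collections import Counter

# Matches both entry shapes shown above; accepts an en dash or a hyphen as separator.
ENTRY = re.compile(
    r"Level:\s*(?P<level>[A-Z]+)\s*[–-]\s*Type:\s*USERAUDIT\s+"
    r"User(?: account)?\s+(?P<user>\S+)\s+has been locked out\."
)

# Constructed sample input: the timestamp prefix and user names are assumptions,
# only the "Level: ... has been locked out." text follows the documented entries.
SAMPLE = """\
2024-05-02T09:14:07 Level: INFO – Type: USERAUDIT User account jdoe has been locked out.
2024-05-02T09:14:07 Level: FATAL – Type: USERAUDIT User jdoe has been locked out. (Too many login attempts)
2024-05-02T09:20:31 Level: INFO – Type: OTHER constructed unrelated entry
2024-05-02T11:02:45 Level: INFO – Type: USERAUDIT User account jdoe has been locked out.
2024-05-02T11:02:45 Level: FATAL – Type: USERAUDIT User jdoe has been locked out. (Too many login attempts)
2024-05-02T11:05:10 Level: FATAL - Type: USERAUDIT User mlee has been locked out. (Too many login attempts)
"""


def lockout_events(text):
    """Return sorted, unique (timestamp, user) lockout events.

    Each lockout writes an INFO and a FATAL entry, so entries are
    de-duplicated on (text before 'Level:', user name).
    """
    events = set()
    for line in text.splitlines():
        m = ENTRY.search(line)
        if m:
            timestamp = line[:m.start()].strip()
            events.add((timestamp, m.group("user")))
    return sorted(events)


def repeat_lockouts(text, threshold=2):
    """Return {user: count} for accounts locked out at least `threshold` times."""
    counts = Counter(user for _, user in lockout_events(text))
    return {user: n for user, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for timestamp, user in lockout_events(SAMPLE):
        print(timestamp, user)
    print("repeat lockouts:", repeat_lockouts(SAMPLE))
```

An account that appears in `repeat_lockouts` was unlocked by the administrator and locked again, which is worth reviewing before the next unlock.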
There are two operating modes:
- When you use the default Per session option, the lockout occurs after the specified number of failures during a single session time frame.
- When you use the On any session option in the Count consecutive failed attempts section, consecutive and cumulative failed attempts are counted globally over time and not only during the time frame of a single session.
An account will be locked out only after a determined number of unsuccessful consecutive authentication attempts, depending on the mode selected (during the same session or globally over time).
In both cases, the number of failed attempts is persisted in the database and is reset when the account is unlocked by the administrator or once the user is successfully authenticated.
The 3DPassport administrator will receive an e-mail notification each time an account is locked out.
3DPassport will detect whether a user account has been locked out and forbid any authentication with this account until it has been unlocked. The user account will remain deactivated until the administrator reactivates it using the Manage locked out users option.