Managing Users Lock Out

The lockout feature is an account management policy requirement to automatically block a user account after a given number of failed authentication attempts.

This task shows you how to:

Configure lockout filter

  1. Click Security, then the Lockout tab.
  2. To activate the lockout feature, select the Enable lockout after consecutive failures per session option (which is not selected by default).

    Set the number of authorized consecutive failures. The default value is 5; you can enter only a positive integer greater than or equal to 1.

    Once the lockout feature has been activated, when a user logs in several times and user credentials cannot be validated, a specific error message is displayed to inform the user that the account is now locked out and that the user must contact the 3DPassport administrator to unlock it.

    For example, if you set the Number of authorized consecutive failures to n, then from the nth login failure onward the user gets a message stating that the account has been locked.

    This message is always displayed to the user after lockout, even if the user enters a correct or an incorrect password.

    From the main page of the 3DPassport Control Center, click Audit then the Logs tab.

    An audit entry is written in the logs about the lockout event. For example:

    Level: INFO – Type: USERAUDIT
    User account xxx has been locked out.

    Level: FATAL – Type: USERAUDIT
    User xxx has been locked out. (Too many login attempts)

    There are two operating modes:

    • when you use the default Per session option, the lockout occurs after the specified number of failures within the timeframe of a single session
    • when you use the On any session option in the Count consecutive failed attempts section, consecutive failed attempts are counted cumulatively over time, not only within the timeframe of a single session.

    An account will be locked out only after a determined number of unsuccessful consecutive authentication attempts, depending on the mode selected (during the same session or globally over time).

    In both cases, the number of failed attempts is persisted in the database and is reset when the account is unlocked by the administrator or once the user authenticates successfully.

    The 3DPassport administrator will receive an e-mail notification each time an account is locked out.

    3DPassport will detect whether a user account has been locked out and forbid any authentication with this account until it has been unlocked. The user account will remain deactivated until the administrator reactivates it using the Manage locked out users option.
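    The counting rules described above (lock at the nth consecutive failure, Per session versus On any session scope, counter reset on success or on administrator unlock, and the lockout message shown regardless of the password entered), modelled as an added example. This is illustrative code, not 3DPassport's implementation; the class names, the session-boundary handling and the message text are assumptions.

```python
from typing import Dict, List, Optional, Set, Tuple

# Constructed message text; the real product wording is not reproduced here.
LOCKED_MSG = "Account locked out. Contact the 3DPassport administrator to unlock it."


class LockoutPolicy:
    """Lockout tab settings: threshold (default 5, must be >= 1) and counting scope."""
    def __init__(self, threshold: int = 5, per_session: bool = True):
        if threshold < 1:
            raise ValueError("threshold must be a positive integer >= 1")
        self.threshold = threshold      # Number of authorized consecutive failures
        self.per_session = per_session  # True = Per session, False = On any session


class LockoutStore:
    """Stands in for the persisted failure counters, the locked_out_users table and the audit log."""
    def __init__(self, policy: LockoutPolicy):
        self.policy = policy
        self.failures: Dict[str, int] = {}   # consecutive failures per user (persisted)
        self.locked: Set[str] = set()        # users present in locked_out_users
        self.audit: List[str] = []           # USERAUDIT entries

    def new_session(self, user: str) -> None:
        # Assumption: in Per session mode a new session starts the count from zero;
        # in On any session mode the persisted count carries over between sessions.
        if self.policy.per_session:
            self.failures.pop(user, None)

    def authenticate(self, user: str, password_ok: bool) -> Tuple[bool, Optional[str]]:
        """Return (authenticated, message). A locked account is refused even with the right password."""
        if user in self.locked:
            return False, LOCKED_MSG
        if password_ok:
            self.failures.pop(user, None)    # successful authentication resets the counter
            return True, None
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= self.policy.threshold:   # the nth failure locks the account
            self.locked.add(user)
            self.audit.append(f"Level: INFO - Type: USERAUDIT User account {user} has been locked out.")
            return False, LOCKED_MSG
        return False, "Invalid credentials"

    def unlock(self, user: str) -> None:
        """Administrator unlock; the persisted counter is reset as well."""
        self.locked.discard(user)
        self.failures.pop(user, None)
        self.audit.append(f"Level: INFO - Type: USERAUDIT User account {user} has been unlocked by administrator.")
```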

Manage locked out users

This option is available for Administrators and Support (on the cloud only).

  1. Click Security, then the Lockout tab.

    The list of locked out users (showing each user's identifier and the date when the account was locked) appears in the Manage locked out users section.

    You can use the search bar to find a user with a name or email.

    Click in the Creation Time column to sort users according to the lockout creation time.

  2. To unlock the account, click Unlock.

    From the main page of the 3DPassport Control Center, click Audit then the Logs tab.

    A message like this will be displayed in the search logs:

    Level: INFO – Type: USERAUDIT
    User account xxx has been unlocked by administrator.

    and the user should be able to log in again.

    When an administrator account has been locked out, it can be unlocked by running the following SQL command on the 3DPassport main database:

    DELETE FROM locked_out_users WHERE ds_user_identifier='<username>';

    where <username> is the username of the locked out user to unlock.

    The following example specifies the command to run to unlock the admin_platform user:

    DELETE FROM locked_out_users WHERE ds_user_identifier='admin_platform';

    Note: The lockout mechanism should work the same way, whether in Per session or On any session scope, when LDAP (with or without synchronization) is plugged into 3DPassport.