13.20 Lockout Options

In this policy, you can configure settings to lock a user’s account when the user reaches the maximum number of failed login attempts. This enhances security by preventing the guessing of passwords and one-time passwords (OTPs).

You can configure the following options in this policy:

  • Enable: An option to enable the lockout settings.

  • Attempts failed: The number of failed authentication attempts after which the user’s account is locked. The default value is 3.

  • Lockout period: The period during which the user’s account is locked and the user cannot authenticate. The default value is 300 seconds.

  • Lock in repository: The option to lock the user account in the repository. You cannot use Lockout period if you enable this option. The user can then be unlocked only by the system administrator, in the repository.

    IMPORTANT: You must configure the appropriate settings in your repository for the options to function appropriately. For Active Directory Domain Services, you must enable the Account lockout threshold policy on Domain Controllers.

    For NetIQ eDirectory, you must configure the Intruder Detection appropriately.

    After a user’s account is locked (not in the repository), you can unlock the user account. To do this, click Repositories > Edit > Locked Users and click Remove against the user’s account name.

    The Helpdesk administrator can also unlock the locked users if the Allow to unlock user accounts option is enabled in the Helpdesk Options policy.

  • Lock if authenticator test was failed: This option allows you to lock users who fail an authenticator's test in the Self-Enrollment portal the number of times specified in Attempts failed.

    By default, this option is set to OFF. This indicates that users are not locked if they fail the test process in the Self-Enrollment portal. You can enable the option to lock a user who tests an enrolled method and fails the test the number of times specified in Attempts failed.

    IMPORTANT: To enable the Lock if authenticator test was failed option, ensure that you enable the Lockout Options policy.
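
The following Python model is an added illustration, not product code. It shows how the options above interact and how many guesses each setting lets through against one account. The class and function names are hypothetical. It assumes that the failure counter restarts when the lockout period elapses or an administrator unlocks the user, and that attempts made while locked are rejected without being evaluated.

```python
from dataclasses import dataclass, field

@dataclass
class LockoutPolicy:
    enable: bool = True
    attempts_failed: int = 3           # default from this section
    lockout_period: int = 300          # seconds, default from this section
    lock_in_repository: bool = False   # when True, lockout_period is not used
    lock_on_failed_test: bool = False  # "Lock if authenticator test was failed", default OFF

@dataclass
class LockoutModel:
    policy: LockoutPolicy
    failures: dict = field(default_factory=dict)      # user -> failures counted so far
    locked_until: dict = field(default_factory=dict)  # user -> expiry; None = locked in repository

    def is_locked(self, user, now):
        if user not in self.locked_until:
            return False
        expiry = self.locked_until[user]
        if expiry is None or now < expiry:
            return True                # a repository lock never expires on its own
        self.unlock(user)              # assumption: counter restarts after the period
        return False

    def unlock(self, user):
        """Administrator removes the user from Locked Users, or the period expired."""
        self.locked_until.pop(user, None)
        self.failures.pop(user, None)

    def record_failure(self, user, now, enrollment_test=False):
        """Count one failed attempt; return True if the user is locked."""
        p = self.policy
        if not p.enable:
            return False
        if self.is_locked(user, now):
            return True
        if enrollment_test and not p.lock_on_failed_test:
            return False               # Self-Enrollment test failures are ignored by default
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= p.attempts_failed:
            self.locked_until[user] = None if p.lock_in_repository else now + p.lockout_period
            return True
        return False

def guesses_evaluated(policy, window, user="alice"):
    """Simulate one wrong guess per second for `window` seconds; count those not blocked."""
    model, evaluated = LockoutModel(policy), 0
    for t in range(window):
        if not model.is_locked(user, t):
            evaluated += 1
            model.record_failure(user, t)
    return evaluated
```

With the defaults, one hour of continuous guessing gets 36 attempts evaluated; with Lock in repository enabled it gets 3, and with the policy disabled every attempt is evaluated.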