User Account Locking
  • 07 Jan 2025

A user may be unable to log on via OneSpan Authentication Server, if:

  • The user account has been locked.
  • The authenticator application has been locked out from usage by the active policy.

The mechanisms for locking a user account and for locking an authenticator application are different. Both, however, can be used to enhance security by limiting brute-force guessing of OTPs and signatures.

User account locking

Each user account contains a user lock count. This value is incremented whenever the user performs an unsuccessful authenticator operation, e.g. attempting a logon via OneSpan Authentication Server with an incorrect one-time password (OTP) or failing to validate a signature. It is not incremented for technical issues or misconfiguration, e.g. if a user attempts a push notification-based authentication but the PNID is missing. The user lock count is reset to zero when an operation succeeds, e.g. a correct OTP is used.

Each policy contains a user lock threshold. If a user's lock count equals or exceeds the user lock threshold in the policy in use, the user account will be locked.

If a user account is already locked and user auto-unlock is enabled, the user lock count instead holds the number of unsuccessful unlock attempts made via user auto-unlock.

You can unlock a locked user account in different ways:

  • Manually using the Administration Web Interface.

    You need an administrative account with the Unlock User privilege to manually unlock a locked user account.

  • Automatically via user auto-unlock.

    The user auto-unlock mechanism allows a user to implicitly unlock a locked user account during a regular authentication or signature validation attempt. It is enabled and configured using policies.

    Note that a user account that has been explicitly locked by an administrator cannot be unlocked by the user auto-unlock mechanism.

    By default, user auto-unlock is disabled. To enable it, set Maximum Unlock Tries in the applicable policy, i.e. the maximum number of unlock attempts. You can additionally set the minimum lock duration that must elapse before another unlock attempt is allowed, and a lock duration multiplier that increases the lock duration after each unsuccessful unlock attempt. A policy prepared for user auto-unlock is included in the set of pre-loaded policies, i.e. IDENTIKEY Local Authentication with Auto-Unlock.

    For more information about user auto-unlock, refer to the OneSpan Authentication Server Product Guide, Section "User account auto-unlock".

To unlock a locked user account manually

  1. Open the Administration Web Interface.
  2. Locate and view the respective user account.
  3. Click Unlock.
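The following is an added illustrative model of the user lock count, user lock threshold and user auto-unlock rules described above; it is not OneSpan Authentication Server code. The policy field names follow the article, but the timing rules are assumptions, stated in the comments: an unlock attempt is only honoured once the current lock duration has elapsed, that duration is the minimum lock duration multiplied by the lock duration multiplier once per failed unlock attempt, and exhausting Maximum Unlock Tries leaves only the manual (Unlock User privilege) path. Times are plain seconds.

```python
from dataclasses import dataclass


@dataclass
class Policy:
    """Policy fields named in the article; defaults mirror 'auto-unlock disabled'."""
    user_lock_threshold: int = 3
    max_unlock_tries: int = 0            # Maximum Unlock Tries; 0 = auto-unlock disabled
    min_lock_duration: float = 60.0      # seconds (unit is an assumption of this model)
    lock_duration_multiplier: float = 2.0


@dataclass
class UserAccount:
    lock_count: int = 0                  # failed operations, or failed unlock tries once locked
    locked: bool = False
    admin_locked: bool = False           # explicitly locked by an administrator
    auto_unlock_exhausted: bool = False  # assumption: Maximum Unlock Tries used up
    locked_at: float = 0.0               # time of the lock, or of the last failed unlock try


def _lock_duration(policy: Policy, account: UserAccount) -> float:
    # Assumption: the wait grows by the multiplier after each failed unlock try.
    return policy.min_lock_duration * policy.lock_duration_multiplier ** account.lock_count


def authenticate(policy: Policy, account: UserAccount, otp_correct: bool,
                 now: float, technical_error: bool = False) -> str:
    """Process one authentication attempt at time `now` and return the outcome."""
    if technical_error:
        # Article: technical issues/misconfiguration (e.g. missing PNID) never count.
        return "rejected"
    if account.admin_locked:
        # Article: a lock applied by an administrator cannot be lifted by auto-unlock.
        return "admin_locked"
    if account.locked:
        if policy.max_unlock_tries == 0 or account.auto_unlock_exhausted:
            return "locked"
        # Assumption: an unlock try is honoured only after the current lock duration.
        if now - account.locked_at < _lock_duration(policy, account):
            return "too_early"
        if otp_correct:
            account.locked = False
            account.lock_count = 0
            return "accepted"
        # Article: while locked, lock_count holds the number of failed unlock tries.
        account.lock_count += 1
        account.locked_at = now
        if account.lock_count >= policy.max_unlock_tries:
            account.auto_unlock_exhausted = True   # only a manual unlock helps now
            return "locked"
        return "rejected"
    if otp_correct:
        account.lock_count = 0       # article: reset on success
        return "accepted"
    account.lock_count += 1
    if account.lock_count >= policy.user_lock_threshold:
        account.locked = True
        account.lock_count = 0       # counter now starts counting unlock tries
        account.locked_at = now
        return "locked"
    return "rejected"


def admin_unlock(account: UserAccount) -> None:
    """Manual unlock via the Administration Web Interface (Unlock User privilege)."""
    account.locked = account.admin_locked = account.auto_unlock_exhausted = False
    account.lock_count = 0


def demo_backoff() -> list:
    """Three wrong OTPs lock the account; a wrong unlock try doubles the wait."""
    policy = Policy(user_lock_threshold=3, max_unlock_tries=2,
                    min_lock_duration=60.0, lock_duration_multiplier=2.0)
    acct = UserAccount()
    script = [(False, 0), (False, 1), (False, 2),   # three failures -> locked at t=2
              (True, 10),     # too early: 60 s have not elapsed since the lock
              (False, 70),    # failed unlock try #1 -> next wait is 60 * 2 = 120 s
              (True, 100),    # too early: only 30 s since the failed try
              (True, 200)]    # accepted: 130 s >= 120 s
    return [authenticate(policy, acct, ok, now=t) for ok, t in script]


def demo_exhaustion() -> list:
    """With Maximum Unlock Tries = 1, one failed unlock try leaves only the admin path."""
    policy = Policy(user_lock_threshold=1, max_unlock_tries=1,
                    min_lock_duration=10.0, lock_duration_multiplier=1.0)
    acct = UserAccount()
    out = [authenticate(policy, acct, False, now=0),      # locked at once (threshold 1)
           authenticate(policy, acct, False, now=10),     # unlock try fails -> exhausted
           authenticate(policy, acct, True, now=1000)]    # still locked despite correct OTP
    admin_unlock(acct)
    out.append(authenticate(policy, acct, True, now=1001))  # accepted after manual unlock
    return out


if __name__ == "__main__":
    print(demo_backoff())
    print(demo_exhaustion())
```

The useful operational reading is the interaction of the three policy values: the threshold decides how many guesses an attacker gets before the first lock, the minimum lock duration and multiplier decide how slowly guessing can continue through auto-unlock, and Maximum Unlock Tries caps that continuation before an administrator has to intervene.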

Authenticator application locking

Each authenticator application contains an error count value. This value is incremented when the user enters an incorrect OTP or electronic signature and the active policy has the following authenticator application settings:

  • The identification threshold or signature threshold is greater than zero.
  • The authenticator application is the only one available for authentication or signature validation. That is, regardless of how many authenticator applications exist on a user's authenticator, the policy must force all authentication or signature validation attempts through one specific authenticator application.

    As long as the policy forces all authentication or signature attempts through one authenticator application, the error count increments with each failed attempt, independently of the number of authenticator applications on the user's authenticator or of which kind of authenticator application is being forced to perform the operation.

The identification threshold and signature threshold are set in each policy (under the DP Control Parameters tab in the Administration Web Interface). By default both are zero, meaning that the error count is not checked and the authenticator application remains available. If either threshold is set to a value greater than zero, an authenticator application whose error count reaches either threshold will be locked out from usage by the policy.

The error count is automatically reset to zero only when both of the following are true:

  • A correct OTP or electronic signature is used.
  • The error count has not yet reached either the identification threshold or the signature threshold.

Consequently, once the error count has reached a threshold, a subsequent correct OTP or signature no longer resets it; the authenticator application stays locked out until the error count is reset manually.

To reset the error count manually

  1. Log on to the Administration Web Interface.
  2. Open the authenticator record.
  3. Switch to the respective authenticator application tab and click Reset Error Count.

    In some cases, this function may be available from the Other Actions menu.
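The following is an added illustrative model of the authenticator application error count and the identification/signature thresholds described above; it is not OneSpan code. It encodes the article's rules directly: a wrong OTP or signature is counted only when at least one threshold is greater than zero and the policy routes every attempt through this one application (modelled by the assumed `forced_single_application` flag); a correct OTP resets the count only while it is still below both thresholds; `reset_error_count` stands in for the manual Reset Error Count action.

```python
from dataclasses import dataclass


@dataclass
class DPControlParameters:
    """Per-policy thresholds from the DP Control Parameters tab; 0 = not checked."""
    identification_threshold: int = 0
    signature_threshold: int = 0


@dataclass
class AuthenticatorApplication:
    error_count: int = 0


def is_locked_out(params: DPControlParameters, app: AuthenticatorApplication) -> bool:
    """Locked out once the error count reaches either threshold that is > 0."""
    for threshold in (params.identification_threshold, params.signature_threshold):
        if threshold > 0 and app.error_count >= threshold:
            return True
    return False


def verify(params: DPControlParameters, app: AuthenticatorApplication,
           correct: bool, forced_single_application: bool = True) -> str:
    """Process one OTP or signature check; returns 'accepted', 'rejected' or 'locked_out'.

    `forced_single_application` (assumed name) models the article's second
    condition: the policy routes every attempt through this one application.
    """
    if is_locked_out(params, app):
        # The reset condition requires the count to be below both thresholds,
        # so a correct OTP at this point neither succeeds nor clears the count.
        return "locked_out"
    if correct:
        app.error_count = 0
        return "accepted"
    thresholds_active = params.identification_threshold > 0 or params.signature_threshold > 0
    if thresholds_active and forced_single_application:
        app.error_count += 1
    return "locked_out" if is_locked_out(params, app) else "rejected"


def reset_error_count(app: AuthenticatorApplication) -> None:
    """Manual reset (Reset Error Count in the Administration Web Interface)."""
    app.error_count = 0


def demo_threshold() -> tuple:
    """Identification threshold 3: the third consecutive failure locks the application out."""
    params = DPControlParameters(identification_threshold=3)
    app = AuthenticatorApplication()
    attempts = [False, True, False, False, False, True]   # constructed sequence
    results = [verify(params, app, ok) for ok in attempts]
    count_before_reset = app.error_count          # stays at 3: the correct OTP did not reset it
    reset_error_count(app)
    results.append(verify(params, app, True))     # accepted again after the manual reset
    return results, count_before_reset


def demo_disabled() -> tuple:
    """Default thresholds (0): failures are never counted and nothing is locked out."""
    params = DPControlParameters()
    app = AuthenticatorApplication()
    results = [verify(params, app, False) for _ in range(10)]
    return results, app.error_count


if __name__ == "__main__":
    print(demo_threshold())
    print(demo_disabled())
```

The point worth checking in a real deployment is the default: with both thresholds at zero the application-level counter never engages, so the user lock threshold is the only limit on OTP guessing for that authenticator.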

