Account lockout

Account lockout can protect against any attack that tries to crack secrets, such as passwords or passcodes, by trial and error. It halts malicious actors once they reach the limit for unsuccessful attempts. Limiting the number of password or temporary passcode attempts should be one of your top priorities when it comes to account security.


While account lockout can mitigate brute force attacks, dictionary attacks, and credential stuffing, it can also lead to an unpleasant user experience. When you set up restrictions, it's worth factoring in the honest mistakes legitimate users make when trying to log in. Strivacity's account lockout controls help you strike the right balance between ease of use and the risk levels specific to your organization.

Settings

Account lockout settings


Account lockout rules allow you to set how accounts can be disabled based on failed password and/or one-time passcode attempts.

| Failed password restrictions | Description | Status |
| --- | --- | --- |
| Failed attempts restriction | Defines the number of unsuccessful tries a user can have when entering their password before they get locked out of the account. | Disabled by default. 10 tries are allowed by default. |
| Lockout duration | Defines the number of minutes a locked account can't be used. Users can try to log in again once the account lockout period expires. | Disabled by default. Duration set to 15 minutes by default. |
| Permanent account lockout | You can permanently lock accounts if the number of unsuccessful tries reaches the limit. | Disabled by default. |

| Failed OTP/TOTP restrictions | Description | Status |
| --- | --- | --- |
| Failed attempts restriction | Defines the number of unsuccessful tries a user can have when entering a passcode before they get locked out of the account. | Disabled by default. 3 tries are allowed by default. |
| Lockout duration | Defines the number of minutes a locked account can't be used. Users can try to log in again once the account lockout period expires. | Disabled by default. Duration set to 15 minutes by default. |
| Permanent account lockout | You can permanently lock accounts if the number of unsuccessful tries reaches the limit. | Disabled by default. |


Permanent lockout

Users can turn to your customer support if they permanently get locked out of their accounts. Customer service can assist them with account recovery tools from the Admin Console.
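
The lockout settings described above, modeled as a small state machine (an added example, not Strivacity's code or API). The class, field, and method names are hypothetical, and resetting the failure counter on a successful login or when a timed lockout expires is an assumption the page does not state.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class LockoutRule:
    max_attempts: Optional[int]      # None = failed attempts restriction disabled
    duration_minutes: Optional[int]  # None = lockout duration disabled
    permanent: bool = False          # permanent account lockout

# Constructed sample rules: the default values quoted in the tables, with the
# restrictions switched on (the page lists them as disabled by default).
PASSWORD_RULE = LockoutRule(max_attempts=10, duration_minutes=15)
OTP_RULE = LockoutRule(max_attempts=3, duration_minutes=15, permanent=True)

class LockoutTracker:
    """Failure counter for one account and one factor (password or OTP/TOTP).
    Assumed semantics: counter resets on success and when a timed lockout expires."""
    def __init__(self, rule: LockoutRule):
        self.rule = rule
        self.failures = 0
        self.locked_until: Optional[float] = None  # epoch seconds
        self.permanently_locked = False

    def is_locked(self, now: float) -> bool:
        if self.permanently_locked:
            return True
        if self.locked_until is not None and now >= self.locked_until:
            self.locked_until, self.failures = None, 0  # timed lockout expired
        return self.locked_until is not None

    def record(self, success: bool, now: float) -> str:
        # Check lock state first: while locked, even a correct secret is refused.
        if self.is_locked(now):
            return "locked"
        if success:
            self.failures = 0
            return "ok"
        self.failures += 1
        if self.rule.max_attempts is None or self.failures < self.rule.max_attempts:
            return "failed"
        if self.rule.permanent:
            self.permanently_locked = True
        elif self.rule.duration_minutes is not None:
            self.locked_until = now + self.rule.duration_minutes * 60
        else:
            return "failed"  # limit reached, but no lockout action is configured
        return "locked"

    def admin_unlock(self) -> None:
        """Stand-in for account recovery performed by customer support."""
        self.failures, self.locked_until, self.permanently_locked = 0, None, False
```

Tracking password and OTP/TOTP failures in separate `LockoutTracker` instances mirrors the two tables, so a stricter passcode limit does not reduce the allowance for mistyped passwords.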