User account auto-unlock

A user account can become locked after a specified number of unsuccessful authentication attempts. Unlocking a locked user account usually requires assistance from an administrator.

To reduce the unlock effort and the number of support incidents, you can use user auto-unlock to let users unlock a locked user account themselves, without administrative assistance.

Basic concepts

The user auto-unlock mechanism allows a user to implicitly unlock a locked user account during a regular authentication or signature validation attempt. It is enabled and configured using policies.

For security reasons, user auto-unlock works only if the user account has been locked after too many consecutively failed authentication attempts. A user account that has been explicitly locked by an administrator cannot be unlocked by the user auto-unlock mechanism.

When a user account becomes locked, it remains locked for a specified time span, the lock duration. After that time span has elapsed, the user may try to authenticate again. If authentication succeeds, the user account is unlocked at the same time; if authentication fails, the user account remains locked. The number of unlock attempts is limited: once no unlock attempts are left, the user account remains locked and can only be unlocked by an administrator.

After each unsuccessful unlock attempt, the effective lock duration is multiplied by a specified factor, increasing the time span before the user may try to unlock the user account again. Note that the effective lock duration is measured from the last authentication request. Attempting to unlock by authenticating before the lock duration has elapsed (even with a valid password or OTP) does not count as an unlock attempt and does not unlock the user account. However, because such an attempt is still treated as an (unsuccessful) authentication request, the last authentication request time is updated, so the lock duration starts over.
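The locking and auto-unlock rules described above, as an added Python model that is not OneSpan code. The policy values (3 failures, 60 s, multiplier 2, 2 unlock attempts), the outcome strings and the event timestamps are constructed for the example; run_scenario replays (timestamp_seconds, credential_ok) events against a fresh account.

```python
from dataclasses import dataclass

@dataclass
class AutoUnlockPolicy:            # values are constructed for this example
    max_failed_auth: int = 3       # consecutive failures before the account locks
    lock_duration: float = 60.0    # initial effective lock duration, in seconds
    unlock_multiplier: float = 2.0 # applied to the duration per failed unlock attempt
    max_unlock_attempts: int = 2   # failed unlock attempts before admin-only

@dataclass
class UserAccount:
    policy: AutoUnlockPolicy
    failed_auth: int = 0
    locked: bool = False
    admin_locked: bool = False     # explicit administrator lock: never auto-unlocked
    unlock_attempts_used: int = 0
    effective_lock_duration: float = 0.0
    last_auth_request: float = 0.0 # every request, successful or not, updates this
    def authenticate(self, now: float, credential_ok: bool) -> str:
        if self.admin_locked:
            return "REJECTED_ADMIN_LOCK"
        if not self.locked:
            return self._while_unlocked(now, credential_ok)
        if self.unlock_attempts_used >= self.policy.max_unlock_attempts:
            return "REJECTED_ADMIN_REQUIRED"  # no unlock attempts left
        elapsed = now - self.last_auth_request
        self.last_auth_request = now         # lock duration restarts from this request
        if elapsed < self.effective_lock_duration:
            return "REJECTED_LOCK_DURATION"  # too early: no attempt consumed, timer reset
        if credential_ok:
            self.locked, self.failed_auth, self.unlock_attempts_used = False, 0, 0
            return "ACCEPTED_UNLOCKED"
        self.unlock_attempts_used += 1       # failed unlock: longer wait next time
        self.effective_lock_duration *= self.policy.unlock_multiplier
        return "REJECTED_UNLOCK_FAILED"
    def _while_unlocked(self, now: float, credential_ok: bool) -> str:
        self.last_auth_request = now
        if credential_ok:
            self.failed_auth = 0
            return "ACCEPTED"
        self.failed_auth += 1
        if self.failed_auth < self.policy.max_failed_auth:
            return "REJECTED"
        self.locked, self.unlock_attempts_used = True, 0
        self.effective_lock_duration = self.policy.lock_duration
        return "REJECTED_LOCKED"

def run_scenario(events, policy=AutoUnlockPolicy()):
    acct = UserAccount(policy)
    return [acct.authenticate(t, ok) for t, ok in events]
```

The valid attempt at t=80 is still rejected because the earlier too-early attempt at t=30 restarted the 60 s timer, and after two failed unlock attempts the account needs an administrator.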

Configuration

By default, user auto-unlock is disabled. To enable and configure it, you need to change the applicable policy accordingly. A default policy prepared to support the user auto-unlock feature is included in the set of pre-loaded policies, i.e. IDENTIKEY Local Authentication with Auto-Unlock. For more information, refer to the OneSpan Authentication Server Administrator Guide, Section "User account locking".