Unlock self-service
11.1.2. Unlock self-service

The unlock self-service allows end-users that have been locked out because of too many login failures to unlock the user account by providing the 2nd authentication factor. The user can then try to log in again.

The self-service can only be used a limited amount of times before the account is locked in a way that it can no longer be unlocked by the end-user.

As an alternative to unlocking, the user can be given the possibility to order a new password letter.

The unlock self-service has been shown to substantially reduce help desk calls arising from forgotten passwords.

Username enumeration (stealth mode).

The unlock self-service may provide information about the existence of user accounts. An adversary may use it to find user accounts.

Counting and resetting unlock attempts

  • The following are security features of the Airlock IAM unlock self-services that are applicable to the Flow architecture only (not applicable to the JSP-Loginapp):
  • Airlock IAM tracks a separate unlock attempts counter in the database.
  • The unlock attempts counter is increased for every successful attempt, when the unlock step completes successfully. If the unlock attempt fails, the counter remains unchanged.
  • The unlock attempts counter is reset once the user fully completes an authentication flow.

This setup ensures that the unlock self-service cannot be misused to lockout regular users by having the number of unlocking attempts exceed its limit. It also ensures that an attacker with control over one factor only gets a limited number of attempts on the other factor.

Further information and links