Failed login counters and temporary locking

Authentication failures are counted and persisted by Airlock IAM. Based on this information, user accounts can be locked. There are different counters and different ways to lock user accounts.

Failed counter types

Counter type


Auth-factor counters

IAM counts failures per authentication factor, i.e., it counts individually for each factor. A factor can be, for example, a password, Airlock 2FA, mTAN, email, etc.

If one (or more) of the factor counters reach a configured threshold, the user account is locked.

A factor counter can only be reset if the corresponding authentication factor is successfully used (e.g. a password successfully checked).

This way of counting leads to more secure and better understandable setups if using several authentication flows and especially step-up authentication.

It is used by the Loginapp REST UI, Loginapp REST API, and the Transaction approval REST API.

Global counter

The global counter is increased if any type of authentication attempt failed (independent of the used factor). The global counter is reset after successful login.

The user account is locked if the global counter reaches a configurable threshold.

It is used by the JSP-Loginapp. To ensure secure step-up authentication the JSP-Loginapp counts failed step-up attempts separately.

Account lockout types

Airlock IAM supports two types of account lockout:

Lockout type



The account is permanently locked if the number of failed attempts reaches the configured threshold. The user account cannot be used for authentication until it is manually unlocked.

An account can be unlocked by an administrator or the helpdesk or - if configured - by the end-user using unlock self-service.


Temporary locking forces the end-user to wait for an increasing time period between successive failed login attempts in order to render brute force attacks impractical while keeping help desk efforts low.

Accounts are not permanently locked (unless the configured threshold causes a permanent lockout - see above).

Note that failed login counters are not available when using MSAD as the only persistence layer. SeeĀ Microsoft Active Directory (MSAD) for Airlock IAM for resulting limitations.