Counting failed attempts on authentication factors and locking user accounts based on such counters is crucial for overall account security: without a lock, an attacker can keep guessing a password, OTP or other factor value online until it is found.
The flow infrastructure counts failed attempts individually for every authentication factor, i.e. there is a separate counter for every authentication factor.
For every verifying step, an Authentication Method ID must be configured (for some steps it is hard-coded). The Authentication Method ID determines which failed factor counter is used to count failures of that step.
The failed factor attempts counters are independent of flow types. It is therefore possible to define an individual counter for every authentication method and to use these counters in all types of flows.
The following rules apply:

| Rule | Description |
|---|---|
| Counter selection | The Authentication Method ID identifies the failure counter. Every authentication method verifying step supports the configuration of the Authentication Method ID. |
| Failure handling | Every failed factor check of an authentication method verifying step increases the failed factor counter of the corresponding authentication method. |
| Max failed attempts counter exceeded | As soon as any one of the failed attempts counters exceeds the configured limit, the user is locked. |
| Success handling | When a flow is finished successfully, the counters of all steps that have been processed (and not skipped) during this flow are reset to 0. The failed factor counters of authentication methods that were skipped or not used in the flow remain unchanged. |
| Admin unlock | When a user is unlocked by an administrator, all failed factor attempts counters are reset to 0. |
| Unlock self-service | When a user successfully unlocks the account, all configured failed factor attempts counters are reset to 0. Failed factor attempts within the unlock self-service also increase the corresponding counter. |
| Independent steps | Steps that do not verify an authentication method (e.g. the terms of service step) do not cause any counter to be increased. |
| Exceptions | Authentication Step Results may define that a specific result (e.g. a password policy violation) should not count as a failed factor attempt. |
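The following is an added worked example that models the rules above; it is not Airlock IAM code, and the class and function names (`User`, `Flow`, `admin_unlock`, the `counts_as_failure` flag) as well as the limit of 3 are assumptions made for illustration. It shows the points practitioners most often get wrong: a successful flow resets only the counters of the methods it actually processed, failures inside the unlock self-service still count, and a result excluded via Authentication Step Results leaves the counter untouched.

```python
"""Illustrative model of per-factor failed-attempt counters.

Hypothetical example written for this page; it is not Airlock IAM code and the
names used here are assumptions. It implements the rules of the table above:
one counter per Authentication Method ID, a lock when any counter exceeds the
limit, reset of only the processed counters on success, full reset on admin
unlock and on a successful unlock self-service.
"""
from dataclasses import dataclass, field

MAX_FAILED_ATTEMPTS = 3  # assumed limit; in the product this is a configuration value


@dataclass
class User:
    # Authentication Method ID -> number of failed factor attempts
    counters: dict = field(default_factory=dict)
    locked: bool = False


class Flow:
    """One flow run for a user. unlock=True models the unlock self-service flow."""

    def __init__(self, user, limit=MAX_FAILED_ATTEMPTS, unlock=False):
        self.user = user
        self.limit = limit
        self.unlock = unlock
        self.processed = set()  # method IDs verified (not skipped) in this flow

    def verify(self, method_id, success, counts_as_failure=True):
        """Authentication method verifying step for 'method_id'.

        counts_as_failure=False models an Authentication Step Result that is
        configured not to count (e.g. a password policy violation).
        """
        if self.user.locked and not self.unlock:
            raise PermissionError("user is locked")
        self.processed.add(method_id)
        if success:
            return True
        if counts_as_failure:
            n = self.user.counters.get(method_id, 0) + 1
            self.user.counters[method_id] = n
            if n > self.limit:  # "exceeds" taken literally as strictly greater (assumption)
                self.user.locked = True
        return False

    def independent_step(self):
        """Step that verifies no authentication method (e.g. terms of service): no counter is touched."""
        return True

    def finish(self):
        """Flow finished successfully: reset counters as the rules prescribe."""
        if self.unlock:
            # successful self-service unlock: every counter back to 0, account unlocked
            for m in self.user.counters:
                self.user.counters[m] = 0
            self.user.locked = False
        else:
            # ordinary flow: only the counters of steps processed in this flow
            for m in self.processed:
                self.user.counters[m] = 0


def admin_unlock(user):
    """Administrator unlock: all counters reset, lock removed."""
    for m in user.counters:
        user.counters[m] = 0
    user.locked = False


# --- constructed scenarios ---------------------------------------------------

def scenario_partial_reset():
    """Two abandoned flows leave password=2, mtan=1; a successful password-only
    flow resets only the password counter."""
    user = User()
    f1 = Flow(user); f1.verify("password", False); f1.verify("password", False)
    f2 = Flow(user); f2.verify("mtan", False)
    f3 = Flow(user); f3.verify("password", True); f3.independent_step(); f3.finish()
    return dict(user.counters)  # {"password": 0, "mtan": 1}


def scenario_lock_and_admin_unlock():
    """limit+1 password failures lock the user; admin unlock clears everything."""
    user = User()
    f = Flow(user)
    for _ in range(MAX_FAILED_ATTEMPTS + 1):
        f.verify("password", False)
    locked_before = user.locked
    admin_unlock(user)
    return locked_before, user.locked, dict(user.counters)  # (True, False, {"password": 0})


def scenario_policy_violation_not_counted():
    """A result excluded via Authentication Step Results does not increase the counter."""
    user = User()
    Flow(user).verify("password", False, counts_as_failure=False)
    return user.counters.get("password", 0)  # 0


def scenario_self_service_unlock():
    """A locked user fails once inside the unlock flow (counted), then succeeds:
    all counters are reset and the lock is removed."""
    user = User(counters={"password": 4, "mtan": 1}, locked=True)
    f = Flow(user, unlock=True)
    f.verify("mtan", False)
    mtan_after_failure = user.counters["mtan"]
    f.verify("mtan", True); f.finish()
    return mtan_after_failure, user.locked, dict(user.counters)  # (2, False, {"password": 0, "mtan": 0})
```

The model deliberately keeps the `mtan` counter at 1 in `scenario_partial_reset`: a user who guessed a second factor wrongly in an earlier, abandoned flow does not get that counter cleared merely by completing a flow that never asked for it, so the budget of guesses per factor cannot be refilled by finishing unrelated flows.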
Failed factor attempt counters are not available when using MSAD as the sole persistence layer. See Microsoft Active Directory (MSAD) for Airlock IAM for resulting limitations.