Failed login counters and temporary locking

Authentication failures are counted and persisted by Airlock IAM. Based on this information, user accounts can be locked. There are different counters and different ways to lock user accounts.

Failed counter type

Counter type: Auth-factor counters

IAM counts failures per authentication factor, i.e., it counts individually for each factor. A factor can be, for example, a password, Airlock 2FA, mTAN, email, etc.

If one (or more) of the factor counters reaches its configured threshold, the user account is locked.

A factor counter can only be reset if the corresponding authentication factor is successfully used (e.g. a password successfully checked).

This way of counting leads to more secure and easier-to-understand setups when several authentication flows are used, and especially with step-up authentication.

It is used by the Loginapp UI, Loginapp REST API, and the Transaction approval REST API.

Account lockout types

Airlock IAM supports two types of account lockout:

The account is permanently locked if the failed attempts reach the configured threshold.

  • The user account cannot be used for authentication until it is manually unlocked.
  • It is configurable if OAuth sessions are terminated or remember-me cookies are removed in case of an account lock.
  • An account can be unlocked by an administrator or the helpdesk or - if configured - by the end-user using unlock self-service.


Temporary locking forces the end-user to wait for an increasing period between successive failed login attempts, rendering brute-force attacks impractical while keeping help desk efforts low.

  • Accounts are not permanently locked (unless the configured threshold causes a permanent lockout - see above).
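The following is an added example, not Airlock IAM's own code, that models the behaviour described in the two sections above: one failure counter per authentication factor, a counter that is reset only when that same factor succeeds, a permanent lock once any counter reaches the threshold, and temporary locking that makes the wait between successive failed attempts grow. The threshold, the base wait, the growth factor, the cap, and the rule that a successful login ends the temporary wait are all assumptions of this example, not documented IAM settings.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional

# Constructed parameters for this example (assumptions, not IAM defaults).
PERMANENT_LOCK_THRESHOLD = 5      # failures on a single factor -> permanent lock
TEMP_LOCK_BASE_SECONDS = 2.0      # wait imposed after the first failure
TEMP_LOCK_GROWTH = 2.0            # each further failure multiplies the wait
TEMP_LOCK_MAX_SECONDS = 300.0     # upper bound on the growing wait


def wait_after_failures(consecutive_failures: int) -> float:
    """Seconds an end-user must wait after the n-th consecutive failure."""
    wait = TEMP_LOCK_BASE_SECONDS * TEMP_LOCK_GROWTH ** (consecutive_failures - 1)
    return min(wait, TEMP_LOCK_MAX_SECONDS)


@dataclass
class AccountState:
    # Per-factor failure counters, e.g. {"password": 2, "mtan": 0}.
    failures: Dict[str, int] = field(default_factory=dict)
    permanently_locked: bool = False
    # Temporary locking: failures since the last successful authentication.
    consecutive_failures: int = 0
    next_allowed_at: float = 0.0  # attempts before this timestamp are refused


class LockoutTracker:
    def __init__(self, temporary_locking: bool = True):
        self.temporary_locking = temporary_locking
        self.accounts: Dict[str, AccountState] = {}

    def _state(self, user: str) -> AccountState:
        return self.accounts.setdefault(user, AccountState())

    def check_allowed(self, user: str, now: float) -> Optional[str]:
        """Return None if an attempt may proceed, otherwise the refusal reason."""
        st = self._state(user)
        if st.permanently_locked:
            return "locked"
        if self.temporary_locking and now < st.next_allowed_at:
            return f"wait {st.next_allowed_at - now:.0f}s"
        return None

    def record_failure(self, user: str, factor: str, now: float) -> None:
        """Count the failure against the factor that was checked."""
        st = self._state(user)
        st.failures[factor] = st.failures.get(factor, 0) + 1
        # Reaching the threshold on any single factor locks the whole account,
        # also when temporary locking is enabled.
        if st.failures[factor] >= PERMANENT_LOCK_THRESHOLD:
            st.permanently_locked = True
        if self.temporary_locking:
            st.consecutive_failures += 1
            st.next_allowed_at = now + wait_after_failures(st.consecutive_failures)

    def record_success(self, user: str, factor: str) -> None:
        """Only the factor that was actually verified gets its counter reset."""
        st = self._state(user)
        st.failures[factor] = 0
        if self.temporary_locking:
            # Assumption of this example: a success ends the temporary wait.
            st.consecutive_failures = 0
            st.next_allowed_at = 0.0

    def unlock(self, user: str) -> None:
        """Manual unlock by an administrator, the helpdesk, or self-service."""
        self.accounts[user] = AccountState()


if __name__ == "__main__":
    # Constructed trace: repeated password failures make the wait grow.
    tracker = LockoutTracker(temporary_locking=True)
    clock = 0.0
    for attempt in range(1, 5):
        tracker.record_failure("alice", "password", clock)
        print(f"failure {attempt}: next attempt allowed in "
              f"{tracker.accounts['alice'].next_allowed_at - clock:.0f}s")
        clock = tracker.accounts["alice"].next_allowed_at
```

Because counters are kept per factor, a successful mTAN check does not clear an outstanding password counter; the `check_allowed` result is what a login endpoint would consult before verifying credentials, and a refusal should be logged as a lockout event rather than as another failure.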

Note that failed login counters are unavailable when using MSAD as the only persistence layer. See Microsoft Active Directory (MSAD) for Airlock IAM for the resulting limitations.