Authentication failures are counted and persisted by Airlock IAM. Based on this information, user accounts can be locked. There are different counters and different ways to lock user accounts.
Failed attempt counter type
Counter type | Description |
---|---|
Auth-factor counters | IAM counts failures per authentication factor, i.e., it keeps an individual counter for each factor. A factor can be, for example, a password, Airlock 2FA, mTAN, email, etc. If one (or more) of the factor counters reaches its configured threshold, the user account is locked. A factor counter is only reset when the corresponding authentication factor is used successfully (e.g. a password is checked successfully). This way of counting leads to more secure and easier to understand setups when several authentication flows, and especially step-up authentication, are in use. It is used by the Loginapp UI, the Loginapp REST API, and the Transaction approval REST API. |
Account lockout types
Airlock IAM supports two types of account lockout:
Lockout type | Description |
---|---|
Permanent | The account is permanently locked if the failed attempts reach the configured threshold. |
Temporary | Temporary locking forces the end-user to wait for an increasing period between successive failed login attempts, rendering brute-force attacks impractical while keeping help desk efforts low. |
Note that failed login counters are unavailable when using MSAD as the only persistence layer. See Microsoft Active Directory (MSAD) for Airlock IAM for the resulting limitations.
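The following is an added example, not Airlock IAM code, that models the behaviour described above: one failure counter per authentication factor, a permanent lock when any factor reaches its threshold, a temporary lock with a growing wait between failures, and a counter that is only reset by a successful use of the same factor. The threshold, the back-off schedule and all class and method names are assumptions; the real values are IAM configuration.

```python
from dataclasses import dataclass, field


@dataclass
class FactorState:
    """Counter state for one authentication factor (e.g. password, Airlock 2FA)."""
    failures: int = 0
    locked: bool = False      # permanent lock reached for this factor
    not_before: float = 0.0   # temporary mode: earliest time the next attempt is accepted


@dataclass
class AccountLockout:
    # Assumed values: the real threshold and back-off schedule are IAM configuration.
    threshold: int = 5
    mode: str = "permanent"   # "permanent" or "temporary"
    base_delay: float = 2.0   # temporary mode: first wait in seconds, doubled per further failure
    max_delay: float = 600.0
    factors: dict = field(default_factory=dict)

    def _state(self, factor: str) -> FactorState:
        return self.factors.setdefault(factor, FactorState())

    def account_locked(self) -> bool:
        # One factor counter reaching the threshold locks the whole account.
        return any(s.locked for s in self.factors.values())

    def attempt_allowed(self, factor: str, now: float) -> bool:
        if self.account_locked():
            return False
        return now >= self._state(factor).not_before

    def record_failure(self, factor: str, now: float) -> FactorState:
        s = self._state(factor)
        s.failures += 1
        if self.mode == "permanent":
            s.locked = s.failures >= self.threshold
        else:
            # Wait grows with each successive failure of this factor, capped at max_delay.
            s.not_before = now + min(self.base_delay * 2 ** (s.failures - 1), self.max_delay)
        return s

    def record_success(self, factor: str) -> None:
        # Only a successful use of the same factor resets its counter; succeeding with
        # another factor leaves it untouched. A permanent lock is not cleared here.
        s = self._state(factor)
        s.failures = 0
        s.not_before = 0.0
```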