Serg Nvns - Fotolia

Manage unsuccessful login attempts with account lockout policy

Learn how to create account lockout policies that detail how many unsuccessful login attempts are allowed before a password lockout in order to prevent credential-based attacks.

Due to the often overwhelming prevalence of password authentication, many users forget their credentials, triggering an account lockout following too many failed login attempts. Upon being locked out of their account, users are forced to validate their identity -- a process that, while designed to dissuade nefarious actors, is also troublesome for legitimate users.

"Account lockout is, from a user perspective, a jarring and in-your-face experience," said Allan Foster, chief evangelist at ForgeRock.

But the experience is integral to mitigate risk, said Casey Ellis, CTO and founder of Bugcrowd.

"While inconvenient for legitimate users, it is not too inconvenient -- and it can deter attackers," Ellis said. "It is a resilient and battle-tested reset strategy that is highly available for multiple use cases."

Why enterprises need account lockout policies

Account lockout policies aim to prevent credential theft, credential stuffing and brute-force methods of guessing username and password combinations, thus preventing user account compromise and network intrusion.

This is an important aspect of not only securing enterprise systems, but also securing users' personal accounts and information. Companies must determine confidently whether users trying to authenticate are actually who they say they are, or they risk falling victim to attack.

The default approach to this is to make it harder for potential attackers to compromise accounts. There are two main techniques used to do this, Foster said. One way is to slow down the authentication cycle by making users wait longer and longer every time there is an unsuccessful login attempt, he said.

The other technique is anomaly detection. "Account providers can shut down the account when anomalous behavior is detected until they can connect with the original owner to confirm their identity for authentication," Foster explained.

Account lockout policy features

The account lockout policy is made up of three key security settings: account lockout duration, account lockout threshold and reset account lockout counter after. These policy settings help prevent attackers from guessing users' passwords. In addition, they decrease the likelihood of successful attacks on an organization's network.

Graphic displays the three security settings that make up account lockout policies.
Account lockout policies consist of three security settings: Account lockout duration, account lockout threshold and reset account lockout counter after.

Enterprises should consider a combination of these three when building an account lockout policy.

Bugcrowd's Ellis recommended Apple's iPhone password lockout policy features. "If you forget or don't properly enter your password a certain number of times, you will be unable to try logging back in to the device for a short time," he said. "Subsequent attempts extend the lockout period. This can prove that either the individual entering the password is a forgetful user or an unauthorized individual attempting to obtain illegitimate access."

How to create account lockout policies

Setting account lockout policies -- including lockout duration and thresholds -- is what Ellis called a "dark art."

There are many factors to consider when determining account lockout policy security setting values. But, because every enterprise is different, it is difficult to recommend standard values for the three security settings without calculating the organization's risk profile first. Policymakers should account for any regulatory requirements and adjust values accordingly. The capabilities of computing resources, as well as employee productivity, should also be accounted for.

It is also critical to weigh exposure risks set by the security group, ForgeRock's Foster said. "Accounts with different capabilities have different levels of risk, both to the user and to the organization in the event of a compromise," he said. "Any account where the damage that can be caused is high or is higher than normal requires a higher level of protection."

If a privileged account shows any indication of attack, the immediate response should be to assume it is an attack and to lock down the account. Administrators may want to implement unique settings for privileged accounts, such as a longer account lockout duration and lower account lockout threshold.

While this seems like a commonsense best practice, it's important to consider the nuance of privileged accounts, Foster said. For example, some privileged accounts may be responsible for planning a response to a security event. "You don't want the reaction to the threat to also compromise your ability to respond to that threat," he added.

Analyzing these factors and hypotheticals is critical to successfully creating an account lockout policy that ensures security needs and UX needs are both met.

Limitations of account lockout policies

An account lockout policy alone is not a cybersecurity silver bullet. Enabling multifactor authentication (MFA) and single sign-on (SSO) are critical measures that should also be incorporated into enterprise identity and access management programs, said Anurag Kahol, CTO and co-founder of Bitglass.

"MFA confirms user identity and investigates suspicious logins, while SSO helps organizations directly manage access to sensitive information by blocking or providing various levels of access to data and applications based on user identity and context," Kahol said.

Managing identities and access privileges has become even more demanding tasks as many organizations transition to remote work. Implementing the right policies and settings can empower administrators to manage and secure every account.

Next Steps

What is identity and access management? Guide to IAM

Dig Deeper on Identity and access management

Enterprise Desktop
Cloud Computing