Intruder lockout is a mechanism used in many authentication systems to prevent brute force attacks against knowledge-based credentials such as passwords, PINs or security questions.

Typically, a policy is formulated as follows:

  • If there have been at least M consecutive failed attempts to sign into the profile of user U during an interval of N minutes, then:
  • Block any additional login attempts into U during the following O minutes.

This type of policy is commonly used to thwart brute force password guessing attacks against user profiles on web sites, in Active Directory domains and on other systems.

There is some variety in how intruder lockouts are implemented by different systems and applications:

  • On some security systems, the lockout persists indefinitely.
  • On some security systems, the user's location (e.g., IP address) may be locked out, rather than or in addition to a user profile.
  • On some security systems, values for M, N or O above are fixed and cannot be adjusted by the organization which deployed the system.
  • On some (older) systems, the intruder lockout flag is incorrectly entangled with an administrative disable flag -- one that is set by an administrator to indicate that the user in question should henceforth not be allowed to sign in. On such systems (e.g., RACF, ACF2 on mainframes) the built-in mechanism cannot by itself tell what caused a lockout -- too many failed logins or administrator action.
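The M/N/O policy and the implementation choices listed above can be made concrete in a small sliding-window lockout gate. The following is an added illustration, not Hitachi ID code or the behaviour of any particular product: the `LockoutPolicy`, `UserState`, `AuthGate` names and the plaintext credential store are assumptions made for the example. It keeps the intruder lockout state separate from the administrative disable flag, so the cause of a refused sign-in can always be reported, supports the indefinite lockout variant (`lockout_minutes=None`), and provides a self-service `clear_lockout` that leaves an administrative disable untouched.

```python
# Added illustration of an M/N/O intruder-lockout policy (not Hitachi ID code).
# Times are passed in explicitly as seconds so the behaviour is deterministic.
import hmac
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, Dict, Optional

INDEFINITE = float("inf")  # a lockout that never expires on its own


@dataclass
class LockoutPolicy:
    max_failures: int = 5                  # M: consecutive failures that trigger the lockout
    window_minutes: float = 15             # N: the failures must fall inside this interval
    lockout_minutes: Optional[float] = 30  # O: how long to block; None = indefinite


@dataclass
class UserState:
    failures: Deque[float] = field(default_factory=deque)  # timestamps of recent consecutive failures
    locked_until: Optional[float] = None   # intruder lockout, set by the policy
    admin_disabled: bool = False           # administrative disable, set only by an administrator


class AuthGate:
    def __init__(self, policy: LockoutPolicy, credentials: Dict[str, str]):
        self.policy = policy
        # Constructed sample store: user -> password. A real system stores
        # salted hashes; plain strings keep this example self-contained.
        self.credentials = credentials
        self.users: Dict[str, UserState] = {}

    def _state(self, user: str) -> UserState:
        return self.users.setdefault(user, UserState())

    def cause(self, user: str, now: float) -> str:
        """Why a user cannot sign in right now: 'disabled', 'locked' or 'none'.
        Keeping the two flags apart is exactly what systems that entangle them cannot report."""
        st = self._state(user)
        if st.admin_disabled:
            return "disabled"
        if st.locked_until is not None and now < st.locked_until:
            return "locked"
        return "none"

    def attempt(self, user: str, password: str, now: float) -> str:
        """Process one sign-in attempt; returns 'success', 'failure', 'locked' or 'disabled'."""
        st = self._state(user)
        if st.admin_disabled:
            return "disabled"
        if st.locked_until is not None:
            if now < st.locked_until:
                return "locked"           # still inside the O-minute block
            st.locked_until = None        # block has expired; start fresh

        expected = self.credentials.get(user, "")
        # Constant-time comparison; a real system would compare password hashes.
        if user in self.credentials and hmac.compare_digest(expected.encode(), password.encode()):
            st.failures.clear()           # a success breaks the run of consecutive failures
            return "success"

        st.failures.append(now)
        window = self.policy.window_minutes * 60
        while st.failures and now - st.failures[0] > window:
            st.failures.popleft()         # drop failures older than N minutes
        if len(st.failures) >= self.policy.max_failures:
            st.failures.clear()
            if self.policy.lockout_minutes is None:
                st.locked_until = INDEFINITE
            else:
                st.locked_until = now + self.policy.lockout_minutes * 60
            return "locked"
        return "failure"

    def clear_lockout(self, user: str) -> None:
        """Self-service reset after the user proved identity another way (token, security questions).
        Deliberately leaves admin_disabled untouched: that flag belongs to the administrator."""
        st = self._state(user)
        st.locked_until = None
        st.failures.clear()

    def set_admin_disabled(self, user: str, disabled: bool) -> None:
        self._state(user).admin_disabled = disabled
```

Two details are worth noting when reading the code: a correct password presented during the O-minute block is still refused (otherwise the block would not slow a guesser who happens to hit the right value), and the window is evaluated only over consecutive failures, so a genuine sign-in resets the count as the policy wording implies.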

Users who have triggered an intruder lockout can sign into Hitachi ID Password Manager with other types of credentials, such as a hardware token or by answering personal questions, and can then clear the intruder lockout on their own account.
