Intruder lockout is a mechanism used in many authentication systems to prevent brute force attacks against knowledge-based credentials such as passwords, PINs or security questions.

Typically, a policy is formulated as follows:

  • If there have been at least M consecutive failed attempts to sign into the profile of user U within an interval of N minutes, then:
  • Block any additional login attempts against U for the following O minutes.

This type of policy commonly prevents brute force password guessing attacks against user profiles on web sites, Active Directory domains and other systems. Note that the same mechanism can be turned against legitimate users: anyone who knows or can guess login IDs can deliberately submit wrong passwords until those users are locked out, so the values of M, N and O are a trade-off between resisting password guessing and exposing users to denial of service.
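The policy above, as an added worked example that is not part of the original page and not code from any Hitachi ID product: a tracker that applies M, N and O to a stream of sign-in attempts. It shows the details the one-sentence policy leaves implicit: a successful sign-in ends the run of consecutive failures, failures older than N minutes fall out of the window, an attempt made while locked is rejected before the password is evaluated, and the lock expires after O minutes. The policy values, user names and timestamps are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass
class LockoutPolicy:
    """At least M consecutive failures within N minutes lock the account for O minutes."""
    max_failures: int      # M
    window_minutes: int    # N
    lockout_minutes: int   # O


@dataclass
class AccountState:
    failures: List[datetime] = field(default_factory=list)  # recent consecutive failures
    locked_until: Optional[datetime] = None


class LockoutTracker:
    def __init__(self, policy: LockoutPolicy) -> None:
        self.policy = policy
        self.accounts: Dict[str, AccountState] = {}

    def is_locked(self, user: str, now: datetime) -> bool:
        st = self.accounts.setdefault(user, AccountState())
        if st.locked_until is None:
            return False
        if now >= st.locked_until:
            # Lockout interval O has elapsed: the lock and the failure run both expire.
            st.locked_until = None
            st.failures.clear()
            return False
        return True

    def record_attempt(self, user: str, password_ok: bool, now: datetime) -> str:
        """Returns 'locked' (attempt rejected), 'ok' or 'failed'."""
        if self.is_locked(user, now):
            return "locked"  # rejected before the password is even evaluated
        st = self.accounts[user]
        if password_ok:
            st.failures.clear()  # a success ends the run of consecutive failures
            return "ok"
        window = timedelta(minutes=self.policy.window_minutes)
        # Keep only failures inside the N-minute window, then count this one.
        st.failures = [t for t in st.failures if now - t < window]
        st.failures.append(now)
        if len(st.failures) >= self.policy.max_failures:
            st.locked_until = now + timedelta(minutes=self.policy.lockout_minutes)
            return "locked"
        return "failed"


def run_sample() -> Dict[str, List[Tuple[int, str]]]:
    """M=5 failures within N=10 minutes lock for O=30 minutes (constructed values)."""
    policy = LockoutPolicy(max_failures=5, window_minutes=10, lockout_minutes=30)
    tracker = LockoutTracker(policy)
    t0 = datetime(2024, 1, 1, 9, 0, 0)
    # Constructed attempts per user: (minutes after t0, password correct?).
    # Users are independent, so each user's attempts are replayed in order.
    attempts = {
        # four failures, a success resets the run, two more failures: never locked
        "alice": [(0, False), (1, False), (2, False), (3, False), (4, True), (5, False), (6, False)],
        # fifth failure at minute 4 locks until minute 34; a correct password at
        # minute 10 is still rejected; at minute 35 the lock has expired
        "bob":   [(0, False), (1, False), (2, False), (3, False), (4, False), (10, True), (35, True)],
        # five failures spread over 16 minutes: never 5 inside any 10-minute window
        "carol": [(0, False), (4, False), (8, False), (12, False), (16, False), (20, True)],
    }
    out: Dict[str, List[Tuple[int, str]]] = {}
    for user, events in attempts.items():
        out[user] = [(m, tracker.record_attempt(user, ok, t0 + timedelta(minutes=m)))
                     for m, ok in events]
    return out


if __name__ == "__main__":
    for user, results in run_sample().items():
        print(user, results)
```

In a real deployment the failure history and the lock must live where the authentication decision is made (the directory or the application's account store, not an in-process dictionary), and the locked check must run before the password comparison, as above, so that a locked account gives an attacker no signal about whether a guess was correct.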

There is some variety in how intruder lockouts are implemented by different systems and applications:

  • On some security systems, the lockout does not time out: it persists until it is explicitly cleared.
  • On some security systems, the user's location (e.g., IP address) may be locked out, rather than or in addition to a user profile.
  • On some security systems, values for M, N or O above are fixed and cannot be adjusted by the organization which deployed the system.
  • On some (older) systems, the intruder lockout flag is entangled with the administrative disable flag -- the one an administrator sets to indicate that the user in question should henceforth not be allowed to sign in. On such systems (e.g., RACF and ACF2 on mainframes) the built-in mechanism cannot tell what caused a lockout -- too many failed logins or administrator action.

Users who have triggered an intruder lockout can sign into Hitachi ID Password Manager with other types of credentials, such as a hardware token or by answering personal questions, and can then clear the intruder lockout on their own account.

Hitachi ID Identity and Access Management Suite distinguishes several types of "locks," and Hitachi ID Password Manager allows users to clear only intruder lockouts:

  1. Intruder lockouts: triggered by repeated attempts to sign into a given login account with an incorrect password. They often have a timeout (i.e., they are automatically cleared after a set interval).

  2. Administratively disabled: the login ID was explicitly disabled by a security administrator. Hitachi ID Password Manager does not remove such locks.

  3. Password expired: the user may sign in, but can only access the password change function of the system or application. Hitachi ID Password Manager may set this flag after an assisted password reset (i.e., to force the user to change a temporary password). Hitachi ID Password Manager normally clears this flag after self-service password changes.

  4. Account expired: the account is in a state equivalent to setting the "administratively disabled" flag, but as a result of the active time period for the account expiring, rather than due to recent administrator intervention.

Not all target system types support all of the above mechanisms and some target types actually entangle them. For example, "administratively disabled" and "intruder lockout" are represented by the same flag on most mainframe systems.

In cases where the states are entangled on a target system, Hitachi ID Password Manager will either not allow users to clear the flag or, where possible, expose a plug-in point where customers can insert business logic to differentiate between different meanings of the same flag.
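The four lock types and the self-service rule described above, as an added example that is not code from the original page or from Hitachi ID Password Manager: a small model of the four states, a self-service unlock that clears only intruder lockouts, the password-expired flag being set by an assisted reset and cleared by a self-service change, and, for a target type whose single "revoked" flag stands for both intruder lockout and administrative disable, a plug-in hook that a deployment supplies to tell the two meanings apart. The account names, the audit records and the classify_by_audit heuristic are all constructed for illustration; the page does not specify how a real plug-in decides, so the hook here fails safe and treats a flag of unknown origin as administrative.

```python
from dataclasses import dataclass, field
from enum import Enum, auto
from typing import Callable, Dict, List, Optional, Set, Tuple


class Lock(Enum):
    INTRUDER_LOCKOUT = auto()   # 1. repeated wrong passwords; self-service may clear it
    ADMIN_DISABLED = auto()     # 2. set explicitly by a security administrator
    PASSWORD_EXPIRED = auto()   # 3. may sign in, but only to change the password
    ACCOUNT_EXPIRED = auto()    # 4. the account's validity period has passed


@dataclass
class TargetAccount:
    """Account on a target type that keeps the four states as separate flags."""
    login_id: str
    locks: Set[Lock] = field(default_factory=set)


@dataclass
class EntangledAccount:
    """Account on a target type where one 'revoked' flag stands for both
    intruder lockout and administrative disable (as on several mainframe products)."""
    login_id: str
    revoked: bool
    # Constructed audit records, oldest first: (event, actor).
    audit_trail: List[Tuple[str, str]] = field(default_factory=list)


# Plug-in point: deployment-supplied logic that says what an entangled flag means.
Classifier = Callable[[EntangledAccount], Lock]


def self_service_unlock(acct, classifier: Optional[Classifier] = None) -> str:
    """Clear an intruder lockout on the user's own account and nothing else."""
    if isinstance(acct, TargetAccount):
        if Lock.ADMIN_DISABLED in acct.locks:
            return "refused: administratively disabled"
        if Lock.ACCOUNT_EXPIRED in acct.locks:
            return "refused: account expired"
        if Lock.INTRUDER_LOCKOUT in acct.locks:
            acct.locks.discard(Lock.INTRUDER_LOCKOUT)   # PASSWORD_EXPIRED, if set, stays
            return "cleared"
        return "nothing to clear"
    # Entangled target: refuse unless a plug-in can tell the two meanings apart.
    if not acct.revoked:
        return "nothing to clear"
    if classifier is None:
        return "refused: cannot tell intruder lockout from administrative disable on this target"
    if classifier(acct) is Lock.INTRUDER_LOCKOUT:
        acct.revoked = False
        return "cleared"
    return "refused: administratively disabled"


def classify_by_audit(acct: EntangledAccount) -> Lock:
    """Hypothetical plug-in: the newest 'revoked' audit record says who set the flag.
    With no evidence, fail safe and treat the flag as administrative."""
    for event, actor in reversed(acct.audit_trail):
        if event == "revoked":
            return Lock.INTRUDER_LOCKOUT if actor == "system" else Lock.ADMIN_DISABLED
    return Lock.ADMIN_DISABLED


def assisted_reset(acct: TargetAccount) -> None:
    """Help-desk reset issues a temporary password, so force a change at next sign-in."""
    acct.locks.add(Lock.PASSWORD_EXPIRED)


def self_service_password_change(acct: TargetAccount) -> str:
    """A successful self-service password change clears the must-change flag."""
    if Lock.ADMIN_DISABLED in acct.locks or Lock.ACCOUNT_EXPIRED in acct.locks:
        return "refused: account not usable"
    acct.locks.discard(Lock.PASSWORD_EXPIRED)
    return "password changed"


def run_sample() -> Dict[str, str]:
    # Constructed accounts on a target that keeps the flags apart.
    alice = TargetAccount("alice", {Lock.INTRUDER_LOCKOUT})
    bob = TargetAccount("bob", {Lock.INTRUDER_LOCKOUT, Lock.ADMIN_DISABLED})
    carol = TargetAccount("carol", {Lock.ACCOUNT_EXPIRED})
    dave = TargetAccount("dave")
    # Constructed accounts on an entangled target: same flag, different history.
    erin = EntangledAccount("erin", True, [("logon-failed", "")] * 5 + [("revoked", "system")])
    frank = EntangledAccount("frank", True, [("revoked", "admin:jdoe")])
    grace = EntangledAccount("grace", True, [("revoked", "system")])
    out = {
        "alice": self_service_unlock(alice),
        "bob": self_service_unlock(bob),
        "carol": self_service_unlock(carol),
        "erin": self_service_unlock(erin, classify_by_audit),
        "frank": self_service_unlock(frank, classify_by_audit),
        "grace": self_service_unlock(grace),   # no plug-in installed for this target
    }
    assisted_reset(dave)
    out["dave after reset"] = "must change password" if Lock.PASSWORD_EXPIRED in dave.locks else "ok"
    out["dave after change"] = self_service_password_change(dave)
    return out


if __name__ == "__main__":
    for k, v in run_sample().items():
        print(f"{k}: {v}")
```

The order of the checks in self_service_unlock is the point: an administrative disable or an expired account is examined first, so a user who is both locked out and disabled gets nothing cleared. On the entangled target, the default with no plug-in is to refuse, which matches the behaviour described above; the plug-in only widens what self-service may do when the deployment can supply evidence of what set the flag.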
