Account lockout and unlock policies

Configure lockout and unlock policies for user accounts on the STA Token Management console, in the Policy > User Policies module.


Configure the account lockout and unlock policy

This policy determines how STA handles consecutive failed login attempts.

STA locks a user’s account after an invalid OTP is used a specified number of times. If configured, STA will also send a lockout alert to the user’s email address.

STA unlocks a user’s account after the account lock duration has passed. If configured, STA will also send an account unlock alert to the user’s email address after the user successfully authenticates.


  • Apply: Save changes to the policy. The button is active until changes to the policy are saved or canceled.

  • Cancel: Clear unsaved changes to the policy and close the module.

  • Change Log: Display the last five changes to the policy including the date and time of each change, the Operator ID, and the changed values.

  • Account lock threshold: The maximum number of consecutive failed login attempts permitted for a user. If this value is exceeded, STA locks the account. The default value is 3. To disable this function, set the value to 0.

  • Alert User on account lockout: If checked, STA sends an alert to the user after the user’s account changes state from Unlocked to Locked.

  • Alert User on account unlock: If checked, STA sends an alert to the user after the following two conditions are met: 1) the user’s account changes state from Locked to Unlocked and 2) the user successfully authenticates.

    Although the account may be configured to unlock after 5 minutes (for example), STA sends the account unlock alert only when the user successfully authenticates after the lockout period, which may be 15 minutes after the account is unlocked (for example). In other words, STA validates the unlock policy only after the user successfully authenticates.

  • Account lock duration: The time in seconds, minutes, or hours that must elapse after an account is locked before the account automatically unlocks. The default value is 15 minutes. If the value is 0 when the user authenticates to their locked account, the account automatically unlocks.

    Any change to the account lock duration value will apply only to lock events that occur after the change. For example, if a user’s account is locked while the value is 1 day – and the administrator reduces the value to 15 minutes – the user must still wait the remainder of the 1 day that applied when the account was locked, before their account is unlocked.
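
The following Python model is an added example, not Thales code, that walks through the lockout rules described above: the threshold, the lock duration captured at lock time, and the unlock alert that is sent only after a successful login. The names `Policy`, `Account`, `authenticate` and `scenario` are hypothetical, and the model assumes the account locks on the attempt that reaches the threshold and that attempts made during the lock are rejected.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Policy:
    threshold: int = 3           # page default; 0 disables lockout
    duration_s: int = 15 * 60    # page default: 15 minutes
    alert_on_lock: bool = True
    alert_on_unlock: bool = True

@dataclass
class Account:
    failures: int = 0
    locked_at: Optional[float] = None
    lock_duration_s: int = 0     # snapshot of the policy value at lock time
    unlock_pending: bool = False # unlocked, but no successful login yet
    alerts: list = field(default_factory=list)

def authenticate(acct, policy, otp_ok, now):
    """Process one login attempt at time `now` (seconds); return 'ok', 'fail' or 'locked'."""
    if acct.locked_at is not None:
        # The duration in force when the lock occurred applies, not the current one.
        if now - acct.locked_at < acct.lock_duration_s:
            return "locked"      # assumption: attempts during the lock are rejected
        acct.locked_at, acct.failures, acct.unlock_pending = None, 0, True
    if otp_ok:
        acct.failures = 0
        if acct.unlock_pending and policy.alert_on_unlock:
            acct.alerts.append(("unlock", now))  # only after a successful login
        acct.unlock_pending = False
        return "ok"
    acct.failures += 1
    if policy.threshold and acct.failures >= policy.threshold:  # assumption: lock on reaching it
        acct.locked_at, acct.lock_duration_s = now, policy.duration_s
        if policy.alert_on_lock:
            acct.alerts.append(("lock", now))
    return "fail"

def scenario():
    """Constructed timeline: lock under a 1-day duration, then the admin shortens it."""
    policy, acct = Policy(duration_s=86400), Account()
    results = [authenticate(acct, policy, False, t) for t in (0, 1, 2)]  # locks at t=2
    policy.duration_s = 15 * 60                                  # admin change after the lock
    results.append(authenticate(acct, policy, True, 2 + 901))    # still locked
    results.append(authenticate(acct, policy, True, 2 + 86400))  # original day elapsed
    return results, acct.alerts
```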

Configure the dormant account lockout policy

Some compliance regulations require that dormant user accounts be automatically locked and not be permitted to authenticate. A dormant account is one that has not logged on for a defined period of time.

The Virtual Server uses the Dormant Account Lockout Policy to determine how long after the last successful logon an account is considered to be dormant and becomes locked.


  • Apply Button: Active when the policy is modified. Use it to commit the policy change.

  • Cancel: Clears any uncommitted change to the policy and closes the module.

  • Change Log: Displays a list of the last 5 changes to this policy, including the date and time of each change, the Operator ID that made the change, and the value that was specified.

  • Dormant Account Threshold: The allowed range is 0 (default, threshold disabled) to 365 days. Input is limited to integers in this range.