Setting up account lockout
Account lockout is a security feature that, when enabled, applies to all non-SSO users in your system. This feature prevents a user from logging in once they’ve made a number of failed login attempts. You choose the number of attempts that will trigger lockout.
Locking accounts prevents hackers from accessing your system via a brute-force attack (i.e. attempting access by entering many passwords in succession).
You’ll also be able to choose how long the lockout lasts. One option is to lock the user out indefinitely, and only allow them access after an administrator grants them access.
You can also choose to allow users to break the lockout by resetting their password.
Locked status is not the same as disabled status; locked out users are still enabled.
Enabling account lockout
To enable account locking:
- Go to Administration > System and Security > Security Settings.
- From the Maximum Invalid Login Attempts field, select how many failed login attempts (i.e. the wrong user name or password is used) will trigger lockout.
No Limit leaves account lockout disabled; users are never locked out with this setting.
A new Lockout Duration field displays when you change this setting from No Limit.
- Select the duration that will apply to all users.
Choose Forever if you want to require an administrator to unlock locked-out users.
- If you want users to be able to unlock their account by resetting their password, select the Password reset unlocks account check box.
If you enable this option, users can select the Forgot your Password or User Name link on the login page.
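The settings described above (Maximum Invalid Login Attempts, Lockout Duration, and Password reset unlocks account) can be read as a small state machine. The following Python model is an added example, not the product's own code: the class and function names are hypothetical, and the points at which the failure counter is cleared are assumptions, since the page does not state them.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class LockoutPolicy:
    max_invalid_attempts: Optional[int]    # None models "No Limit": lockout disabled
    lockout_duration: Optional[timedelta]  # None models "Forever"
    password_reset_unlocks: bool = False   # the "Password reset unlocks account" box


@dataclass
class Account:
    password: str                          # plaintext only to keep the model short
    enabled: bool = True                   # disabled is a separate state from locked
    failed: int = 0
    locked_until: datetime = datetime.min  # datetime.max models an indefinite lock


def login(acct, policy, password, now):
    if not acct.enabled:
        return "disabled"
    if now < acct.locked_until:
        return "locked"                    # the correct password is refused too
    if password == acct.password:
        acct.failed = 0                    # assumption: success clears the counter
        return "ok"
    acct.failed += 1
    limit, duration = policy.max_invalid_attempts, policy.lockout_duration
    if limit is not None and acct.failed >= limit:
        acct.failed = 0                    # assumption: counter restarts after a lock
        forever = duration is None
        acct.locked_until = datetime.max if forever else now + duration
        return "locked"
    return "invalid"


def admin_unlock(acct):
    acct.locked_until, acct.failed = datetime.min, 0


def reset_password(acct, policy, new_password):
    acct.password = new_password
    if policy.password_reset_unlocks:
        admin_unlock(acct)
```

With a timed duration, the model allows at most the configured number of guesses per lockout window; with Forever and the reset option off, only `admin_unlock` restores access.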
Unlocking a locked account
If a user alerts you that they’ve been locked out, you can unlock their account.
To do this:
- Go to Administration > Employees and Organization > Users.
- Select the user in question.
At the top of their main user profile page, you’ll see an Account Locked message.
- Click Unlock Account.
The user should now be able to log in to their account, provided they're using the correct credentials.
Refer to I forgot my user name / password for information on retrieving credentials.
What do locked out users see?
When a user is locked out, they’ll see a message above the login fields, stating they were locked out, and telling them when they will be allowed access again. If the lockout duration is set to something less than forever, the lockout time remaining will count down in this message.
Is the lockout status available in reports?
Yes, a Lock Status field is available in the User Detail report.