
Managing Lockout Settings

Identity Security Cloud locks a user's account if the wrong password is entered a certain number of times while signing in or resetting a password.

By default, if a user or an unauthorized person provides the wrong password five times in a row in a five-minute period, they are locked out of their account for 15 minutes. You can change the default settings to meet the requirements of your organization by following the process described below.

Note

To hinder malicious activities such as brute force attacks, the sign-in page does not warn the user that the account is being locked. However, the user does receive an email notification that indicates when and where the attempts occurred and when the account will be unlocked.

After 15 minutes, the user can try again or choose to reset their password.

Important

If your tenant is configured to restrict users from unlocking their account or resetting their password based on their country or network, these options might not be available to all users.

Be aware of how these lockout settings might interact with pass-through authentication sources. If Identity Security Cloud is configured to use pass-through authentication, locking the Identity Security Cloud account also locks the user's Active Directory or other primary account.

If users are locked out because of failed sign-ins, they can choose to unlock their account or reset their password to access the system immediately. If a user needs help resetting their password or you believe their account is compromised, you can reset their password for them.

To manage lockout settings:

  1. Select Global > Security Settings > Lockout Management.

  2. Under Sign In Lockout Settings, use the dropdown menus to set the:

    • Maximum Attempts - The number of times someone can enter the wrong password before the account is locked.

    • Minutes Until Attempt Count Resets - The period during which the number of failures is counted. For example, by default, if someone enters the wrong password five times within a five-minute period, they are locked out. However, if they enter four wrong passwords and then take a break for five minutes, they can try again without being locked out because the failure count resets.

    • Minutes User is Locked Out - How long the account is locked before the user can try again.

  3. Under Password Reset Lockout Settings, use the dropdown menus to set the maximum attempts and minutes the user is locked out of the account.
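To see how the three sign-in settings interact before changing them, the following added example (not SailPoint code) replays sign-in events against a policy and reports the resulting lockouts. It assumes that only failures within the last reset period count, that a successful sign-in ends the streak, and that attempts during a lockout are not counted; the events and the candidate values 3/10/30 are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class LockoutPolicy:
    max_attempts: int = 5      # Maximum Attempts
    reset_minutes: int = 5     # Minutes Until Attempt Count Resets
    lockout_minutes: int = 15  # Minutes User is Locked Out

def find_lockouts(events, policy=LockoutPolicy()):
    """events: (timestamp, user, success) tuples. Returns [(user, locked_at, unlocks_at)]."""
    window = timedelta(minutes=policy.reset_minutes)
    failures, locked_until, lockouts = {}, {}, []
    for ts, user, success in sorted(events):
        if ts < locked_until.get(user, datetime.min):
            continue  # assumption: attempts made during a lockout are not counted
        if success:
            failures.pop(user, None)  # "in a row": a good sign-in ends the streak
            continue
        # assumption: only failures inside the last reset_minutes are counted
        recent = [t for t in failures.get(user, []) if ts - t < window] + [ts]
        failures[user] = recent
        if len(recent) >= policy.max_attempts:
            unlocks_at = ts + timedelta(minutes=policy.lockout_minutes)
            locked_until[user] = unlocks_at
            lockouts.append((user, ts, unlocks_at))
            failures.pop(user, None)
    return lockouts

def at(minutes, seconds=0):
    """Offset from a constructed start time, to keep the sample readable."""
    return datetime(2024, 1, 1, 9, 0) + timedelta(minutes=minutes, seconds=seconds)

# Constructed sign-in events (not real logs): (time, user, success)
SAMPLE_EVENTS = (
    # alice: five failures in a row within five minutes, then one more attempt
    [(at(m), "alice", False) for m in range(5)] + [(at(6), "alice", False)]
    # bob: four failures, a break of more than five minutes, one more failure
    + [(at(0, s), "bob", False) for s in (0, 30, 60, 90)] + [(at(7), "bob", False)]
    # carol: a successful sign-in interrupts her failures
    + [(at(0), "carol", False), (at(1), "carol", False), (at(2), "carol", True),
       (at(3), "carol", False), (at(4), "carol", False), (at(5), "carol", False)]
)

if __name__ == "__main__":
    for label, policy in (("default", LockoutPolicy()), ("candidate", LockoutPolicy(3, 10, 30))):
        for user, locked_at, unlocks_at in find_lockouts(SAMPLE_EVENTS, policy):
            print(f"{label}: {user} locked {locked_at:%H:%M:%S}, unlocks {unlocks_at:%H:%M:%S}")
```

With the default values only alice is locked; the stricter candidate values also lock bob and carol, which indicates how many more unlock or reset requests a tighter setting could generate.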

If a user successfully enters their password but fails the security questions, they are not locked out of their accounts.

However, if a user is resetting their password and fails the questions, they will be temporarily blocked from resetting their password.

The attempt limit and duration of being blocked are configured in Global > Lockout Management > Password Reset Lockout Settings.
