Authenticator lockout behavior
The authenticators allowed to access applications are set by the resource rules (see Create and manage resource rules). If a user enters an incorrect authentication response more times than the value set in the Lockout Count, the authenticator is locked and the user cannot access the application using that authenticator. See Manage General settings for more information about account lockout.
Locked users
A user is locked when they fail to provide a valid response within a certain number of login attempts. The lockout policy defines whether the authenticator being used is locked or the user is locked. See Lockout Settings in Manage General settings.
Users locked due to inactivity
A user is locked due to inactivity when their last login is past the threshold, which is the amount of time a user can be inactive before they can no longer access their account. For example, the threshold might be set to 30 days. If a user has not attempted to log in within 30 days, they are locked out of their account due to inactivity and will see the following message: "Your account is disabled due to inactivity. Contact your administrator."
Example of lockout behavior
The following provides an example of lockout behavior.
- A user has access to two applications, Application 1 and Application 2.
- The resource rule for Application 1 requires password + OTP or Token.
- The resource rule for Application 2 allows Token only.
- The Lockout Count is set to 5.
- The user accesses Application 1 and enters a valid password, but enters an incorrect Token response five times, which locks the Token authenticator.
- The user can still access Application 1 using the correct password and a valid OTP.
- The user cannot access Application 2 because it requires Token authentication and the user has locked their Token authenticator by entering an incorrect response too many times.
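
The scenario above can be modeled as a small simulation. This is an added example, not the product's own code. It also covers the case where the lockout policy locks the user instead of the authenticator. Assumptions: the rule encoding, the scope names "authenticator" and "user", and locking on the fifth failure (as in the example above) are illustrative choices.

```python
from dataclasses import dataclass, field

# Constructed from the example above: each rule lists alternative
# authenticator sets; any one complete set grants access.
RESOURCE_RULES = {
    "Application 1": [{"password", "otp"}, {"password", "token"}],
    "Application 2": [{"token"}],
}

@dataclass
class LockoutState:
    lockout_count: int = 5
    scope: str = "authenticator"  # or "user"; hypothetical names for the two policy modes
    failures: dict = field(default_factory=dict)
    locked_authenticators: set = field(default_factory=set)
    user_locked: bool = False

    def record_failure(self, authenticator):
        """Count one incorrect response and apply the lock when the count is reached."""
        n = self.failures.get(authenticator, 0) + 1
        self.failures[authenticator] = n
        # Assumption: the lock triggers on the Nth failure, as in the example above.
        if n >= self.lockout_count:
            if self.scope == "user":
                self.user_locked = True
            else:
                self.locked_authenticators.add(authenticator)

    def usable_paths(self, application):
        """Return the rule alternatives that contain no locked authenticator."""
        if self.user_locked:
            return []
        return [sorted(alt) for alt in RESOURCE_RULES[application]
                if not (alt & self.locked_authenticators)]

def simulate(scope, token_failures=5):
    """Replay the example: the user enters an incorrect Token response repeatedly."""
    state = LockoutState(lockout_count=5, scope=scope)
    for _ in range(token_failures):
        state.record_failure("token")
    return {app: state.usable_paths(app) for app in RESOURCE_RULES}

if __name__ == "__main__":
    for scope in ("authenticator", "user"):
        print(scope, simulate(scope))
```

With the authenticator scope, only the password + OTP path to Application 1 remains; with the user scope, no path to either application remains.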