The Intrusion Lock feature provides Account Admins with an increased level of security around account access by automatically locking out a user after a certain number of failed login attempts.
Account Admins who want to use the Intrusion Lock feature can select both the number of incorrect passwords that can be attempted before a user is locked out and the duration of the lockout, including an indefinite option.
Once the lockout period has ended, the account will automatically unlock and the user will be able to attempt to log in again. At any point during the lockout, the Account Admin can manually unlock the user’s account. Any account with an indefinite lockout period must be unlocked manually.
Users attempting to log in with an incorrect password will see a message notifying them of the number of additional failed login attempts they are allowed before they will be locked out of their account. Once locked out, they will be prompted to contact support if they believe they were locked out in error.
Enable intrusion lock
To enable Intrusion Lock for an account:
- Navigate to the Settings page by clicking the cog in the top navigation bar.
- Next, click the Manage button in the Security section.
- Select the number of failed login attempts you want to allow before lockout via the first drop-down.
  - Options are 3, 5, 7, or 10 bad passwords.
- Select the duration of the lockout.
  - Options are 15, 30, or 60 minutes OR "Indefinite".
  - Choosing "Indefinite" will require an Administrator to manually unlock the user.
Unlocking a user
To unlock a locked out user, go to the Users page by selecting Users in the left-hand navigation bar. Find the locked out user or users, indicated by a red padlock icon next to the user’s email address. Click edit to access the Roles and Status section for that user and toggle the Intrusion Lock Status switch. Click the Update button and the user will now be unlocked.
- Currently, the Account Admin is not proactively notified when a user locks themselves out. The indicator that a user is locked out is a red padlock icon next to the user’s email address on the Users page.
- Locked out users will not be able to take any other actions via the login screen, including changing their password via the “Forgot your password?” link. It is not necessary to reset a user’s password when unlocking an account. If a user has forgotten their password, the Account Admin can first unlock the account and then direct the user to reset it via the “Forgot your password?” link.
- A user’s account cannot be manually disabled via the Intrusion Lock feature. If an Account Admin wants to intentionally disable a user, it should be done via the Account status toggle switch in the user’s Roles and Status section.
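The lockout behaviour described on this page, modelled as an added Python example (illustrative only, not the product's code). The class and method names are hypothetical, and two points are assumptions the page does not state: the Nth failed attempt is the one that triggers the lock, and the failure counter restarts after any unlock.

```python
from dataclasses import dataclass
from typing import Optional

ALLOWED_ATTEMPTS = (3, 5, 7, 10)       # attempt limits listed on this page
ALLOWED_MINUTES = (15, 30, 60, None)   # None models the "Indefinite" option


@dataclass
class IntrusionLock:                   # hypothetical name, not a product API
    max_attempts: int
    lock_minutes: Optional[int]        # None = indefinite lockout
    failures: int = 0
    locked_at: Optional[float] = None  # epoch seconds; None = not locked

    def __post_init__(self):
        if self.max_attempts not in ALLOWED_ATTEMPTS:
            raise ValueError("attempt limit must be 3, 5, 7 or 10")
        if self.lock_minutes not in ALLOWED_MINUTES:
            raise ValueError("duration must be 15, 30, 60 or None")

    def is_locked(self, now: float) -> bool:
        if self.locked_at is None:
            return False
        if self.lock_minutes is None:
            return True                # indefinite: only admin_unlock() clears it
        if now - self.locked_at >= self.lock_minutes * 60:
            self._clear()              # timed lock expired: unlock automatically
            return False
        return True

    def failed_login(self, now: float) -> str:
        if self.is_locked(now):
            return "locked: contact support"
        self.failures += 1
        remaining = self.max_attempts - self.failures
        if remaining <= 0:             # assumption: the Nth failure locks
            self.locked_at = now
            return "locked: contact support"
        return f"{remaining} attempt(s) left before lockout"

    def can_request_password_reset(self, now: float) -> bool:
        return not self.is_locked(now)  # locked users cannot use "Forgot your password?"

    def admin_unlock(self) -> None:
        self._clear()                  # unlocking does not touch the password

    def _clear(self) -> None:
        # Assumption: the failure counter restarts after any unlock.
        self.failures, self.locked_at = 0, None
```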