Client study: Account Lockout process
We will cover the following scenarios:
Scenario 1.1 Login: Standard login screen
Scenario 1.2 Login w/ error: Standard login screen with error state “The credentials you entered were incorrect. Reminder: passwords are case sensitive”
Scenario 1.3 Login w/ error: Standard login screen with elevated error state “The credentials you entered were incorrect. Reminder: passwords are case sensitive. If you are having trouble, you may change your password now”
Password reset is an active link
Scenario 1.4 Lockout screen: Warning prompt
Warning msg: “Sorry. You have entered the wrong credentials too many times. For security reasons we limit the number of sign-in attempts. Please try again later. You may also Reset your password now. ”
Password reset is an active link
We recommend an allowance of three failed attempts before instituting an incremental delay increase for each sequential failed attempt.
Determining Lockout Flow:
Determining Lockout Stages
(Note - Messaging is not final copy. It is meant simply to convey the direction of an appropriate message.)
1st Login - 2nd attempt = Standard login screen for the 1st – 2nd Fail = (No change)
3rd attempt - 6th attempt = Scenario 1.2 Login w/ error: Standard login screen with error state
Error MSG: “The credentials you entered were incorrect. Reminder: passwords are case sensitive”
Reload Login = Standard login screen (+10 second delay added to credential acceptance on page load. This will be increased by 10 Seconds for each consecutive failed attempt)
7th attempt - 9th attempt = Scenario 1.2 Login w/ error: Standard login screen with elevated error state
Error MSG: “The credentials you entered were incorrect. Reminder: passwords are case sensitive. If you are having trouble, you may change your password now”
Reload Login = (We are currently at 50 Seconds +10 second delay added to credential acceptance on page load. This continues to increase by 10 Seconds for each consecutive failed attempt)
10th attempt = Scenario 1.4: Account lockout for 30 Minutes
Error MSG: “Sorry. You have entered the wrong credentials too many times. For security reasons we limit the number of sign-in attempts. Please try again later. You may also Reset your password now. ”
Reset Password links to reset URL. Fire off email to the user email on file:
Email msg: "We notice you are having trouble logging in to your account. Don't worry, your account is still secured. However, If you forgot your password, or are having trouble accessing your account... [Provide Instructions on how to change password]. [Include customer messaging as to security protocol]"
Login attempt will fail once threshold has been exceeded. This is remains true until such time as the delay threshold has been met. It is important to understand that this failure will happen even when login attempt is correct.
After the first unsuccessful login attempt we show error state:
After three unsuccessful login attempts we begin throttling attempts in 10 second increments – Increasing by ten seconds for each successive failed attempt.
By 7th failed login attempt we elevate the forgot password and change message
On 10th failed attempt we lockout the account and fire a click back to the email on file.
Click back should:
Address guest by name and announce to the guest that there was some problem accessing the account. NOTE: Email should assure guest that no access was granted.
Alert the guest that the account will unlock by itself within the specified timeline and no further action is necessary.
Allow guest to change password
Allow guest to report if they feel any issues result
Client questions to address:
Since you are using a light box login process, Should lockout require the user to close the dialog and reload the “login”?
FOLLOW UP: Lockout does not require the login process to reset each time.
We discussed an error escalation - Is that still on the table?
FOLLOW UP: We escalate the error message at the halfway point - Approx 7 Attempts.
Research shows that number of tries before lockout should be 4-10 – We are breaking the flow on three to begin incremental successive delay. Is there room for discussion?
FOLLOW UP: We stuck with three because it was shown that it really didn't affect the user until the standard lockout time exceeded 4-5 failed attempts in a row.
Can we get out of “lockout jail” through an email click back response?
FOLLOW UP: Only if the end user reset their password through a clickback
If yes on the previous question, should we include a verification code with the click back that allows the user access without requiring a password rest?
FOLLOW UP: It was determined that once lockout had taken place, the user could either reset their password and access their account immediately, or wait until they were out of the "lockout jail" and attempt again. After a second failed cycle... The account would require a password reset.
Do we fire a lockout msg off prior to the user being at final lockout? If so, when do we fire the lockout email?
FOLLOW UP: It was determined that we would only fire off an email if the final lockout happened, so as to not needlessly confuse or concern a user as to their current account security status.
How long after successive tries do we restart as if no previous attempts were made? -
FOLLOW UP: We determined that we will allow 30 Minutes to cycle between a lock out and first reset. The second cycle will be 60 Minutes.
Bill Cheswick AT&T:
(Taken from Open Web Application Security Project(OWASP) lecture.)
“Lock the account in increasing time increments”
“Remind the user of password rules.”
“Don't count duplicate password attempts (they probably thought they mistyped it)”
PCI Data Security Standards
“Set the lockout duration to thirty minutes or until administrator enables the user ID.”
“The threshold that you select is a balance between operational efficiency and security…”
“ To allow for user error and to thwart brute force attacks, a setting above 4 and below 10 could be an acceptable starting point for your organization.”
“Add a time-delay between sign-in attempts.”
“Add a penalty period if a person has typed a wrong password more than “X” number of times.”
“…Make it easy for the user to understand and fix the error. Clearly explain which requirement was missed and what the user should do to correct it.”
“Put “Forgot username” and “Forgot password” links in close proximity to their respective fields.”