Previous Topic: APS Configuration File (APS.CFG)Next Topic: Obtain the OID of Realms Protected Configured for OTP Authentication


How to Configure a Separate Maximum Failure Counter and Threshold for OTP Authentication

Password cracking programs attempt to log in to accounts by trying various combinations of passwords until one works. A counter to this kind of attack is to disable a user account after a specific number of invalid passwords have been entered consecutively.

The Advanced Password Services Max Failures parameter allows you to specify the maximum number of consecutive failed passwords that can be supplied before an account is disabled.

By default, Max Failures is applied and the failure count is aggregated across all authentication mechanisms. Therefore, if a user exceeds the Max Failures threshold using any combination of authentication schemes, they are locked out. However, you can override Max Failures to configure an independent failure attempt counter and threshold for realms that are configured with OTP authentication.

A separate failure counter is maintained for overridden realms; user login failures are not aggregated between realms that are configured with OTP and all other realms.

You override Max Failures for realms that are configured with OTP authentication by specifying the following two parameters in the APS.cfg file:

Override Max Failure for Realm OIDs

Specifies the Object ID (OID) or OIDs of OTP-protected realms for which to override the Max Failure threshold.

Realm based Max Failures

Specifies the number of consecutive failed logins attempts a user can make on overridden realms before their account is disabled.

For example, consider a site that is configured to allow users to log in using a standard password or a one-time password (OTP). To configure APS to allow three failed standard password attempts or five failed OTP attempts before disabling a user account, specify the following parameters in APS.cfg:

In this case, a user can now execute two bad username and password attempts and four bad OTP attempts without their account being locked. However, if they make three bad username and password attempts or six bad OTP attempts they are locked out.

All failure counters are reset for a user account when either of the following events occurs:

  1. Obtain the OIDs of realms that are configured with OTP authentication.
  2. Configure the required parameters in the APS.cfg file.
  3. Verify that the Max Failures value is overridden for OTP authentication.