Lockout Policy

This page explains how the Lockout Policy works, what the implications are for users, and how it is set.

Lockout options and defaults

When a user exceeds a maximum number of failed attempts within a specified time window, they are locked out for the configured suspension period. This is controlled by three configurable settings; the definition and default of each is listed below.

Lockout configuration | Description | Default (SaaS customers)
--- | --- | ---
Max failed attempts | How many failed authentications a user is allowed before being "locked out" for the defined suspension period. | 5
Time window | The period (X seconds) within which the consecutive failed authentication attempts must occur for authentication to be suspended. Any successful authentication resets the count to zero. | 600s (10 minutes)
Suspension period | How long the account is suspended (in seconds) once the max failed attempts is exceeded within the defined time window. | 600s (10 minutes)

How it works

  • The policy is applied per Keyless instance, per Keyless ID (representing a single user).

    • For this reason, customers that authenticate users on both WebSDK and MobileSDK should note that a user's failed attempts, and any subsequent lockout, apply to both Web and Mobile authentication attempts.

  • We count failed authentications across the given time window (see table above). Any successful authentication before reaching the failed attempt threshold resets the failed attempt count to zero.

  • The lockout policy cannot be disabled. If a non-restrictive behavior is desired, it's recommended to set a high max failed attempts value and/or reduce sensitivity in the time window settings.

  • If you would like to change the settings at any time, get in touch with a Keyless team member or [email protected]

When is the lockout policy applied?

The lockout policy applies to Authentications but is not applied at all to enrollment flows.


Note in the case of an enrollment failure, the reason the lockout policy cannot be applied is that no Keyless ID has been generated and it is therefore not possible for Keyless to track the relationship between enrollment attempts.

If a user is locked-out

Any further authentication attempt will receive a USER_LOCKED_OUT error.

  • They must wait for the lockout duration to expire. There is no way to override or bypass this lockout.

  • If a user attempts to authenticate while being locked out, the Time Window doesn’t reset even if it’s presented with an error for having reached the maximum number of attempts.

    • In this case the biometric authentication is not attempted at all and circuits are not consumed.
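The behaviour described above, as an added illustration that is not Keyless's own code: a per-Keyless-ID failure window and suspension timer using the SaaS defaults from the table. The biometric check is a stand-in callable, the ID and timestamps are constructed, and the decision to start the failure count fresh after a suspension is an assumption the page does not state.

```python
from dataclasses import dataclass, field
from typing import Callable

# Defaults for SaaS customers, as listed in the table above.
MAX_FAILED_ATTEMPTS = 5
TIME_WINDOW_SECONDS = 600.0
SUSPENSION_SECONDS = 600.0

AUTH_OK, AUTH_FAILED, USER_LOCKED_OUT = "OK", "AUTH_FAILED", "USER_LOCKED_OUT"


@dataclass
class LockoutState:
    failures: list[float] = field(default_factory=list)  # timestamps of recent failures
    locked_until: float = 0.0                              # end of the suspension period


@dataclass
class LockoutPolicy:
    max_failed: int = MAX_FAILED_ATTEMPTS
    window: float = TIME_WINDOW_SECONDS
    suspension: float = SUSPENSION_SECONDS
    # State is keyed per Keyless ID only, so Web and Mobile attempts share one counter.
    states: dict[str, LockoutState] = field(default_factory=dict)

    def authenticate(self, keyless_id: str, now: float,
                     biometric_check: Callable[[], bool]) -> str:
        st = self.states.setdefault(keyless_id, LockoutState())
        if now < st.locked_until:
            # Locked out: reject before the biometric check runs (no circuits consumed)
            # and leave the failure window untouched.
            return USER_LOCKED_OUT
        if biometric_check():
            st.failures.clear()  # any success resets the failed-attempt count
            return AUTH_OK
        # Record this failure and drop any that fall outside the time window.
        st.failures = [t for t in st.failures + [now] if now - t < self.window]
        if len(st.failures) >= self.max_failed:
            st.locked_until = now + self.suspension
            st.failures.clear()  # assumption: the count starts fresh after a suspension
        return AUTH_FAILED


def simulate_default_policy() -> list[str]:
    """Constructed scenario: five failures 10 s apart, then attempts during and after lockout."""
    policy, uid = LockoutPolicy(), "keyless-id-demo"  # constructed sample ID
    results = [policy.authenticate(uid, 10.0 * i, lambda: False) for i in range(5)]
    results.append(policy.authenticate(uid, 45.0, lambda: True))   # locked until t=640
    results.append(policy.authenticate(uid, 641.0, lambda: True))  # suspension over
    return results
```

The sixth attempt is rejected with USER_LOCKED_OUT even though the biometrics would have matched, and the check is never invoked while the suspension is active.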
