Lazy Diary @ Hatena Blog

PowerShell / Java / miscellaneous things about software development, Tips & Gochas. CC BY-SA 4.0/Apache License 2.0

What can you do with account lockout and its unlock

Purpose of account lockout

Account lockout serves several purposes, such as:

  • Detect login attempts [1]
    • Example: Logging [2]
  • Slow down login attempts
    • Example: Duration-based lockout, scrypt, Argon2
  • Interrupt login attempts
    • Example: Requiring multi-factor authentication
  • Passive countermeasure against login attempts
    • Example: Requiring a phone call to an administrator [3]
  • Active countermeasure against login attempts
    • Example: Taking a photo with the front camera [4]
  • Prevent information leakage
    • Example: Data wipe

Method for unlock

There are several ways to unlock a locked account, such as:

  • Operation-less unlock: Unlock after account lockout duration (e.g. Account Lockout Policies in Windows)
  • Operation by oneself: Unlock with e-mail or SMS (e.g. Twitter)
  • Operation by others: Unlock with the operation of administrators (e.g. Active Directory)

Note that an unlock operation performed by the user should rely on an authentication factor other than something you know (such as a password); otherwise the attacker can simply keep guessing after each unlock.
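As an added illustration (not code from the original post), here is a small Python model of the lockout purposes and the three unlock methods above: a scrypt-hashed password for slow-down, an attempt log for detection, time-based expiry for the operation-less unlock, a one-time out-of-band token for the self-service unlock (the password is never accepted as the unlock factor), and an administrator unlock. The threshold, the duration and the simulated e-mail/SMS delivery are assumptions.

```python
import hashlib, hmac, secrets
from dataclasses import dataclass, field

LOCKOUT_THRESHOLD = 5       # failed logins before the account locks (assumed)
LOCKOUT_DURATION = 15 * 60  # seconds; the operation-less unlock simply waits this out

def hash_pw(password, salt):
    # scrypt is one of the "slow down" measures the article names
    return hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)

@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    failures: int = 0
    locked_until: float = 0.0  # timestamp; 0 means not locked
    unlock_token: bytes = b""  # one-time token delivered by e-mail/SMS
    log: list = field(default_factory=list)  # "detect": every event is recorded

def login(acct, password, now):
    if now < acct.locked_until:
        acct.log.append((now, "rejected while locked"))  # password is not even checked
        return False
    if hmac.compare_digest(hash_pw(password, acct.salt), acct.pw_hash):
        acct.failures = 0
        return True
    acct.failures += 1
    acct.log.append((now, "login failed"))
    if acct.failures >= LOCKOUT_THRESHOLD:
        acct.locked_until = now + LOCKOUT_DURATION
        acct.log.append((now, "locked"))
    return False

def issue_unlock_token(acct):
    # Self-service unlock: the token travels by e-mail/SMS (a "something you
    # have" factor, simulated here by returning it); the password is never accepted.
    acct.unlock_token = secrets.token_bytes(16)
    return acct.unlock_token

def unlock_with_token(acct, token, now):
    if not acct.unlock_token or not hmac.compare_digest(token, acct.unlock_token):
        return False
    acct.unlock_token, acct.locked_until, acct.failures = b"", 0.0, 0  # single use
    acct.log.append((now, "unlocked by user"))
    return True

def admin_unlock(acct, admin, now):
    acct.locked_until, acct.failures = 0.0, 0
    acct.log.append((now, f"unlocked by admin {admin}"))
```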

Suitable purpose and situation

Each unlock method has its own suitable purposes and situations. For example, unlocking after the lockout duration can detect and slow down login attempts, but cannot interrupt them. Also, some systems treat the lockout duration as downtime (e.g. the operator-side interface of a call center system, which requires real-time operation), and some do not (e.g. Facebook, where users can still read articles and messages after unlocking). It depends on the features of the system. The table below shows the purposes that each unlock method fulfills.

 #  Purpose                      | Unlock after lockout duration | Unlock with e-mail or SMS | Unlock with operation of administrators
 1  Detect attempts              |                               |                           |
 2  Slow down attempts           |                               |                           |
 3  Interrupt attempts           |                               |                           |
 4  Passive countermeasure       |                               |                           |
 5  Active countermeasure        |                               |                           |
 6  Prevent information leakage  |                               |                           |

  [1] In this list, "login attempts" means a brute force attack, a dictionary attack, or a password list attack. IP-based lockout to prevent reverse brute force attacks is out of the scope of this article.

  [2] Strictly speaking, this is not a feature of the account lockout function itself.

  [3] In Japan, every phone call (and its geolocation information) is logged by carriers, and the police can access the logs.

  [4] Only for smartphone apps or teleconference systems (it requires cameras, and the adversary has to be in front of them).