[FEATURE-1570] User lockout feature

We’re running Ignition 8.0.6. Users log in to our Perspective projects through the built-in ID provider referencing back to a manual-mode user DB.

One of our employees couldn’t log in. He then asked an admin to reset his password, who did, but he was still unable to log in.

I came by 20+ minutes later and reset the password and he was able to log in just fine.

Looking back through the server log, I see lines like this around the time of his original login and the attempts just after the admin reset it:

INFO   | jvm 1    | 2019/12/03 17:28:00 | I [U.DB_ManualMode               ] [17:28:00]: User 'xxx' is now locked out route-group=authn, route-path=/submit-username-password-challenge/:client-id
INFO   | jvm 1    | 2019/12/03 17:31:53 | I [U.DB_ManualMode               ] [17:31:53]: User 'xxx' is locked out route-group=authn, route-path=/submit-username-password-challenge/:client-id
INFO   | jvm 1    | 2019/12/03 17:33:08 | I [U.DB_ManualMode               ] [17:33:08]: User 'xxx' is locked out route-group=authn, route-path=/submit-username-password-challenge/:client-id
INFO   | jvm 1    | 2019/12/03 17:34:11 | I [U.DB_ManualMode               ] [17:34:11]: User 'xxx' is locked out route-group=authn, route-path=/submit-username-password-challenge/:client-id

I found the lockout settings on the user DB page, and assume that must be what was going on. I’ve searched the manual and forums for more details on the lockout feature, but I’m not finding anything.

Is there anything an admin could have done to reset the lockout period and allow him to log in sooner?
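As an added example (not code from this post or from Ignition), a small Python 3 script that parses wrapper-log lines in the format quoted above and separates the moment a user becomes locked out from the logins rejected while the lockout lasts, so an admin can spot a lockout from the log alone. The sample lines are constructed, and the two message variants and the regex are assumptions based only on the lines quoted in this post.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the format of the Ignition wrapper log quoted above;
# the timestamps and the username 'xxx' are placeholders, not real data.
SAMPLE_LOG = """\
INFO   | jvm 1    | 2019/12/03 17:28:00 | I [U.DB_ManualMode               ] [17:28:00]: User 'xxx' is now locked out route-group=authn, route-path=/submit-username-password-challenge/:client-id
INFO   | jvm 1    | 2019/12/03 17:31:53 | I [U.DB_ManualMode               ] [17:31:53]: User 'xxx' is locked out route-group=authn, route-path=/submit-username-password-challenge/:client-id
INFO   | jvm 1    | 2019/12/03 17:33:08 | I [U.DB_ManualMode               ] [17:33:08]: User 'xxx' is locked out route-group=authn, route-path=/submit-username-password-challenge/:client-id
INFO   | jvm 1    | 2019/12/03 17:34:11 | I [U.DB_ManualMode               ] [17:34:11]: User 'xxx' is locked out route-group=authn, route-path=/submit-username-password-challenge/:client-id
"""

# One pattern for both message variants (assumed from the quoted lines): "is now
# locked out" is the moment the lockout starts; a plain "is locked out" is a
# login rejected while the user is still locked.
LOCKOUT_RE = re.compile(
    r"^\S+\s*\|\s*jvm \d+\s*\|\s*(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\s*\|"
    r".*?User '(?P<user>[^']+)' is (?P<now>now )?locked out"
)


def parse_lockouts(log_text):
    """Map each user to the start of their latest lockout and the rejected attempts since."""
    events = defaultdict(lambda: {"locked_at": None, "rejected": []})
    for line in log_text.splitlines():
        m = LOCKOUT_RE.search(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%Y/%m/%d %H:%M:%S")
        entry = events[m.group("user")]
        if m.group("now"):
            entry["locked_at"] = ts
            entry["rejected"] = []  # a new lockout window starts; count from here
        else:
            entry["rejected"].append(ts)  # start may predate the log (rotation)
    return dict(events)


def lockout_report(log_text):
    """Per user: lockout start, rejected logins, seconds from start to last rejection."""
    report = {}
    for user, e in parse_lockouts(log_text).items():
        last = e["rejected"][-1] if e["rejected"] else e["locked_at"]
        secs = int((last - e["locked_at"]).total_seconds()) if e["locked_at"] else None
        report[user] = {"locked_at": e["locked_at"], "rejected_attempts": len(e["rejected"]),
                        "seconds_still_locked": secs}
    return report
```

Running `lockout_report(SAMPLE_LOG)` on the constructed sample reports one user, locked out at 17:28:00 with three rejected logins over the following 371 seconds; a user whose "is now locked out" line was lost to log rotation is reported with `locked_at` and `seconds_still_locked` set to `None`.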

Hi @justin.brzozoski -

The only way to immediately clear the lockout is to disable lockout on a user source profile and save. You can then immediately re-enable the lockout and save (if you wish to keep it enabled). This clears all current lockouts for all users for the user source profile.

There should be an entry in the audit log for a user lockout event. As of 8.1.0 there isn’t.

I added a ticket for auditing the moment a user becomes locked out.

There is no feedback to the user that login failures are due to a locked account. This is a poor UX. Can we add another feature to the backlog to fix that?

This is security, which I’ll grant you can be interpreted as poor UX. Leaking information about why a login attempt fails is bad practice.
