User Lock and Login Suspension

JFrog Platform Administration Documentation


User account locking and temporary login suspension are two independent mechanisms that protect user credentials against brute-force attacks: suspension slows an attacker down by delaying repeated attempts, and locking stops the attempts altogether until an administrator intervenes.

Temporary Login Suspension

Temporary login suspension means that when a login attempt fails because incorrect credentials were supplied, the system temporarily suspends that user's account for a brief period and rejects further login attempts with an HTTP 403 status code for the duration of the suspension. If login attempts keep failing, the suspension period grows with each failure until it reaches a maximum of 60 seconds.

From Artifactory version 7.90, temporary login suspension can be modified or disabled in the UI.

Login suspension can also be configured in the Access YAML Configuration with the security.user-lock-policy.max-login-delay-incorrect-attempts setting (the number of incorrect attempts before a delay is applied) and the security.user-lock-policy.max-login-delay-millis setting (the upper bound of the delay, in milliseconds).

Note

During an upgrade to Artifactory 7.90 or higher, a one-time converter runs. If you configured the artifactory.max.incorrect.login.attempts or artifactory.security.maxLoginBlockDelay settings in the Artifactory System Properties, they are migrated to the Access service, and the properties can then be removed from the Artifactory System Properties.

Warning

On a high availability cluster, the suspension mechanism is applied on each node separately; the failed-attempt counters are not shared across the cluster. For example, if max.incorrect.login.attempts is 100 on a cluster with three nodes, the first, second and third node will each accept 99 incorrect login attempts before applying a temporary login suspension, so an attacker whose requests are spread across the nodes by a load balancer gets roughly three times as many attempts against a single account as the setting suggests.
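The following model, added here as an example and not JFrog's code, puts numbers on the two points above: the escalating suspension window described under Temporary Login Suspension, and the per-node counting from the warning. It reads the two Access YAML keys named on this page from a constructed config fragment and then simulates a brute-force burst against one node and against a three-node cluster. Everything marked ASSUMPTION is not stated on the page: the nested YAML layout of the keys, the length of the first suspension window (1 second), the doubling of that window on each further failure, and the exact failure at which the window starts.

```python
"""Model of Artifactory's temporary login suspension as described on this page.
Added example, not JFrog code; items marked ASSUMPTION are not on the page."""
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed access.config.yaml fragment using the two keys named on this page.
# ASSUMPTION: the dotted setting names nest like this and take integer values.
ACCESS_CONFIG_YAML = """\
security:
  user-lock-policy:
    max-login-delay-incorrect-attempts: 100
    max-login-delay-millis: 60000
"""


def parse_simple_yaml(text: str) -> dict:
    """Tiny indentation-based 'key: value' parser, enough for the fragment above.
    Not a general YAML parser; use PyYAML for real config files."""
    root: dict = {}
    stack = [(-1, root)]                     # (indent, mapping being filled)
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        key, _, value = raw.strip().partition(":")
        while indent <= stack[-1][0]:        # leave mappings that ended
            stack.pop()
        parent, value = stack[-1][1], value.strip()
        if value == "":                      # a nested mapping follows
            child: dict = {}
            parent[key] = child
            stack.append((indent, child))
        else:
            parent[key] = int(value) if value.isdigit() else value
    return root


@dataclass
class SuspensionPolicy:
    max_incorrect_attempts: int   # security.user-lock-policy.max-login-delay-incorrect-attempts
    max_delay_ms: int             # security.user-lock-policy.max-login-delay-millis
    base_delay_ms: int = 1000     # ASSUMPTION: first window length; the page only gives the 60 s cap

    @classmethod
    def from_yaml(cls, text: str) -> "SuspensionPolicy":
        cfg = parse_simple_yaml(text)["security"]["user-lock-policy"]
        return cls(cfg["max-login-delay-incorrect-attempts"], cfg["max-login-delay-millis"])


@dataclass
class UserState:
    failures: int = 0
    delay_ms: int = 0
    suspended_until_ms: int = 0


@dataclass
class NodeLoginGuard:
    """Suspension state held by ONE node. Nothing is shared between instances,
    which is exactly the HA caveat: every node counts failures on its own."""
    policy: SuspensionPolicy
    users: Dict[str, UserState] = field(default_factory=dict)

    def attempt(self, user: str, credentials_ok: bool, now_ms: int) -> int:
        """HTTP status of one login attempt: 200 success, 401 wrong credentials,
        403 suspended (the credentials are not evaluated at all)."""
        st = self.users.setdefault(user, UserState())
        if now_ms < st.suspended_until_ms:
            return 403
        if credentials_ok:
            self.users[user] = UserState()   # success clears the counters
            return 200
        st.failures += 1
        if st.failures >= self.policy.max_incorrect_attempts:
            # ASSUMPTION: window opens at the threshold failure, doubles on each
            # further failure, and is capped at max-login-delay-millis.
            grown = self.policy.base_delay_ms if st.delay_ms == 0 else st.delay_ms * 2
            st.delay_ms = min(self.policy.max_delay_ms, grown)
            st.suspended_until_ms = now_ms + st.delay_ms
        return 401


def free_attempts_before_suspension(n_nodes: int, policy: SuspensionPolicy,
                                    user: str = "alice") -> int:
    """Wrong passwords sent round-robin across the nodes (what a load balancer does
    for an attacker) in one burst at t=0; counts attempts evaluated before the first 403."""
    nodes = [NodeLoginGuard(policy) for _ in range(n_nodes)]
    evaluated = 0
    for i in range(n_nodes * policy.max_incorrect_attempts + 1):
        if nodes[i % n_nodes].attempt(user, False, now_ms=0) == 403:
            break
        evaluated += 1
    return evaluated


def suspension_windows(policy: SuspensionPolicy, extra_failures: int,
                       user: str = "bob") -> List[int]:
    """Window length (ms) at the threshold failure and at each later failure, with the
    attacker waiting out every window before the next wrong password."""
    node, now = NodeLoginGuard(policy), 0
    for _ in range(policy.max_incorrect_attempts - 1):
        node.attempt(user, False, now)
    windows: List[int] = []
    for _ in range(extra_failures + 1):
        node.attempt(user, False, now)
        st = node.users[user]
        windows.append(st.delay_ms)
        now = st.suspended_until_ms
    return windows


if __name__ == "__main__":
    pol = SuspensionPolicy.from_yaml(ACCESS_CONFIG_YAML)
    for n in (1, 3):
        print(f"{n} node(s): {free_attempts_before_suspension(n, pol)} attempts before the first 403")
    print("window lengths (ms):", suspension_windows(pol, 7))
```

With the fragment above, a single node evaluates 100 wrong passwords before the first 403, while a three-node cluster evaluates 300, because each node keeps its own counter; the windows then grow 1, 2, 4, ... seconds until the 60-second cap. When sizing max-login-delay-incorrect-attempts for a cluster, divide the budget you actually want by the node count, or put account locking in front of it, since locking is the mechanism that stops the attempts outright.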

User Account Locking

In addition to temporary login suspension, you can lock a user's account after a specified number of failed login attempts. To enable this, select the Lock User After Exceeding Max Failed Login Attempts check box and enter a value in the Max Failed Login Attempts field. A user whose account is locked because the number of failed login attempts exceeded this value cannot unlock it themselves; an administrator must unlock the account.

Unlocking User Accounts

An administrator can unlock all locked-out users by clicking Unlock All Users on the User Management | Settings page, where user locking is configured. An administrator can also unlock a specific user or a group of users on the User Management | Users page.


Through the REST API, an administrator can unlock a single user, a group of users, or all locked-out users at once. See the REST API documentation for Unlock User, Unlock Locked-Out Users, and Unlock All Locked-Out Users.
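The following helper, added here as an example and not JFrog's code, maps the three unlock operations named above to REST calls. The endpoint paths are the ones documented in the Artifactory REST API security section that this page refers to; the page itself does not quote them, so check them against your Artifactory version. The bearer-token header, the base URL and the user names are assumptions for illustration.

```python
"""Unlock locked-out Artifactory users through the REST API.
Added example, not JFrog's code; endpoint paths are from the Artifactory REST API
security documentation and should be verified against your version."""
import json
import urllib.parse
import urllib.request
from typing import Callable, Iterable, Optional, Tuple


def build_unlock_request(base_url: str,
                         users: Optional[Iterable[str]] = None) -> Tuple[str, Optional[bytes]]:
    """Map the page's three operations to (url, JSON body):
    users=None -> unlock all; one name -> unlockUsers/{name}; several -> JSON list body."""
    base = base_url.rstrip("/")                 # e.g. https://host/artifactory (assumed)
    if users is None:
        return f"{base}/api/security/unlockAllUsers", None
    names = list(users)
    if not names:
        raise ValueError("users must be None (unlock all) or a non-empty list")
    if len(names) == 1:
        return f"{base}/api/security/unlockUsers/{urllib.parse.quote(names[0], safe='')}", None
    return f"{base}/api/security/unlockUsers", json.dumps(names).encode()


def unlock(base_url: str, token: str, users: Optional[Iterable[str]] = None,
           opener: Callable = urllib.request.urlopen) -> Tuple[int, str]:
    """POST the unlock request as an administrator and return (status, body).
    `opener` is injectable so the call can be dry-run or tested without a server."""
    url, body = build_unlock_request(base_url, users)
    req = urllib.request.Request(url, data=body, method="POST")
    req.add_header("Authorization", f"Bearer {token}")   # ASSUMPTION: access-token auth
    if body is not None:
        req.add_header("Content-Type", "application/json")
    with opener(req) as resp:
        return resp.status, resp.read().decode()


if __name__ == "__main__":
    import os
    # Assumed environment variables; unlocks two constructed user names.
    status, text = unlock(os.environ["ARTIFACTORY_URL"], os.environ["ARTIFACTORY_TOKEN"],
                          users=["alice", "bob"])
    print(status, text)
```

Unlocking requires an administrator identity, so the token used here must belong to an admin user; unlocking all users at once clears every lockout, including ones caused by an attack still in progress, so prefer the per-user or list form when you know which accounts were locked legitimately.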