User Lock and Login Suspension

JFrog Platform Administration Documentation


User account locking and temporary login suspension are two mechanisms employed to prevent identity theft via brute force attack.

Temporary Login Suspension

Temporary login suspension means that when a login attempt fails due to incorrect authentication credentials being used, the system will temporarily suspend that user's account for a brief period of time during which additional login attempts will be ignored. If login attempts fail repeatedly, the suspension period is increased each time until it reaches a maximum of 60 seconds.

Warning

It is possible to modify or disable the temporary login suspension using Security Configuration in Artifactory YAML settings. The loginBlockDelay setting can be set to 0 to disable failed login suspensions, or the maximum number of failed logins can be changed by increasing the max.incorrect.login.attempts value. For example, when using max.incorrect.login.attempts=100 on a high availability cluster with 3 nodes, the first, second and third node will each accept 99 incorrect login attempts before there is a temporary login suspension. See Security Configurations in Artifactory YAML.
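Because each node in the cluster example above counts failed logins separately, a monitoring check can sum failures across nodes to catch attempts that stay under every node's limit. The following is an added example, not JFrog code: the event format, the function names and the five-minute window are assumptions, and the sample events are constructed.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed events in a hypothetical "timestamp node user outcome" format;
# this is not Artifactory's log format. Adapt parse_events() to your own logs.
SAMPLE_EVENTS = """
2024-05-01T09:00:00 node-1 dave FAIL
2024-05-01T09:30:00 node-2 dave FAIL
2024-05-01T10:00:00 node-3 dave FAIL
2024-05-01T10:00:00 node-1 alice FAIL
2024-05-01T10:00:05 node-2 alice FAIL
2024-05-01T10:00:10 node-3 alice FAIL
2024-05-01T10:00:15 node-1 alice FAIL
2024-05-01T10:00:20 node-2 alice FAIL
2024-05-01T10:00:25 node-3 alice FAIL
2024-05-01T10:01:00 node-1 bob FAIL
2024-05-01T10:01:05 node-1 bob FAIL
2024-05-01T10:01:10 node-1 bob FAIL
"""

def parse_events(text):
    """Parse non-empty lines into time-ordered (time, node, user, outcome)."""
    rows = (line.split() for line in text.splitlines() if line.strip())
    return sorted((datetime.fromisoformat(ts), node, user, outcome)
                  for ts, node, user, outcome in rows)

def flag_spread_failures(events, per_node_limit, window=timedelta(minutes=5)):
    """Return {user: (total, per-node counts)} where failures summed over all
    nodes reach per_node_limit in the window while every node stays below it."""
    failures = defaultdict(list)
    for ts, node, user, outcome in events:
        if outcome == "FAIL":
            failures[user].append((ts, node))
    flagged = {}
    for user, items in failures.items():
        start = 0
        for end in range(len(items)):
            while items[end][0] - items[start][0] > window:
                start += 1  # slide the window forward
            per_node = Counter(node for _, node in items[start:end + 1])
            total = end - start + 1
            if (total >= per_node_limit and max(per_node.values()) < per_node_limit
                    and total > flagged.get(user, (0,))[0]):
                flagged[user] = (total, dict(per_node))
    return flagged

if __name__ == "__main__":
    print(flag_spread_failures(parse_events(SAMPLE_EVENTS), per_node_limit=3))
```

With the constructed data and a demonstration limit of 3, only alice is reported: bob reaches the limit on a single node, and dave's failures are too far apart in time.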

User Account Locking

In addition to temporary login suspension, you can lock a user's account after a specified number of failed login attempts. This is enabled by selecting the "Lock User After Exceeding Max Failed Login Attempts" check box, and specifying the Max Failed Login Attempts field. Users who get locked out of their account because they have exceeded the maximum number of failed login attempts allowed (as specified in Max Failed Login Attempts) must have administrator access to unlock their account.

Unlocking User Accounts

An administrator can unlock all locked-out users by clicking Unlock All Users in the User Management | Settings page where user locking is configured. An administrator can also unlock a specific user or a group of users in User Management | Users.


Through the REST API, an administrator can unlock a single user, a group of users, or all locked-out users at once. See Unlock User, Unlock Locked-Out Users, and Unlock All Locked Out Users.