Lockout Policy
v5.0.0 and Above
From SDK version 5.0.0 onward, the lockout policy is configured on the server side and errors count towards the policy regardless of whether they occur on the client or server side.
If you have questions or want to request policy changes, contact the PingOne Recognize team.
v4.8.2 and Below
PingOne Recognize has both client-side (specific device) and server-side (all users/devices) lockout policies to help prevent brute-force attacks.
Client-side lockout is configurable in the SDK and determines how many failed login attempts (lockoutAttemptsThreshold) are allowed over a set time period (lockoutAttemptsResetAfter) before the user is locked out for lockoutDuration on that device.
lockoutDuration must be greater than or equal to lockoutAttemptsResetAfter, so that an active lockout is not cleared when the failed-attempt counter resets.

```kotlin
lockoutDuration: Long,           // seconds - default 300
lockoutAttemptsResetAfter: Long, // seconds - default 180
lockoutAttemptsThreshold: Int    // number of failed attempts - default 5
```
Server-side lockout works similarly, except it applies to all authentication devices for a specific user and is configured to lock a user out for 10 minutes after 5 failed attempts. A successful login resets the failed-attempt count to zero.
Lockout Options and Defaults
When a user exceeds a maximum number of failed attempts within a specified time window, they are locked out for the defined suspension period. This behavior is controlled by three settings:
| Lockout configuration | Description | Defaults (SaaS customers) |
|---|---|---|
| Max failed attempts | How many failed authentications a user is allowed before being locked out for the defined suspension period. | 5 |
| Time window | The period (in seconds) in which failed authentication attempts are counted. Any successful authentication resets this count to zero. | 600 (10 minutes) |
| Suspension period | How long (in seconds) the account is suspended when max failed attempts are exceeded during the time window. | 600 (10 minutes) |
How It Works
- The policy is applied per PingOne Recognize instance, per PingOne Recognize ID (single user).
- If you use component interoperability (users authenticating on both Web and Mobile), errors and lockouts apply to both Web and Mobile.
- Failed authentications are counted across the configured time window. Any successful authentication before the threshold is reached resets the failed-attempt count to zero.
- The lockout policy cannot be disabled. For less restrictive behavior, increase the maximum failed attempts and/or make the time window less sensitive.
- To change settings, contact a PingOne Recognize team member or support@keyless.io.
When the Lockout Policy Applies
- The lockout policy applies to authentication flows, not enrollment flows.
- From SDK v5.3.x onward, the lockout policy also applies to Account Recovery using Enroll from Client State.
- Lockout cannot be applied to enrollment failures because no PingOne Recognize ID has been generated yet.
If a User Is Locked Out
- Any authentication attempt for that PingOne Recognize ID returns 30007 (User Lockout).
- Users must wait for the lockout duration to expire; there is no bypass.
- If a user attempts authentication while locked out, the time window does not reset.
- During lockout, biometric authentication is not attempted and circuits are not consumed.
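The following model, added here as an illustration and not code from the PingOne Recognize SDK or service, puts the client-side settings (lockoutAttemptsThreshold, lockoutAttemptsResetAfter, lockoutDuration) and the server-side rules above into one small policy engine so the behaviours can be checked concretely: a success zeroes the counter, attempts during lockout return 30007 without touching the window, and a lockout that expires starts the user from a clean slate. The class and function names, the `OK`/`AUTH_FAILED` codes, and the sliding-window interpretation of the time window are assumptions of this example; only 30007 and the default values come from the page.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Error code documented on this page for attempts against a locked-out ID.
USER_LOCKOUT = 30007
# Constructed placeholders for this model: the page documents no return codes
# for an ordinary success or a not-yet-locked failure.
OK = 0
AUTH_FAILED = 1


@dataclass
class LockoutPolicy:
    """The three settings the page describes (seconds / attempts). Defaults
    match the client-side SDK defaults; pass (5, 600, 600) for the server side."""
    attempts_threshold: int = 5      # lockoutAttemptsThreshold / max failed attempts
    attempts_reset_after: int = 180  # lockoutAttemptsResetAfter / time window
    lockout_duration: int = 300      # lockoutDuration / suspension period

    def __post_init__(self) -> None:
        # The page's rule: the lockout must outlive the attempt-counter window.
        if self.lockout_duration < self.attempts_reset_after:
            raise ValueError("lockoutDuration must be >= lockoutAttemptsResetAfter")


@dataclass
class _IdState:
    failure_times: List[float] = field(default_factory=list)
    locked_until: Optional[float] = None


class LockoutTracker:
    """One tracker per policy scope (a device on the client side, a Recognize
    instance on the server side). State is kept per user / Recognize ID."""

    def __init__(self, policy: LockoutPolicy) -> None:
        self.policy = policy
        self._ids: Dict[str, _IdState] = {}

    def _state(self, user_id: str) -> _IdState:
        return self._ids.setdefault(user_id, _IdState())

    def is_locked(self, user_id: str, now: float) -> bool:
        st = self._state(user_id)
        return st.locked_until is not None and now < st.locked_until

    def attempt(self, user_id: str, biometric_matched: bool, now: float) -> int:
        """Record one authentication attempt at time `now` and return its code."""
        p, st = self.policy, self._state(user_id)
        if self.is_locked(user_id, now):
            # Locked: reject before any biometric work; nothing is reset or extended.
            return USER_LOCKOUT
        if st.locked_until is not None:
            st.locked_until = None  # lockout expired: start from a clean slate
            st.failure_times.clear()
        if biometric_matched:
            st.failure_times.clear()  # any success zeroes the failed-attempt count
            return OK
        # Modelling assumption: a sliding window, so failures older than the
        # window fall out before the new one is counted.
        st.failure_times = [t for t in st.failure_times if now - t < p.attempts_reset_after]
        st.failure_times.append(now)
        if len(st.failure_times) >= p.attempts_threshold:
            st.locked_until = now + p.lockout_duration
            st.failure_times.clear()
        return AUTH_FAILED


def demo_server_lockout() -> List[int]:
    """Server defaults: five failures 10 s apart lock the ID until t=640, so even a
    correct biometric at t=100 gets 30007; by t=640 the lock has expired."""
    tracker = LockoutTracker(LockoutPolicy(5, 600, 600))
    codes = [tracker.attempt("recognize-id-A", False, t) for t in range(0, 50, 10)]
    codes.append(tracker.attempt("recognize-id-A", True, 100))
    codes.append(tracker.attempt("recognize-id-A", True, 640))
    return codes  # [1, 1, 1, 1, 1, 30007, 0]


def demo_window_reset() -> tuple:
    """Client defaults: four failures at t=0..3, then a fifth. At t=100 it is still
    inside the 180 s window and locks; at t=200 the first four have aged out."""
    tracker = LockoutTracker(LockoutPolicy(5, 180, 300))
    for user in ("prompt", "late"):
        for t in range(4):
            tracker.attempt(user, False, t)
    tracker.attempt("prompt", False, 100)
    tracker.attempt("late", False, 200)
    return tracker.is_locked("prompt", 101), tracker.is_locked("late", 201)  # (True, False)


def demo_success_resets() -> bool:
    """Four failures, one success, four more failures: the threshold is never reached."""
    tracker = LockoutTracker(LockoutPolicy())
    for t in range(4):
        tracker.attempt("u", False, t)
    tracker.attempt("u", True, 4)
    for t in range(5, 9):
        tracker.attempt("u", False, t)
    return tracker.is_locked("u", 9)  # False
```

Because the lockout timestamp is stored separately from the failure list, an attempt made while locked cannot shorten or lengthen the suspension, which is the property the "time window does not reset" bullet describes; the constructor check enforces the page's ordering rule between lockoutDuration and lockoutAttemptsResetAfter before any state exists.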