PingOne Recognize

Lockout policy

Users have a limited number of attempts to authorize access within a limited period of time. When authorization failures exceed this limit, PingOne Recognize blocks further authentication attempts for a period of time.

Three options control the limits and time periods involved.

Lockout settings and options

| Lockout configurations | Description | Default (SaaS customers) |
|---|---|---|
| Max failed attempts | Number of authorization failures allowed before lockout. | 5 |
| Time window | The window of time (in seconds) where multiple authorization failures lead to lockout. Successful authentication resets this to zero. | 600s (10 minutes) |
| Suspension period | Number of seconds the user must wait before the next authorization attempt. | 600s (10 minutes) |

On-premises deployments can customize the defaults.

How it works

The lockout policy is applied for each user of a PingOne Recognize deployment, based on an internal user ID.

Lockouts apply across the deployment, which means that a user locked out by a Web SDK app is also locked out of apps using the Mobile SDK. Developers should track authentication errors and provide appropriate responses.

Failed authentications affect the entire deployment. Any successful authentication resets the failure count to zero (0).

The lockout policy cannot be disabled. You can set values that effectively allow unlimited failures. To learn more, contact Support.

Lockout policy application

The lockout policy applies only to authentication failures.

Because PingOne Recognize generates internal IDs only when authentication succeeds, the policy doesn’t apply to enrollment failures.

When users are suspended

When users are suspended, authorization attempts fail with USER_LOCKED_OUT errors.

When this happens:

  • The user must wait until the suspension period expires. PingOne Recognize cannot cancel or bypass the suspension.

  • Additional authentication failures do not affect an active suspension period.

  • During the suspension period, PingOne Recognize blocks biometric authentication for the user. PingOne Recognize doesn’t consume additional circuits during suspension.
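
The rules above can be modelled as a small state machine, which helps when deciding how an app should respond to each attempt over time. This is an added example, not PingOne Recognize code: the class and function names are hypothetical, and it assumes a sliding time window and that the failure that reaches the limit starts the suspension, neither of which this page specifies.

```python
from dataclasses import dataclass, field

USER_LOCKED_OUT = "USER_LOCKED_OUT"  # error name taken from the page


@dataclass
class LockoutPolicy:
    """Hypothetical model of the per-user rules; defaults are the SaaS defaults."""
    max_failed_attempts: int = 5
    time_window: int = 600        # seconds
    suspension_period: int = 600  # seconds
    _failures: dict = field(default_factory=dict)         # user_id -> [timestamps]
    _suspended_until: dict = field(default_factory=dict)  # user_id -> timestamp

    def attempt(self, user_id: str, now: float, biometric_match: bool) -> str:
        """Return 'OK', 'FAILED' or USER_LOCKED_OUT for one authentication attempt."""
        if now < self._suspended_until.get(user_id, 0):
            # Attempts during a suspension are rejected and do not extend it.
            return USER_LOCKED_OUT
        if biometric_match:
            # Any successful authentication resets the failure count to zero.
            self._failures.pop(user_id, None)
            return "OK"
        # Assumption: sliding window over the most recent failures.
        recent = [t for t in self._failures.get(user_id, [])
                  if now - t < self.time_window]
        recent.append(now)
        self._failures[user_id] = recent
        # Assumption: the failure that reaches the limit starts the suspension.
        if len(recent) >= self.max_failed_attempts:
            self._suspended_until[user_id] = now + self.suspension_period
            self._failures.pop(user_id, None)
        return "FAILED"


def replay(policy, events):
    """Replay constructed (user_id, time, match) events and return the outcomes."""
    return [policy.attempt(u, t, ok) for u, t, ok in events]


# Constructed sample: five failures inside 10 minutes, two attempts during the
# suspension (one with a valid biometric), then an attempt once it has expired.
SAMPLE = [("u1", t, False) for t in (0, 30, 60, 90, 120)] + [
    ("u1", 300, True), ("u1", 719, False), ("u1", 720, True)]

if __name__ == "__main__":
    for event, outcome in zip(SAMPLE, replay(LockoutPolicy(), SAMPLE)):
        print(event, "->", outcome)
```

Because the policy is keyed on the user rather than the app, the same model applies whether the attempts arrive through the Web SDK or the Mobile SDK.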