Question
Pegasystems Inc.
JP
Last activity: 25 Jan 2017 5:46 EST
How to revoke login password of an Operator if failed login attempts exceed a given threshold value
We have a requirement that states "the login password of an Operator should be revoked if failed login attempts exceed a given threshold value".
If we enable the security policy OOTB feature of "Enable authentication lockout penalty mechanism", it only introduces a delay but doesn't revoke the password.
Accepted Solution
Updated: 23 Dec 2015 1:08 EST
Pegasystems Inc.
JP
HFIX-25414 is provided from product team for PRPC v7.1.9.
Pegasystems
IN
Please refer to this PDN document on security policy. This contains the number of tries before the operator gets locked out - https://pdn.pega.com/security/how-to-configure-login-security-and-password-policies
Pegasystems Inc.
JP
Hi Rajiv,
We have tried the security policy settings described in the article you suggested; however, "lock out" only introduces a time delay, it didn't revoke the operator's password. This means you can wait until the lockout penalty period ends and then log in again with the old password.
Pegasystems Inc.
US
Chunzhi,
The lack of a policy option to lock out an account after a certain number of failed attempts until an administrator manually unlocks it is surprising. I see this approach in practice more than I see the cooling-off period option that is currently available. I would encourage you to submit an enhancement request for it in ML10 since account lockout, in my experience, is standard functionality in most authentication systems.
Matt
Pegasystems Inc.
JP
Pegasystems Inc.
IN
Hi Chunzhi, Good Morning!
- maybe after a certain number of failure attempts,
- we have to update the property 'pyPwdCurrent' of the Operator ID by doing an Obj-Open/By-Handle to a known value of the administrator.
- the activity Data-Portal.ShowDeskTop will be updated/customized...
  - to find the failure attempts
  - if it is over (a value defined via DSS)
  - update property 'pyPwdCurrent'
Please share your comments/thoughts, Thank you!
psahukaru
Pegasystems Inc.
JP
My feeling is, it should be handled by PRServlet, which performs authentication.
I don't think there is any way that we can find the number of failed login attempts at the moment the ShowDesktop activity gets executed,
since the activity will be executed only after successful authentication, and once a user successfully logs in to the system, the failure count for previous login attempts should have been cleared.
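To make the two behaviours discussed above concrete (the OOTB penalty that only delays, versus a lockout that needs an administrator to unlock, and the failure counter being cleared on a successful login so a post-login check sees zero), here is an added illustration in Python. It is not Pega code; the class, policy names and the threshold/penalty constants are hypothetical stand-ins for the DSS settings.

```python
# Added illustration (not Pega code): a minimal account store with a
# failed-attempt counter and two lockout policies. Names are hypothetical.
import hashlib
import hmac
import os
import time

THRESHOLD = 3          # stand-in for the DSS-configured attempt limit
PENALTY_SECONDS = 60   # stand-in for the OOTB lockout penalty duration


class Account:
    def __init__(self, password, policy):
        self.salt = os.urandom(16)
        self.pw_hash = self._hash(password)
        self.policy = policy          # "penalty" (OOTB-style) or "revoke"
        self.failures = 0
        self.locked_until = 0.0       # used by the penalty policy only
        self.revoked = False          # used by the revoke policy only

    def _hash(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 50_000)

    def login(self, password, now=None):
        now = time.time() if now is None else now
        if self.revoked:
            return "revoked"          # correct password is useless until admin unlock
        if now < self.locked_until:
            return "penalty"          # temporary delay; old password works afterwards
        if hmac.compare_digest(self._hash(password), self.pw_hash):
            self.failures = 0         # counter cleared on success, so a check run
            return "ok"               # after login (e.g. in ShowDesktop) sees zero
        self.failures += 1
        if self.failures >= THRESHOLD:
            if self.policy == "revoke":
                self.revoked = True   # stays locked until admin_unlock()
            else:
                self.locked_until = now + PENALTY_SECONDS
                self.failures = 0     # penalty served, counter starts over
        return "bad_password"

    def admin_unlock(self, new_password):
        # Administrator resets the credential; the old password is gone.
        self.revoked = False
        self.failures = 0
        self.pw_hash = self._hash(new_password)
```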
Pegasystems Inc.
IN
Hi Chunzhi, Good Morning!
Not sure if this is a clean approach, but please find below the steps to restrict a user from logging into the application if the maximum allowed failure attempt limit is reached....
Created an activity to get the count of login failure attempts...
The list view 'ListofLoginFailures' is overridden in the application layer with the operator ID as a parameter.
read the failure count into a parameter
Created a wrapper activity to OOTB Data-Portal.ShowDesktop with a precondition (Param.Count > 3: read from DSS rule)
Configured wrapper activity at Operator ID rule form under security tab.
When the precondition is met (i.e., login failure max count is met), below is the HTML screen presented to user...
Please share your thoughts/comments, Thank you!
psahukaru
P.S.: the steps would still need code refinement.
Cognizant Technology Solutions
IN
Hi Phani,
Please correct me if my understanding is wrong -
Since we are calling ShowDesktop [or its customized version], this code will get called only after successful authentication. Thus even if we are able to check for the count of failure attempts inside this activity, this check will only be executed once the user provides the correct password.
So, my understanding is, if we use this activity to check for failure attempts, that won't execute before the user provides valid credentials. Instead, I would go for a different approach.
Please provide your inputs on whether I am reading it right.
Thanks,
Arka
Cognizant Technology Solutions
IN
Hi,
Is there a way we can enable this feature for one particular Access Group? Also, we need to modify the password construction criteria - any help is appreciated!