AC-07 Unsuccessful Logon Attempts
a. Enforce a limit of ac-07_odp.01 consecutive invalid logon attempts by a user during a ac-07_odp.02; and
b. Automatically ac-07_odp.03 when the maximum number of unsuccessful attempts is exceeded.
Parameter ID | Definition |
---|---|
ac-07_odp.01 | number |
ac-07_odp.02 | time period |
ac-07_odp.03 | Selection (one-or-more): |
ac-07_odp.04 | time period |
ac-07_odp.05 | delay algorithm |
ac-07_odp.06 | action |
Baselines
- L
- M
- H
- P
Guidance
The need to limit unsuccessful logon attempts and take subsequent action when the maximum number of attempts is exceeded applies regardless of whether the logon occurs via a local or network connection. Due to the potential for denial of service, automatic lockouts initiated by systems are usually temporary and automatically release after a predetermined, organization-defined time period. If a delay algorithm is selected, organizations may employ different algorithms for different components of the system based on the capabilities of those components. Responses to unsuccessful logon attempts may be implemented at the operating system and the application levels. Organization-defined actions that may be taken when the number of allowed consecutive invalid logon attempts is exceeded include prompting the user to answer a secret question in addition to the username and password, invoking a lockdown mode with limited user capabilities (instead of full lockout), allowing users to only logon from specified Internet Protocol (IP) addresses, requiring a CAPTCHA to prevent automated attacks, or applying user profiles such as location, time of day, IP address, device, or Media Access Control (MAC) address. If automatic system lockout or execution of a delay algorithm is not implemented in support of the availability objective, organizations consider a combination of other actions to help prevent brute force attacks. In addition to the above, organizations can prompt users to respond to a secret question before the number of allowed unsuccessful logon attempts is exceeded. Automatically unlocking an account after a specified period of time is generally not permitted. However, exceptions may be required based on operational mission or need.
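The lockout and delay-algorithm responses described above, as an added example that is not part of the NIST control text or a reference implementation. The parameter names mapping onto the ODPs (max_attempts, window_s, lock_s, base_delay_s), the choice of exponential back-off as the delay algorithm, and the audit event names are assumptions.

```python
from dataclasses import dataclass, field

# Added example: consecutive-failure tracking with temporary lock and delay (not NIST code).
@dataclass
class LogonPolicy:
    max_attempts: int = 5      # ac-07_odp.01: consecutive invalid attempts allowed
    window_s: float = 900.0    # ac-07_odp.02: period in which attempts count as consecutive
    lock_s: float = 1800.0     # ac-07_odp.04: temporary lock, released automatically
    base_delay_s: float = 1.0  # ac-07_odp.05: exponential back-off base before next prompt

@dataclass
class AccountState:
    failures: list = field(default_factory=list)  # timestamps of recent failures
    locked_until: float = 0.0
    audit: list = field(default_factory=list)     # events for AU-2 logging / AU-6 review

class LogonGuard:
    def __init__(self, policy: LogonPolicy):
        self.policy = policy
        self.accounts: dict = {}

    def _prune(self, st: AccountState, now: float) -> None:
        # Failures older than the window no longer count as consecutive.
        st.failures = [t for t in st.failures if now - t <= self.policy.window_s]

    def check(self, user: str, now: float) -> tuple:
        # Called before credentials are verified. Returns (allowed, delay_seconds).
        st = self.accounts.setdefault(user, AccountState())
        if now < st.locked_until:
            return False, st.locked_until - now
        self._prune(st, now)
        n = len(st.failures)
        delay = 0.0 if n == 0 else self.policy.base_delay_s * 2 ** (n - 1)
        return True, delay

    def record(self, user: str, success: bool, now: float) -> None:
        # Called with the outcome of the credential check.
        st = self.accounts.setdefault(user, AccountState())
        if success:
            st.failures.clear()  # a valid logon resets the consecutive count
            return
        self._prune(st, now)
        st.failures.append(now)
        st.audit.append(("LOGON_FAILURE", user, now))
        if len(st.failures) >= self.policy.max_attempts:
            st.locked_until = now + self.policy.lock_s
            st.failures.clear()
            st.audit.append(("ACCOUNT_LOCKED", user, now))
```

Where an organization does not permit automatic release, lock_s can be set so that only an administrative unlock (clearing locked_until) restores access, with the audit list feeding the AU-6 review.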
References
- SP 800-63-3 Grassi PA, Garcia ME, Fenton JL (2017) Digital Identity Guidelines. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-63-3, Includes updates as of March 2, 2020.
- SP 800-124 Souppaya MP, Scarfone KA (2013) Guidelines for Managing the Security of Mobile Devices in the Enterprise. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-124, Rev. 1.
Control Enhancements
- AC-07(01) Automatic Account Lock
- AC-07(02) Purge or Wipe Mobile Device
- AC-07(03) Biometric Attempt Limiting
- AC-07(04) Use of Alternate Authentication Factor
Related controls
- AC-02 Account Management
- AC-09 Previous Logon Notification
- AU-02 Event Logging
- AU-06 Audit Record Review, Analysis, and Reporting
- IA-05 Authenticator Management