(a) Allow the use of ac-07.04_odp.01 that are different from the primary authentication factors after the number of organization-defined consecutive invalid logon attempts have been exceeded; and
(b) Enforce a limit of ac-07.04_odp.02 consecutive invalid logon attempts through use of the alternative factors by a user during a ac-07.04_odp.03.
The use of alternate authentication factors supports the objective of availability and allows a user who has inadvertently been locked out to use additional authentication factors to bypass the lockout.