CyberStore Documentation
Account Lockout for Repeated Login Failures

Prevent Username Enumeration through Reset Password Function Messaging (#12600)

When a shopper has forgotten their password, they may use the Forgot Password feature to request a verification code that will then allow them to securely create a new password. For improved account security, the system message displayed after submitting the email address of the shopper's account has been changed to a generic wording that does not reveal whether an account with that email address actually exists.

The new message will read as follows, "If the username exists, a message with further instructions has been sent to its associated email address."


Database and Object Architecture Updates for Account Login Failures (#12634)

Business Logic and Process Changes to Login for Account Login Failures (#12635)

Front end accounts can now be set to be locked for 15 minutes after 3 unsuccessful login attempts. Both the length of the lockout and the number of login attempts allowed before the account is locked can be changed in the Site Manager settings. What these settings look like and where to change them are shown below.

CONSOLE: Site Manager and Account Maintenance Updates for Account Login Failures (#12636)

Updated Site manager>Catalog Configuration page:

Updated Customers>Account Maintenance page:

CONSOLE: User Manager Updates for Console User Account Lockout (#13367)

The Tools > User and Group Administration > User Administration screen has been modified to allow a console user to review the lock status of a fellow console user as well as manage that status and the lockout period.

Business Logic Changes to Handle Lockout of Console Users (#13382)


The Management Console's authentication engine has been updated to include functionality that will lock a user's account after repeated invalid consecutive logins.

Should a user's password be entered incorrectly 3 times in a row, the user will be locked out and unable to log in for a 15 minute period. After the lockout period has expired, a successful login will allow the user console access. Additionally, after the lockout period, the counter for invalid logins starts over, and only after three more consecutive incorrect passwords will the user be locked out again.

Console users with access to user management can both lock and unlock user accounts by editing their user settings. Additionally, the console screen allows any desired lockout period to be set by specifying a lockout time.
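The lockout behaviour described for both front end and console accounts (lock after a configurable number of consecutive failures, reject even a correct password while locked, restart the counter once the lockout expires, and let an administrator lock or unlock with an arbitrary period) is illustrated below as an added Python example. It is not CyberStore's own code; the class and method names (`LockoutPolicy`, `LoginGuard`, `attempt_login`, `admin_lock`, `admin_unlock`), the in-memory credential store and the `FakeClock` used to simulate the passage of time are all assumptions made for the illustration.

```python
import hmac
import time
from dataclasses import dataclass


@dataclass
class LockoutPolicy:
    """Site-level settings; defaults mirror the 3 attempts / 15 minutes described above."""
    max_attempts: int = 3
    lockout_seconds: int = 15 * 60


@dataclass
class AccountState:
    failed_attempts: int = 0   # consecutive failures since the last success or lockout expiry
    locked_until: float = 0.0  # epoch seconds; 0.0 means not locked


class LoginGuard:
    """Tracks consecutive login failures per username and enforces a temporary lockout."""

    def __init__(self, policy, credentials, clock=time.time):
        self.policy = policy
        # Constructed demo store mapping username -> password; a real system stores a salted hash.
        self._credentials = credentials
        # Injectable clock so lockout expiry can be exercised without sleeping.
        self._clock = clock
        self._states = {}

    def _state(self, username):
        return self._states.setdefault(username, AccountState())

    def is_locked(self, username):
        state = self._states.get(username)
        return state is not None and state.locked_until > self._clock()

    def seconds_until_unlock(self, username):
        state = self._states.get(username)
        if state is None:
            return 0
        return max(0, int(state.locked_until - self._clock()))

    def attempt_login(self, username, password):
        """Returns "ok", "bad_password" or "locked"."""
        now = self._clock()
        state = self._state(username)

        if state.locked_until > now:
            # Still locked: reject without touching the counter, even if the password is right.
            return "locked"
        if state.locked_until:
            # The lockout period has elapsed, so the failure counter starts over.
            state.failed_attempts = 0
            state.locked_until = 0.0

        # Unknown usernames take the same failure path as wrong passwords, and the comparison
        # always runs, so the response does not reveal whether the account exists.
        known = username in self._credentials
        expected = self._credentials.get(username, "")
        match = hmac.compare_digest(expected.encode(), password.encode())
        if known and match:
            state.failed_attempts = 0
            return "ok"

        state.failed_attempts += 1
        if state.failed_attempts >= self.policy.max_attempts:
            state.locked_until = now + self.policy.lockout_seconds
            return "locked"
        return "bad_password"

    # Administrative controls matching the console's lock/unlock and lockout-period fields.
    def admin_lock(self, username, seconds=None):
        period = self.policy.lockout_seconds if seconds is None else seconds
        self._state(username).locked_until = self._clock() + period

    def admin_unlock(self, username):
        # Clears both the lock and the failure counter.
        self._states.pop(username, None)


class FakeClock:
    """Constructed test clock so lockout expiry can be simulated deterministically."""

    def __init__(self, start=0.0):
        self.t = start

    def now(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def demo():
    clock = FakeClock(1_000.0)
    guard = LoginGuard(LockoutPolicy(), {"alice": "correct horse"}, clock=clock.now)
    results = [guard.attempt_login("alice", "wrong") for _ in range(3)]  # third failure locks
    results.append(guard.attempt_login("alice", "correct horse"))        # rejected while locked
    clock.advance(15 * 60 + 1)                                           # lockout expires
    results.append(guard.attempt_login("alice", "wrong"))                # counter restarted at 1
    results.append(guard.attempt_login("alice", "correct horse"))        # succeeds, counter reset
    return results


if __name__ == "__main__":
    print(demo())
```

The counter is only reset on a successful login or once a lockout has expired; a correct password submitted during the lockout is rejected without changing the state, which is what keeps the lockout from being probed to completion. The per-username state dictionary grows with every name tried, so a production implementation would bound or expire it.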

See Also

Version 2.19 Maintenance Releases

User & Group Administration