4

Should a user be able to unlock his own account after being locked out?

Typically there are requirements that specify that users are to be automatically locked out:

  1. The user's account should be locked after too many failed password attempts
  2. The user's account should be locked out after 90 days of inactivity.

The question is, once an account has been automatically locked out, should the user be able to unlock their own account (via a password reset mechanism or security questions), or is it more secure to involve a system administrator to unlock the account?

Ken Liu

3 Answers

2

As a security practitioner (CISSP), we always have to fight with/work with/debate with the organization over the balance between confidentiality and availability.

Therefore, in my environment we allow users to unlock their account if they provide sensitive information that a hacker should not know. It just creates another step for hackers and allows legitimate users to get back to work.

If you are looking for the most secure possibility, of course it would require a human to look at logs and manually unlock the account.

It depends on your environment's needs, how many users you have, and how much overhead you can afford to invest in these tasks.

Best of luck, I'm available for additional questions.

Kamic

0

Yes, he should be able to unlock himself, preferably through a separate channel (mail, SMS, whatever).

Otherwise, see "Can a malicious actor lock the real user out by deliberately trying incorrect passwords every X minutes?"

To involve a system administrator might be possible if you have very few users or need military grade security. Otherwise, the overhead is going to be massive and unpleasant.

Tom

0

There is no one "best" solution which would fit every system. But I agree with Kamic - it's a matter of balance.

I'd like to point to one weakness here. If you go the most secure way, you can actually make your system less secure.

"Very secure" system

You are paranoid, so you lock users after 3 wrong password attempts and ask them to come to the office with paper documents, do a DNA analysis, and unlock only after this reliable procedure. Impossible to hack it!

Yes, unlocking is hard and 'expensive', it takes time, but it's a very rare situation, and unlocking 1-2 users a week is not a problem for you or for the users.

Hacking "very secure" system

What if an attacker writes a simple script which does N wrong password tries for every known username, and runs it for a few hours? Your system is successfully DoSed! You have thousands of users, but all of them are locked, so they cannot reach the system, your phone is ringing all the time, users are angry, users are taking losses. This situation alone is terrible and worth avoiding any protection mechanism that can lead to such a failure. You protected confidentiality, but paid for it with availability.

But things can go even worse. Now, in such an extreme situation, you understand you cannot 'manually' unlock all users (invite them to your room, check ID...). And you have to change the rules and unlock them by unverified phone call: "You tell me your name is John Doe? Okay, I'm unlocking your account, your password is 123456, please change it after login." Now you have given the attacker a valid password over a phone call.

In this case it would be much better if each user were locked for just 1 hour after N wrong password attempts. This is enough to stop brute-forcing (it doesn't really matter if password guessing would take 100 years or 100 billion years), and it will not be a problem if the attacker tries to abuse this mechanism.

Right way

For each situation you should consider different attack scenarios and ways to fight them. If the user can easily unlock themselves, and it's fast and free (doesn't cost even a minute of time), then hard locking (no auto-unlock) is fine too.

You should consider the losses for each approach (how much will you lose if an attacker brute-forces the password of 1-2 accounts? how much will you lose if an attacker locks 100% of accounts?), how hard each is for the attacker, and the chances of each kind of attack.

The right way in each situation depends on many things, like the number of users, how secret the usernames are (or whether everyone knows the usernames of all users, like 'cat /etc/passwd' on Unix), how hard it is to get access to the system (is it a public website, or can only 10 employees reach this intranet site?), how anonymous the attacker is, and so on.

(Sorry for bad English.)

yaroslaff
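The time-limited lockout that the answer above argues for, as an added example that is not part of the original thread or any poster's code. It implements two policies side by side: a hard lock that only an administrator can clear, and a lock that expires after a fixed duration so the account unlocks itself. The `locked_users_after_flood` helper measures the availability impact of the scenario the answer describes (N wrong passwords against every known username) under each policy. The parameter names, the 3-attempt / 1-hour values and the sample usernames are constructed for illustration.

```python
"""Time-limited vs. hard account lockout (added example; parameters are constructed)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass
class LockoutPolicy:
    """Lockout parameters. lock_duration=None means a hard lock that only admin_unlock() clears."""
    max_failures: int = 5                                     # N wrong attempts before locking
    failure_window: timedelta = timedelta(minutes=15)         # failures older than this are forgotten
    lock_duration: Optional[timedelta] = timedelta(hours=1)   # None => hard lock, no auto-unlock


@dataclass
class AccountState:
    failures: List[datetime] = field(default_factory=list)   # timestamps of recent failures
    locked_until: Optional[datetime] = None                   # datetime.max marks a hard lock


class LockoutTracker:
    def __init__(self, policy: LockoutPolicy) -> None:
        self.policy = policy
        self.accounts: Dict[str, AccountState] = {}

    def _state(self, user: str) -> AccountState:
        return self.accounts.setdefault(user, AccountState())

    def is_locked(self, user: str, now: datetime) -> bool:
        """True while a lock is in force. An expired timed lock is cleared here (the auto-unlock)."""
        st = self._state(user)
        if st.locked_until is None:
            return False
        if now >= st.locked_until:
            st.locked_until = None
            st.failures.clear()
            return False
        return True

    def record_failure(self, user: str, now: datetime) -> bool:
        """Register a wrong password. Returns True if the account is locked afterwards."""
        if self.is_locked(user, now):
            return True
        st = self._state(user)
        cutoff = now - self.policy.failure_window
        st.failures = [t for t in st.failures if t > cutoff] + [now]   # sliding window of failures
        if len(st.failures) >= self.policy.max_failures:
            if self.policy.lock_duration is None:
                st.locked_until = datetime.max                          # hard lock
            else:
                st.locked_until = now + self.policy.lock_duration       # timed lock
            return True
        return False

    def record_success(self, user: str, now: datetime) -> bool:
        """Register a correct password. Returns False if login must still be refused because of a lock."""
        if self.is_locked(user, now):
            return False
        self._state(user).failures.clear()
        return True

    def admin_unlock(self, user: str) -> None:
        """Manual unlock by an administrator; the only way out of a hard lock."""
        self.accounts[user] = AccountState()


def locked_users_after_flood(policy: LockoutPolicy, usernames: List[str], start: datetime,
                             later_by: timedelta = timedelta(hours=2)) -> Tuple[int, int]:
    """Availability impact of the answer's scenario: every known username gets max_failures wrong
    passwords starting at `start`. Returns (accounts locked right after, accounts locked `later_by` later)."""
    tracker = LockoutTracker(policy)
    for user in usernames:
        for i in range(policy.max_failures):
            tracker.record_failure(user, start + timedelta(seconds=i))
    just_after = start + timedelta(seconds=policy.max_failures)
    locked_now = sum(tracker.is_locked(u, just_after) for u in usernames)
    locked_later = sum(tracker.is_locked(u, start + later_by) for u in usernames)
    return locked_now, locked_later


if __name__ == "__main__":
    # Constructed sample: three accounts, 3-attempt threshold, flood at 09:00.
    users = ["alice", "bob", "carol"]
    t0 = datetime(2020, 1, 1, 9, 0)
    timed = LockoutPolicy(max_failures=3, lock_duration=timedelta(hours=1))
    hard = LockoutPolicy(max_failures=3, lock_duration=None)
    print("timed lock (locked now, locked 2h later):", locked_users_after_flood(timed, users, t0))
    print("hard lock  (locked now, locked 2h later):", locked_users_after_flood(hard, users, t0))
```

With the timed policy every account is locked immediately after the flood but none is still locked two hours later, while the hard-lock policy leaves all of them locked until an administrator steps in; the two counts returned by `locked_users_after_flood` are the number a defender would compare when choosing between the two policies for their own user base.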