
MID-046: Authentication Attempts Timeouts and Lockouts

Mitigation Tier: Foundational

Description

Implementing a lockout or delay after a certain number of incorrect guesses increases the time it would take a threat actor to guess a password successfully.

Progressively increasing lockouts are a common implementation pattern. For example, a device may institute a 1-minute lockout after 5 wrong guesses, a 3-minute lockout after 10 wrong guesses, a 30-minute lockout after 20 wrong guesses, and so on. A threat actor therefore accumulates 34 minutes of lockout time (1 + 3 + 30) over the first 20 wrong guesses and must sit through all of it before a 21st guess is possible, while legitimate users who mistype their password once or twice are minimally impacted.

Depending on the environment, a hard lockout can be used instead of, or in addition to, progressive delays. A hard lockout locks the device so that no further authentication attempts can be made once a set number of failed attempts has been reached. Hard lockouts present a risk to the device: it is unusable until the lockout is lifted, so a threat actor who can reach the authentication interface can deliberately trigger a denial-of-service-type effect. The lockout can be lifted through an authenticated administrative process and/or by requiring physical presence at the device (see MID-031 - Physical Presence Validation for more information).
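The following Python example is added here to illustrate both the progressive schedule above and the hard-lockout variant; it is not code from this mitigation page or from any referenced product. The thresholds mirror the page's example, while the class names, the per-account state, the injectable clock, the rule that failures beyond the last threshold re-apply the longest lockout, and the `admin_unlock` helper are assumptions made for the example.

```python
from __future__ import annotations

import time
from dataclasses import dataclass

# Progressive schedule from the page's example: (failure count, lockout seconds).
# These thresholds are illustrative; a real deployment tunes them to its environment.
PROGRESSIVE_SCHEDULE = ((5, 60), (10, 180), (20, 1800))


@dataclass
class AccountState:
    failures: int = 0          # consecutive wrong guesses since the last success
    locked_until: float = 0.0  # clock time at which a timed lockout expires
    hard_locked: bool = False  # set when the hard-lockout threshold is reached


class AuthThrottle:
    """Tracks failed attempts per account and enforces timed or hard lockouts."""

    def __init__(self, schedule=PROGRESSIVE_SCHEDULE, hard_lockout_after=None,
                 clock=time.monotonic):
        self.schedule = schedule
        self.hard_lockout_after = hard_lockout_after  # None disables hard lockout
        self.clock = clock                            # injectable for testing
        self.accounts: dict[str, AccountState] = {}

    def _state(self, user: str) -> AccountState:
        return self.accounts.setdefault(user, AccountState())

    def check_allowed(self, user: str) -> tuple[bool, str]:
        """Call BEFORE verifying the credential; a blocked attempt never reaches the check."""
        s = self._state(user)
        if s.hard_locked:
            return False, "hard-locked: administrative or physical-presence unlock required"
        now = self.clock()
        if now < s.locked_until:
            return False, f"locked for {int(s.locked_until - now)} more seconds"
        return True, "ok"

    def record_failure(self, user: str) -> float:
        """Record a wrong guess; return the lockout (seconds) it triggered, 0 if none."""
        s = self._state(user)
        s.failures += 1
        if self.hard_lockout_after is not None and s.failures >= self.hard_lockout_after:
            s.hard_locked = True
            return float("inf")
        applied = 0
        for threshold, seconds in self.schedule:
            if s.failures == threshold:
                applied = seconds
        last_threshold, last_seconds = self.schedule[-1]
        if s.failures > last_threshold:
            applied = last_seconds  # assumption: keep applying the longest lockout
        if applied:
            s.locked_until = self.clock() + applied
        return applied

    def record_success(self, user: str) -> None:
        """A correct password clears timed state; a hard lock is never self-clearing."""
        s = self._state(user)
        if not s.hard_locked:
            s.failures = 0
            s.locked_until = 0.0

    def admin_unlock(self, user: str) -> None:
        """Stands in for the authenticated admin or physical-presence unlock path."""
        self.accounts[user] = AccountState()


class FakeClock:
    """Deterministic clock so the lockout arithmetic can be checked without sleeping."""

    def __init__(self) -> None:
        self.t = 0.0

    def __call__(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


def lockout_seconds_for_guesses(n_wrong: int, schedule=PROGRESSIVE_SCHEDULE) -> int:
    """Total lockout time an attacker sits through to make n_wrong wrong guesses."""
    clock = FakeClock()
    throttle = AuthThrottle(schedule=schedule, clock=clock)
    waited = 0.0
    for _ in range(n_wrong):
        allowed, _reason = throttle.check_allowed("admin")
        if not allowed:  # attacker waits out the lockout, then guesses again
            wait = throttle.accounts["admin"].locked_until - clock()
            clock.advance(wait)
            waited += wait
        throttle.record_failure("admin")
    return int(waited)


if __name__ == "__main__":
    print("lockout time before the 21st guess (s):", lockout_seconds_for_guesses(21))  # 2040
```

Two design points follow from the page's text. First, `check_allowed` runs before the credential is verified, so attempts made during a lockout are rejected outright and neither advance the counter nor reveal whether the guess was correct. Second, the hard-lockout path is exactly the denial-of-service lever the page warns about: anyone who knows a username and can reach the login interface can trip it, so reserve hard lockouts for environments where the administrative or physical-presence unlock is acceptable. On an embedded device the counter should also live in non-volatile storage, otherwise a power cycle resets it.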

IEC 62443 4-2 Mappings

  • CR 1.11 - Unsuccessful login attempts 

  • CR 2.5 - Session lock 

References