Recording login attempts

Login attempts are recorded by the username entered. This means that the username "mickey.mouse" can be locked. This is by design so that a malicious user cannot determine a valid username by interpreting the response from the server.

Should the username being entered match a valid user, then the login attempt is associated to the application user record. The date, time, and IP address of the person attempting to log in is also recorded.

Blocking and locking and unlocking

After 3 unsuccessful login attempts, the account is blocked from trying to log in for 10 minutes. After 6 unsuccessful login attempts, the account is blocked for 30 minutes. After 10 login attempts, the account is locked and must be unlocked by the user or by an administrator. Login attempts persist across all applications.

If a user successfully logs in, their login attempt counter is reset.

A user can unlock their own account using the "unlock account" process available in Homeroom, Admin, and V2 applications. This process will send an email to users with a link that will unlock their account.

Once the users account is unlocked, the process above restarts. A user is allowed to unlock their account as many times as needed.

A password reset will also unlock the users account.

Note: Alternate authentication districts will not have this feature

updated: 5/3/17 brit