In general, which is supposed to be the more secure solution, lockout penalty or account lock?
As far as I know, most of the software I know of has an account lock function, but I have never seen a “penalty” solution except for Pega. I feel it is kind of an unusual solution because it does not really “lock” the account; it recovers by itself just by waiting a certain amount of time (8 sec => 16 sec => 32 sec => 64 sec…). Is this a more modern solution? Does this have anything to do with brute force attacks? If anyone knows the background of why this solution was introduced in Pega Platform, please explain.
This is not a feature unique to Pega. On iPhones, if you put in the wrong passcode multiple times, it adds penalty time before you can log in with the correct passcode.
As per Pega: “Enable the lockout penalty, set the number of failed login attempts that triggers the penalty to 5, and set the initial penalty to 10. When an automated tool (or a human) tries to log in with a user name and a random password, and fails, the system notes the failure. When the automated tool tries and fails again, the system increments the failure count. If the automated tool tries five times, the system notes that it has reached the penalty threshold and imposes the initial delay of 10 seconds before the login screen becomes available again. When the automated tool tries and fails again, the delay increases to 20 seconds (the initial delay of 10 seconds plus the penalty). When the automated tool tries and fails again, the delay increases to 30 seconds (the initial delay, plus the first penalty and the second penalty), and continues in a similar manner.”
To prevent brute force attacks, Pega suggests that we enforce account lockouts after repeated failed attempts by an operator. Coming back to your question of which is more secure, there is no straightforward answer. It depends on the scenario.
If you implement account lock, you can unlock it automatically after a certain time period without resetting the operator’s password. You can specify the time period for which the account needs to be locked in the Password lockout duration policy. Until the specified time period expires after the lockout, additional attempts are not allowed. After the lockout period expires, users can log in with valid credentials.
Alternatively, you can unlock the account manually, which requires you to reset the password. To activate this method, set the Password lockout duration policy to zero.
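To make the two policies concrete, here is a small model of both mechanisms as described in the answer above: a lockout penalty that imposes a growing delay after a failure threshold (the linear 10 s, 20 s, 30 s schedule from the Pega documentation, with an optional doubling variant matching the 8 s, 16 s, 32 s sequence in the question), and an account lock whose lockout duration either expires automatically or, when set to zero, requires a manual unlock. This is an added illustration, not Pega's own code; the class and function names, the `password_ok` flag standing in for real credential verification, and the injected `now` clock value are all assumptions made for the example.

```python
"""Toy model of two brute-force mitigations: a lockout penalty (growing delay)
and an account lock (fixed duration, or manual unlock when the duration is 0).
All names here are hypothetical; the caller supplies the clock value `now`."""
import math
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class PenaltyPolicy:
    threshold: int = 5           # failed attempts before the first delay
    initial_delay: float = 10.0  # seconds of the first delay
    exponential: bool = False    # False: 10, 20, 30 ...; True: 10, 20, 40 ...


@dataclass
class LockPolicy:
    threshold: int = 5
    lockout_duration: float = 900.0  # seconds; 0 means manual unlock is required


@dataclass
class AccountState:
    failures: int = 0
    not_before: float = 0.0                # penalty: earliest accepted attempt time
    locked_until: Optional[float] = None   # lock: None, a timestamp, or math.inf


class PenaltyGuard:
    """Lockout penalty: attempts during the delay are refused without even
    evaluating the password, so the attacker gains nothing and no hash is computed."""

    def __init__(self, policy: PenaltyPolicy):
        self.policy = policy
        self.accounts: Dict[str, AccountState] = {}

    def attempt(self, user: str, password_ok: bool, now: float) -> str:
        st = self.accounts.setdefault(user, AccountState())
        if now < st.not_before:
            return "DELAYED"
        if password_ok:
            self.accounts[user] = AccountState()   # success clears the counter
            return "OK"
        st.failures += 1
        if st.failures >= self.policy.threshold:
            n = st.failures - self.policy.threshold  # 0 for the first penalty
            if self.policy.exponential:
                delay = self.policy.initial_delay * (2 ** n)
            else:
                delay = self.policy.initial_delay * (n + 1)
            st.not_before = now + delay
        return "FAIL"

    def remaining_delay(self, user: str, now: float) -> float:
        st = self.accounts.get(user)
        return max(0.0, st.not_before - now) if st else 0.0


class LockGuard:
    """Account lock: once the threshold is reached, even a correct password is
    refused until the duration expires or an administrator unlocks the account."""

    def __init__(self, policy: LockPolicy):
        self.policy = policy
        self.accounts: Dict[str, AccountState] = {}

    def attempt(self, user: str, password_ok: bool, now: float) -> str:
        st = self.accounts.setdefault(user, AccountState())
        if st.locked_until is not None:
            if now < st.locked_until:
                return "LOCKED"
            st.locked_until = None   # duration expired: automatic unlock
            st.failures = 0
        if password_ok:
            self.accounts[user] = AccountState()
            return "OK"
        st.failures += 1
        if st.failures >= self.policy.threshold:
            if self.policy.lockout_duration == 0:
                st.locked_until = math.inf   # only manual_unlock() clears this
            else:
                st.locked_until = now + self.policy.lockout_duration
            return "LOCKED"
        return "FAIL"

    def requires_manual_unlock(self, user: str) -> bool:
        st = self.accounts.get(user)
        return st is not None and st.locked_until == math.inf

    def manual_unlock(self, user: str) -> None:
        # Stands in for the administrator unlock, which in Pega is tied to a
        # password reset; here it simply clears the account state.
        self.accounts[user] = AccountState()
```

The difference the example makes visible is in what each guard does with a correct password: `PenaltyGuard` accepts it as soon as the current delay has elapsed, so a legitimate user is slowed down but never shut out, whereas `LockGuard` refuses it for the whole lockout duration. That is the trade-off behind "it depends on the scenario": a hard lock stops guessing outright but lets anyone who knows a user name deny that user service by sending wrong passwords, while a growing penalty throttles guessing to a handful of attempts per minute and degrades gracefully for the real owner.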