Local user lockdown for 6 Password try fails for 30 minutes

Hello @czhang1970 

Thanks for proposing this enhancement

Could you please elaborate on what would be the business case to have such a lock mechanism added in the product?

Canadian Tire has such password policy for all the systems. e.g. We have VPN credential for each employee. If the error pwd is entered 3 times. We lockdown this account for 30 minutes. This will reduce the workload for helpdesk to unlock the account and protect the password being breached.

We would need the same functions provided by AEM for local accounts. The federated accounts are fine since the authentication will happen in CTC side.

Hello @czhang1970 

Thanks for the information provided

After information taken, having such a process in place could represent some security risk where accounts could be frozen using Denial Of Service

As you are mentioning that Federated accounts are fine, are you using AEM Cloud service?
In which case, the admin user password is generated during the environment creation, and having local users is not recommended, hence this should not be a problem here.

@czhang1970 Do you have more information to be shared? 

Hi @kautuk_sahni 

We still need to have several local accounts --

e.g. ctcadmin besides OOBT "admin" account, impoteraccount for service push data to authoring instance using basic authentication.

In this case, is this lockout feature is required for security enhancement. Is this feature request feasible? If yes, when will we expect it go with new SP?

Thanks

Charlie

Also, the authoring instances are protected by FW and not public facing, so don't expect Denial Of Service 

Hi @czhang1970 

Unfortunately as I mentioned in my previous comment, this request will not be considered by the engineering team due to the security concerns shared