Q. Can EFT show an “Account locked banner” to a user if their authentication failed after multiple invalid login attempts?
A. The short answer is no. EFT is a high-security MFT server often deployed in banking, commercial, and governmental environments with stringent security controls. EFT follows OWASP best practices by always returning a generic failure message, regardless of why the login failed (including a locked account). This helps mitigate the account enumeration techniques used by potential attackers.
To improve the user experience for legitimate users who might have simply mistyped their password, you can increase EFT’s default lockout values (the “N” values) in the Login Security Options dialog box. Choosing a reasonable range greatly reduces the chance that a valid user is temporarily locked out after a few invalid login attempts, while still locking the account after many repeated failed attempts by a malicious user.
- The default lockout period is 30 minutes.
- The default number of invalid (bad password) login attempts is 6.
- The default period to count the invalid login attempts is 5 minutes.
That is, if there are 6 invalid attempts within a 5-minute period, the account is locked out for 30 minutes, or until an administrator unlocks it.
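As an added illustration (not EFT’s own code or any part of the product), the following Python model shows the policy described above: a sliding window of failures using the default 6 attempts / 5 minutes / 30 minutes values, a manual administrator unlock, and the same generic response for an unknown user, a wrong password and a locked account, while the server-side audit log keeps the real reason. Timestamps are passed in as seconds so the behaviour can be exercised without waiting; the usernames and passwords are constructed sample data.

```python
import hmac
from collections import deque
from dataclasses import dataclass, field

GENERIC_FAILURE = "Login failed."  # identical text for every failure reason

@dataclass
class LockoutPolicy:
    max_attempts: int = 6           # EFT default: invalid attempts before lockout
    window_seconds: int = 5 * 60    # EFT default: period in which attempts are counted
    lockout_seconds: int = 30 * 60  # EFT default: how long the account stays locked

@dataclass
class AccountState:
    failures: deque = field(default_factory=deque)  # timestamps of recent failures
    locked_until: float = 0.0

class LoginGuard:
    def __init__(self, users, policy=None):
        self.users = users  # username -> password (constructed sample data)
        self.policy = policy or LockoutPolicy()
        self.state = {}
        self.audit = []     # server-side log keeps the real failure reason

    def unlock(self, user):
        self.state.pop(user, None)  # administrator unlock: clears lock and history

    def login(self, user, password, now):
        st = self.state.setdefault(user, AccountState())
        if now < st.locked_until:
            return self._fail(st, user, "account locked", now)
        if not hmac.compare_digest(self.users.get(user, ""), password):
            reason = "unknown user" if user not in self.users else "bad password"
            return self._fail(st, user, reason, now)
        st.failures.clear()
        self.audit.append((now, user, "success"))
        return True, None

    def _fail(self, st, user, reason, now):
        self.audit.append((now, user, reason))
        if reason != "account locked":
            st.failures.append(now)
            while now - st.failures[0] > self.policy.window_seconds:  # drop stale failures
                st.failures.popleft()
            if len(st.failures) >= self.policy.max_attempts:
                st.locked_until = now + self.policy.lockout_seconds
                st.failures.clear()
                self.audit.append((now, user, "locked"))
        # Unknown user, bad password and locked account all look the same to the client.
        return False, GENERIC_FAILURE
```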