


Question

Should a user be able to unlock his own account after being locked out?

Typically there are requirements that specify that users are to be automatically locked out:

1. The user's account should be locked after too many failed password attempts.
2. The user's account should be locked out after 90 days of inactivity.

The question is, once an account has been automatically locked out, should the user be able to unlock their own account (via a password reset mechanism or security questions), or is it more secure to involve a system administrator to unlock the account?

Explanation / Answer

As a security practitioner (CISSP), we always have to fight with/work with/debate with the organization over the balance between confidentiality and availability.

Therefore, in my environment we allow users to unlock their account if they provide sensitive information that a hacker should not know. It just creates another step for hackers while allowing legitimate users to get back to work.

If you are looking for the most secure possibility, of course it would require a human to look at logs and manually unlock the account.

It depends on your environment's needs, how many users you have, and how much overhead you can afford to invest in these tasks.

Best of luck, I'm available for additional questions.
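A minimal model of the two automatic lockouts from the question and the self-service unlock the answer describes, written here as an added example that is not part of the original post. The hashing helper, the 5/3 thresholds and the policy that only failed-attempt locks may be cleared by the user (inactivity locks fall to the administrator) are assumptions of this example.

```python
import hashlib, hmac
from dataclasses import dataclass, field
from datetime import datetime, timedelta

MAX_FAILED_LOGINS = 5                  # requirement 1 from the question
INACTIVITY_LIMIT = timedelta(days=90)  # requirement 2 from the question
MAX_FAILED_UNLOCKS = 3                 # assumption: cap on self-service unlock guesses
SELF_UNLOCKABLE = {"failed_attempts"}  # policy knob: which automatic locks a user may clear alone
def secret_hash(secret: str) -> bytes: # demo hashing only, not a password KDF
    return hashlib.sha256(secret.encode()).digest()

@dataclass
class Account:
    pw_hash: bytes
    answer_hash: bytes                 # secret a legitimate user knows and an attacker should not
    last_activity: datetime
    failed_logins: int = 0
    failed_unlocks: int = 0
    locked: str = ""                   # "", "failed_attempts", "inactivity" or "admin_only"
    audit: list = field(default_factory=list)

def _lock(acct: Account, reason: str, now: datetime) -> None:
    acct.locked = reason
    acct.audit.append((now, "lock", reason))

def login(acct: Account, password: str, now: datetime) -> bool:
    if not acct.locked and now - acct.last_activity > INACTIVITY_LIMIT:
        _lock(acct, "inactivity", now)         # inactivity is evaluated at the next login
    if acct.locked:
        acct.audit.append((now, "login_denied", acct.locked))
        return False
    if hmac.compare_digest(secret_hash(password), acct.pw_hash):
        acct.failed_logins, acct.last_activity = 0, now
        return True
    acct.failed_logins += 1
    if acct.failed_logins >= MAX_FAILED_LOGINS:
        _lock(acct, "failed_attempts", now)
    return False

def self_unlock(acct: Account, answer: str, now: datetime) -> bool:
    if acct.locked not in SELF_UNLOCKABLE:     # unlocked, inactivity or admin_only: not a user matter
        return False
    if not hmac.compare_digest(secret_hash(answer), acct.answer_hash):
        acct.failed_unlocks += 1
        if acct.failed_unlocks >= MAX_FAILED_UNLOCKS:
            _lock(acct, "admin_only", now)     # the secret must not become a second guessing surface
        return False
    acct.locked, acct.failed_logins, acct.failed_unlocks = "", 0, 0
    acct.audit.append((now, "unlock", "self_service"))
    return True
```

The administrator path the answer contrasts with is the manual counterpart: someone reviews acct.audit, which records every lock, denied login and unlock, and then clears acct.locked.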
