VIP Policy Configuration

You can set VIP to lock out an end user or credential if the end user enters too many invalid security codes or user PINs. If this policy is set to Credential, a credential in the locked state cannot be used to authenticate. If this policy is set to User, an end user in the locked state cannot be authenticated by any registered credential (including user PINs). If User is selected, you must also set the number of invalid authentication attempts before VIP locks the end user. For credentials, VIP uses the Maximum Validation Failure value configured in the Credential Security Settings page for each credential type.

By default, a VIP administrator must manually unlock a user or credential:

To unlock an end user, search for the end user as described in Finding a VIP End User and Associated Account Information, and click the lock icon below the user's name. Note that you can search for the end user by the locked status.

To unlock a credential, search for the credential as described in Finding a Credential, click Edit Details > Edit, and set the new Credential State. Note that you can search for the credential by the locked status.

However, you can also set VIP to automatically unlock the end user or credential after a set time. If auto-unlock is enabled, the end user or credential is automatically unlocked the first time that the end user attempts to authenticate after the specified time elapses.

Note the following considerations:

End users and credentials only become unlocked when the end user attempts to authenticate again after the specified lock period. As a result, end users and credentials appear as locked in VIP Manager searches and reports until the end user attempts to authenticate again, even if the specified lock period has elapsed.

Because the unlock action is not initiated by an administrator, the action is not logged in VIP Manager audit reports.

FIDO credentials do not lock automatically, so they are not impacted by this policy.

Push-enabled credentials that are locked due to too many invalid authentication attempts are included in this policy. However, the behavior of push-enabled credentials that are locked (throttled) due to too many unused push requests is unchanged. In these cases, the credential automatically unlocks after 60 minutes.
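The lazy auto-unlock behavior described in the considerations above, as an added illustrative model (not VIP's own code or API). The class, method and state names are constructed, and the model assumes that the failure counter resets on unlock and that the attempt that triggers the unlock is then evaluated normally.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class UserLockout:
    """Toy model of a user-level lockout with lazy auto-unlock (not VIP code)."""
    threshold: int                           # invalid attempts before the user locks
    auto_unlock_after: Optional[int] = None  # seconds; None = admin unlock only
    failures: int = 0
    locked_at: Optional[int] = None          # time of lock; None = not locked

    def stored_state(self) -> str:
        # What a search or report sees: the stored flag only, never the clock.
        return "LOCKED" if self.locked_at is not None else "ENABLED"

    def lock_period_elapsed(self, now: int) -> bool:
        return (self.locked_at is not None
                and self.auto_unlock_after is not None
                and now - self.locked_at >= self.auto_unlock_after)

    def authenticate(self, code_ok: bool, now: int) -> str:
        if self.locked_at is not None:
            if not self.lock_period_elapsed(now):
                return "REJECTED_LOCKED"
            # Lazy unlock: happens only here, triggered by the end user's attempt,
            # so no administrator action exists to appear in an audit report.
            # Assumption: counter resets and this attempt is evaluated normally.
            self.locked_at, self.failures = None, 0
        if code_ok:
            self.failures = 0
            return "OK"
        self.failures += 1
        if self.failures >= self.threshold:
            self.locked_at = now
        return "INVALID"

def demo() -> list:
    u = UserLockout(threshold=3, auto_unlock_after=600)   # constructed values
    out = [u.authenticate(False, t) for t in (0, 10, 20)]  # third failure locks
    out.append(u.authenticate(True, 300))                  # inside the lock period
    out.append((u.stored_state(), u.lock_period_elapsed(700)))  # stale in reports
    out.append(u.authenticate(True, 700))                  # first attempt after period
    out.append(u.stored_state())
    return out

if __name__ == "__main__":
    print(demo())
```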

To set the end user Lockout Threshold policy:

Select Policies in the navigation bar at the top of the page.

Click the "Account" tab.

Click the Edit link to configure the User and Credential Lockout policy settings.