User lockout for the website is built into Identity Server and is enabled by default. When enabled, users who make 5 sequential failed login attempts will be locked out for a period of 5 minutes. After the five minute period has expired, the user has 5 more attempts to login. If those fail, the user will be locked out for an additional 5 minutes. This cycle repeats indefinitely until a successful login is made.
The Settings to enable/disable or modify the user lockout specifics can be found in the Admin Console > Administration >System >Settings and then search for "lockout":
The following three settings are available:
- Lockout Enabled. Determines if a user can be locked out for failing to log in successfully Default value: Yes
- Max Failed Attempts Before Lockout. Determines how many unsuccessful sign-in attempts are allowed before a user is locked out. Default value: 5
- Lockout Time in Minutes. Determines how many minutes a user will be locked out for. Default value: 5
PA-DSS requires a timeout of 15 minutes or less. So, if the website accepts credit card transactions, this should not be overridden.
Changing the configuration or attempting to override the Admin Console timeout period of 15 minutes is not permitted.