Hybrid Client does not enforce auth lockout rules offline
Under Designer Studio > Org & Security > Authentication > Security Policies, a user can define a lockout penalty mechanism that affects desktop clients.
The intent is that the same policies are enforced in the hybrid client while it is offline. This prevents a user from placing the device in airplane mode and then attempting to guess the password repeatedly while offline.
One of the settings provides for a delay between authentication attempts after a certain number of failed logins.
That setting does not appear to be working.
Steps to Reproduce
1. Set the lockout penalty mechanism to Enabled, the number of failed attempts to five, and the lockout penalty to 30 seconds.
2. Build and install an offline-enabled iOS application.
3. Place the device in airplane mode and attempt to log in with a bad password more than five times.
4. Observe that the user is not subject to a delay in between subsequent login attempts.
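As an added example, not the article's or Pega's own code, the following models the rule the hybrid client is expected to enforce offline: after five failed attempts, every further attempt within 30 seconds of the last failure is refused. The policy object, the in-memory store standing in for the client's persistent storage, and the password check are constructed for illustration.

```javascript
// Illustrative model of the offline lockout-penalty rule described in the
// article (five failed attempts, then a 30 s delay). Not Pega's client code.
const policy = { enabled: true, maxFailedAttempts: 5, penaltySeconds: 30 };

// Stand-in for persistent storage: the counter and timestamp must survive an
// app restart, otherwise the penalty is skipped simply by relaunching the app.
const store = { failedAttempts: 0, lastFailureMs: 0 };

// Constructed offline credential check; a real client verifies against cached
// credential material rather than a plaintext constant.
function verifyOffline(password) {
  return password === 'correct-horse';
}

// Decide whether a login attempt may proceed at time nowMs (milliseconds).
function attemptLogin(password, nowMs) {
  if (policy.enabled && store.failedAttempts >= policy.maxFailedAttempts) {
    const waitMs = policy.penaltySeconds * 1000 - (nowMs - store.lastFailureMs);
    if (waitMs > 0) {
      // Still inside the penalty window: refuse without checking the password.
      return { ok: false, locked: true, retryAfterSeconds: Math.ceil(waitMs / 1000) };
    }
  }
  if (verifyOffline(password)) {
    store.failedAttempts = 0;           // success clears the penalty state
    return { ok: true, locked: false, retryAfterSeconds: 0 };
  }
  store.failedAttempts += 1;
  store.lastFailureMs = nowMs;          // window restarts on every new failure
  return { ok: false, locked: false, retryAfterSeconds: 0 };
}

// Replays the article's reproduction steps against the model from a clean store.
function simulateRepro() {
  store.failedAttempts = 0;
  store.lastFailureMs = 0;
  let t = 1000000;
  for (let i = 0; i < 5; i++) attemptLogin('wrong', (t += 1000)); // five bad logins
  const sixth = attemptLogin('wrong', t + 1000);   // 1 s later: must be refused
  const later = attemptLogin('wrong', t + 31000);  // 31 s later: evaluated again
  return { sixth, later, failedAfter: store.failedAttempts };
}

console.log(JSON.stringify(simulateRepro()));
```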
The root cause is a defect in Pegasystems' code or rules.
To resolve the issue, update to Pega 7.3.1.