Unlocking user accounts
The accounts of administration interface users can be locked for one of the following reasons:
- The user’s password expires.
- The user reaches the limit of invalid sign-in attempts.
The following text describes how you can provide users with means to unlock their accounts.
Password expired
When an account is locked due to password expiration, the system asks the user to change their password in order to unlock the account. You can find more information in Password expiration.
Alternatively, administrators can extend the password’s validity.
Invalid sign-in attempts exceeded
When an account is locked due to an exceeded number of invalid sign-in attempts, administrators can reset the invalid sign-in attempt counter manually:
- Open the Users application.
- Edit the given user.
- Click Reset next to the Invalid sign-in attempts field.
To allow users to unlock their own accounts, you need to use unlock emails. You can configure the following options in Settings -> Security & Membership -> Protection:
- Automatic email notification when the sign-in attempt limit is exceeded – enable the Send unlock account email setting.
- Messages that inform about locked accounts during sign-in and allow users to request an unlock email – enable the Display account lock information message setting.
Note: Displaying account lock information on sign-in is not recommended, because it can inform potential attackers that a user account with a given username exists and is locked.
The content of the emails is based on the Membership - User account locked email template. The template must contain a link to an account unlock page – to generate a valid URL of the unlock page for the email’s recipient, use the {% UnlockAccountUrl %} macro.
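The note above about displaying account lock information can be checked with a small model. The following Python sketch is an added example, not code from the product: it models a sign-in handler with an invalid-attempt limit and compares the response for a locked account with the response for a username that does not exist. All class, function and message names are hypothetical, and the sample account is constructed.

```python
import hmac
from dataclasses import dataclass

GENERIC_FAILURE = "Sign-in failed."
LOCKED_NOTICE = "Your account is locked. Request an unlock email."  # constructed text

@dataclass
class Account:
    password: str  # plaintext only to keep the model short
    invalid_attempts: int = 0

class SignInModel:
    def __init__(self, accounts, attempt_limit, display_lock_info):
        self.accounts = accounts
        self.attempt_limit = attempt_limit
        # Stands in for the "Display account lock information message" setting.
        self.display_lock_info = display_lock_info

    def attempt(self, username, password):
        account = self.accounts.get(username)
        if account is None:
            return GENERIC_FAILURE
        if account.invalid_attempts >= self.attempt_limit:
            # The only branch whose response depends on the setting.
            return LOCKED_NOTICE if self.display_lock_info else GENERIC_FAILURE
        if hmac.compare_digest(password.encode(), account.password.encode()):
            account.invalid_attempts = 0
            return "OK"
        account.invalid_attempts += 1
        return GENERIC_FAILURE

    def reset_attempts(self, username):
        # Models the administrator's Reset action or a followed unlock link.
        self.accounts[username].invalid_attempts = 0

def responses_after_lockout(display_lock_info, attempt_limit=3):
    """Return (model, response for a locked account, response for an unknown name)."""
    model = SignInModel({"alice": Account("s3cret-example")}, attempt_limit, display_lock_info)
    for _ in range(attempt_limit):
        model.attempt("alice", "wrong")
    return model, model.attempt("alice", "wrong"), model.attempt("nobody", "wrong")

def leaks_account_existence(display_lock_info):
    _, locked, unknown = responses_after_lockout(display_lock_info)
    return locked != unknown

if __name__ == "__main__":
    for setting in (True, False):
        print(f"display_lock_info={setting}: leak={leaks_account_existence(setting)}")
```

With the message disabled, a locked account and an unknown username produce the same response, so the sign-in page confirms neither; the account owner still learns about the lock through the unlock email.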