How should a system unlock an account?


Yeah, funny title anyway. After a user account in a system is locked out due to failed password attempts or failed password-answer attempts, how should the unlock process start? Which of the 3 below would you bank on, and why? Currently following 1, and users hate the system sometimes :(

  1. Users have to request a password reset as the only way out.
  2. Users can request an email with an unlock-account link, after successfully logging in with their old password (but primarily they landed here because they were unable to log in, doh).
  3. I will leave this option for you to suggest.

The above might be the dumbest options I've got according to experts, but I am here to learn. So show me the right path. Thanks, SO.

3 answers

Answer (score 2, accepted)

This is really going to depend on the system.

Forcing a password reset, though, isn't a good idea. Think of a situation with a malicious user: I can simply try to log in to your account, lock you out, and then you have to reset to get in.

The most common scenario that I see is something like the way that ASP.NET handles it by default. You get X attempts to log in, and then your account is locked for Y period of time.

So give them 10 tries, then lock the account for 10, 20, 30 minutes and let them back in.

Answer (score 1)

Similar to number 2, you allow the user to request an email to unlock the account, but don't require a password. You are relying on them knowing the password to their email address for security, instead of relying on them knowing the password to their account (which, as you state, is often not known).
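The unlock-by-email flow this answer describes, as an added example that is not code from the answer or from the asker's system. It assumes in-memory stand-ins for the account and token tables, an assumed endpoint `https://app.example.com/unlock`, and timestamps passed in as epoch seconds so the expiry logic can be exercised without waiting. The security-relevant points are that the token is unguessable, only its hash is stored, it expires, and it works exactly once; possession of the mailbox is the only thing being checked.

```python
import hashlib
import secrets
import time
import urllib.parse
from typing import Dict, Optional

# Constructed in-memory stand-ins for the account and token tables; a real
# system would persist these. The username, address and domain are assumptions.
ACCOUNTS: Dict[str, dict] = {
    "alice": {"email": "alice@example.com", "locked": True, "failures": 12},
}
UNLOCK_TOKENS: Dict[str, dict] = {}   # sha256(token) -> {"user", "expires", "used"}

TOKEN_TTL_SECONDS = 15 * 60           # short lifetime bounds the window for a leaked link
UNLOCK_URL = "https://app.example.com/unlock"   # assumed endpoint


def _token_key(token: str) -> str:
    # Store only a hash so a database dump does not hand out live unlock links.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def request_unlock_link(username: str, now: Optional[float] = None) -> Optional[str]:
    """Issue a single-use unlock token for a locked account.

    Returns the URL to e-mail to the account's address, or None if no link
    should be sent. The HTTP layer must answer identically in both cases so
    the endpoint cannot be used to enumerate usernames or lock status.
    """
    now = time.time() if now is None else now
    account = ACCOUNTS.get(username)
    if account is None or not account["locked"]:
        return None
    token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG; unguessable
    UNLOCK_TOKENS[_token_key(token)] = {
        "user": username,
        "expires": now + TOKEN_TTL_SECONDS,
        "used": False,
    }
    return f"{UNLOCK_URL}?token={token}"


def token_from_url(url: str) -> str:
    """Extract the token query parameter from an unlock URL (what the handler receives)."""
    return urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)["token"][0]


def consume_unlock_token(token: str, now: Optional[float] = None) -> bool:
    """Unlock the account if the token is known, unexpired and unused; no password asked."""
    now = time.time() if now is None else now
    key = _token_key(token)
    record = UNLOCK_TOKENS.get(key)
    if record is None:
        return False
    if now > record["expires"]:
        UNLOCK_TOKENS.pop(key)          # expired: discard so it cannot be replayed later
        return False
    if record["used"]:
        return False
    record["used"] = True               # single use: a second click on the same link fails
    account = ACCOUNTS[record["user"]]
    account["locked"] = False
    account["failures"] = 0             # start the failed-attempt counter over as well
    return True


if __name__ == "__main__":
    link = request_unlock_link("alice", now=1000.0)
    print("mail to", ACCOUNTS["alice"]["email"], ":", link)
    print("unlocked:", consume_unlock_token(token_from_url(link), now=1001.0))
    print("replay:", consume_unlock_token(token_from_url(link), now=1002.0))
```

In practice the token travels in a URL, so it ends up in mail logs, browser history and possibly Referer headers; the short expiry and single-use flag are what keep that from mattering much. Rate-limit the request endpoint as well, since every request sends a mail to the account owner.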

Answer (score 0)

I think it depends on the business case.

Is it a business application only accessible via intranet, or maybe also via internet with HTTPS? In that case I would prefer a timeout until your users can log in again. I think a log entry and/or a message for the admin wouldn't be the worst idea.

Or is it a consumer application accessible via internet where the user is unknown? In that case I would prefer the email.
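The accepted answer's scheme (X attempts, then a lock of Y that grows 10, 20, 30 minutes across successive locks) together with the log entry for the admin suggested in the last answer, as an added example that is not code from any of the answers or from ASP.NET. It assumes an in-memory state table, a caller-supplied password verifier (hypothetical; real code compares against a stored password hash), and epoch-second timestamps passed in so the timing can be exercised without waiting.

```python
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

MAX_ATTEMPTS = 10                                     # X: failures allowed before a lock
LOCKOUT_STEPS_SECONDS = (10 * 60, 20 * 60, 30 * 60)   # Y: grows on each successive lock


@dataclass
class LoginState:
    failures: int = 0           # consecutive failures since the last lock or success
    lockouts: int = 0           # successive locks; picks the step in LOCKOUT_STEPS_SECONDS
    locked_until: float = 0.0   # epoch seconds; in the past (or 0) means not locked


@dataclass
class AuditLog:
    """Log entries an admin can review or be alerted on (constructed, in-memory)."""
    events: List[dict] = field(default_factory=list)

    def record(self, **event) -> None:
        self.events.append(event)

    def of_type(self, event_type: str) -> List[dict]:
        return [e for e in self.events if e["event"] == event_type]


class LockoutPolicy:
    def __init__(self, password_ok: Callable[[str, str], bool], log: AuditLog) -> None:
        self._password_ok = password_ok   # hypothetical verifier standing in for a hash check
        self.log = log
        self.states: Dict[str, LoginState] = {}

    def seconds_until_unlock(self, username: str, now: float) -> float:
        state = self.states.get(username)
        return 0.0 if state is None else max(0.0, state.locked_until - now)

    def is_locked(self, username: str, now: float) -> bool:
        return self.seconds_until_unlock(username, now) > 0

    def attempt_login(self, username: str, password: str, now: Optional[float] = None) -> str:
        """Returns "ok", "bad_password" or "locked"."""
        now = time.time() if now is None else now
        state = self.states.setdefault(username, LoginState())

        # While locked nothing is accepted, not even the right password. Because the
        # lock expires on its own, an attacker who triggers it denies access for Y,
        # not until the victim completes a password reset.
        if self.is_locked(username, now):
            self.log.record(event="login_rejected_locked", user=username, at=now)
            return "locked"

        if self._password_ok(username, password):
            state.failures = 0
            state.lockouts = 0        # a genuine login ends the escalation
            return "ok"

        state.failures += 1
        self.log.record(event="login_failed", user=username, at=now, failures=state.failures)
        if state.failures < MAX_ATTEMPTS:
            return "bad_password"

        step = min(state.lockouts, len(LOCKOUT_STEPS_SECONDS) - 1)
        duration = LOCKOUT_STEPS_SECONDS[step]
        state.locked_until = now + duration
        state.lockouts += 1
        state.failures = 0            # the next window starts fresh when the lock expires
        self.log.record(event="account_locked", user=username, at=now,
                        for_seconds=duration, lockout_number=state.lockouts)
        return "locked"


if __name__ == "__main__":
    log = AuditLog()
    policy = LockoutPolicy(lambda user, pw: user == "bob" and pw == "hunter2", log)
    for _ in range(MAX_ATTEMPTS):
        result = policy.attempt_login("bob", "guess", now=0.0)
    print(result, "for", policy.seconds_until_unlock("bob", now=0.0), "seconds")
    print(log.of_type("account_locked"))
```

The `account_locked` and `login_rejected_locked` entries are the ones worth forwarding to an admin; a burst of `login_failed` entries across many usernames from one source is the pattern that points at a guessing attack rather than a forgetful user.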