Too many failed attempts to log in to a user account could be a security risk. Administrators can decide when Blackboard Learn locks user accounts to protect them from unauthorized access. In the Administrator Panel, in the Security section, select Account Lock Settings.
The following table describes the available fields. [r] indicates a required field.
FIELD | DESCRIPTION |
---|---|
Enable Account Locking | |
Lock accounts after failed logins | Select the radio button to Enable or Disable account lockout. By default, lockout is enabled. |
Account Lock Settings | |
Maximum Login Attempts [r] | Provide the maximum number of incorrect login attempts a user is allowed before their account is locked. The default maximum is 5. Attempts reset after the Account Lock Period expires. |
Login Period [r] | Provide the number of seconds during which a user can try to log in, up to their Maximum Login Attempts. The default setting is 300 seconds. If a user doesn’t successfully log in during this period, their account is locked. |
Account Lock Period [r] | Provide the number of minutes a user’s account remains locked. The default setting is 360 minutes. If you enter 0, accounts will remain permanently locked unless an administrator manually unlocks them. |
Unlock upon password reset | If Enable is selected, users can reset their passwords to unlock their accounts. If Disable is selected, users can wait for the Account Lock Period to expire or administrators can unlock accounts. |
Active Session Termination | |
Forced Expiry [r] | When enabled, users will automatically be logged out of the system after the maximum number of hours. |
Maximum Session Age | Maximum amount of time a user session can be active. |
Inactive Session Timeout | |
Maximum Inactivity [r] | The maximum amount of time a user session can be inactive before the user is automatically logged out. The value must be between 15 and 480 minutes. |
Mobile App Token Timeout | |
Maximum Token Lifetime [r] | Mobile sessions are controlled via an authentication token. This allows the app to automatically renew a session without re-authentication, as long as the token hasn't expired. Define the maximum length of a mobile app user's session before it is automatically renewed. The default mobile token lifetime is 336 hours (about two weeks). The lifetime can be set to values from 1 to 336 hours. For security certifications, select Use same value as Inactive Session Timeout to expire sessions in the same timeframe, regardless of the type of device users log in from. In this scenario, the following values should be used for the Inactive Session Timeout: FedRAMP Moderate: 30 minutes; IL4: 25 minutes. |
Concurrent Session Control | |
Concurrent Sessions [r] | The number of active sessions a user may have at one time across all authentication types, including mobile apps. Options are 1, 2, 3, or unlimited. |
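
To see how Maximum Login Attempts, Login Period, Account Lock Period and Unlock upon password reset interact, the following Python model is an added example, not Blackboard Learn code. The class and method names are hypothetical, and it assumes that the failure which reaches the maximum inside the Login Period is the one that locks the account.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

@dataclass
class LockPolicy:                 # defaults are the ones stated in the table
    max_attempts: int = 5         # Maximum Login Attempts
    login_period_s: int = 300     # Login Period (seconds)
    lock_period_min: int = 360    # Account Lock Period (minutes); 0 = permanent
    unlock_on_reset: bool = True  # Unlock upon password reset

@dataclass
class Account:
    failures: List[float] = field(default_factory=list)  # failed-login timestamps
    locked_at: Optional[float] = None

class LockoutModel:
    """Hypothetical model; assumes the Nth failure inside the window locks."""
    def __init__(self, policy: LockPolicy):
        self.policy = policy
        self.accounts: Dict[str, Account] = {}

    def _locked(self, acct: Account, now: float) -> bool:
        if acct.locked_at is None:
            return False
        period = self.policy.lock_period_min * 60
        if period and now - acct.locked_at >= period:
            acct.locked_at, acct.failures = None, []  # lock expired, attempts reset
            return False
        return True  # still inside the lock period, or permanent (0)

    def login(self, user: str, password_ok: bool, now: float) -> str:
        acct = self.accounts.setdefault(user, Account())
        if self._locked(acct, now):
            return "locked"  # checked first: a correct password does not bypass it
        if password_ok:
            acct.failures = []
            return "ok"
        window = self.policy.login_period_s
        acct.failures = [t for t in acct.failures if now - t < window] + [now]
        if len(acct.failures) >= self.policy.max_attempts:
            acct.locked_at = now
            return "locked"
        return "failed"

    def password_reset(self, user: str) -> bool:
        acct = self.accounts.setdefault(user, Account())
        if acct.locked_at is not None and not self.policy.unlock_on_reset:
            return False  # stays locked: wait for expiry or an administrator
        acct.locked_at, acct.failures = None, []
        return True

    def admin_unlock(self, user: str) -> None:
        self.accounts[user] = Account()  # manual unlock clears lock and counter
```

In this model, failed attempts spaced further apart than the Login Period never accumulate, so the attempt limit and the Login Period should be chosen together.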