Generally, companies employ authentication to control access to protected resources. For example, a company may require its employees to successfully authenticate using one-time use passcodes (OTPs) from authentication tokens before allowing its employees to access the company's virtual private network (VPN), the company's file server, the company's employee database, and so on. If an employee is able to provide a OTP which is valid (i.e., a correct OTP which is current) within a certain number of tries (i.e., without exceeding a lockout limit), authentication is considered successful and the company's authentication server allows the employee to access the protected resources. However, if the OTP is invalid (e.g., incorrect, too old, etc.) or if the employee exceeds the lockout limit (e.g., too many failed authentication attempts within a set window of time), authentication is considered unsuccessful and the authentication server denies access to the company's protected resources.
It should be understood that different companies may perform employee authentication in different ways. For example, Company A may require its employees to authenticate using six-digit OTPs and lockout an employee if the employee fails three authentication attempts within a five minute span. Similarly, Company B may require its employees to authenticate using eight-digit OTPs but lockout an employee if the employee fails five authentication attempts within a 10 minute span.
As another example, Company C may require its employees to authenticate using fingerprint recognition via Identity Provider X (i.e., a trusted third-party which provides an authentication service). However, Company D may require its employees to authenticate using fingerprint recognition via Identity Provider Y rather than Identity Provider X, and so on.