The present disclosure relates generally to authentication systems. More specifically, the present disclosure relates to an adaptive strike count policy based on risk determination.
Typical authentication systems face a significant challenge from attacks such as dictionary attacks, brute-force attacks, and password-guessing attacks, in which an intruder, e.g., a computer hacker, attempts to guess somebody else's password. To mitigate such attacks, authentication systems implement a policy that places a limit on the number of unsuccessful authentication attempts, beyond which the account is locked and remains unusable until it is reactivated. This is known as a Strike Count Policy.
Once an account is locked, reactivation of the account occurs either automatically after a certain period of time (e.g., 24 hours), or after completion of additional authentication. Regardless of the reactivation method employed, the conventional Strike Count Policy causes an inconvenience to the user of the account.
Moreover, such a policy would easily enable a computer hacker to launch a Denial of Service (DoS) attack on the account. Merely by purposefully entering the threshold number of incorrect passwords, a computer hacker can prevent access to the account by its rightful owner, especially in the case where reactivation is based on an elapsed period of time.
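The following added example, which is not part of the disclosure and does not reproduce its specific method, models the conventional Strike Count Policy described above (a single counter per account, lockout after a fixed number of failures, automatic reactivation after a fixed period) and a risk-adaptive variant in which the strike counter and lockout are kept per risk class. The risk determination used here (whether the device has previously authenticated successfully), the strike limits, the 24-hour reactivation period and the account data are all assumptions chosen for illustration. The `simulate_dos` function shows the lockout DoS described above against the conventional policy, and shows that the adaptive variant lets the rightful owner in from a trusted device while the untrusted class stays locked.

```python
"""Toy model of a Strike Count Policy and a risk-adaptive variant.

Added illustration, not the disclosure's method. Risk classes, limits and the
lockout duration are assumptions. Passwords are compared in plaintext only to
keep the model short; a real system would compare against salted hashes.
"""
from dataclasses import dataclass, field

DAY = 24 * 3600  # assumed automatic reactivation period, in seconds


@dataclass
class Account:
    name: str
    password: str
    known_devices: set = field(default_factory=set)   # devices that logged in before
    strikes: dict = field(default_factory=dict)       # risk class -> failure count
    locked_until: dict = field(default_factory=dict)  # risk class -> unlock time


class StrikeCountPolicy:
    """Conventional policy: one counter per account, lock after max_strikes
    failures, reactivate automatically after lockout_seconds."""

    def __init__(self, max_strikes=3, lockout_seconds=DAY):
        self.max_strikes = max_strikes
        self.lockout_seconds = lockout_seconds

    def risk_class(self, account, device_id):
        return "all"  # every attempt, whatever its source, shares one counter

    def limit(self, risk_class):
        return self.max_strikes

    def authenticate(self, account, password, device_id, now):
        """Return 'ok', 'fail' or 'locked' for one attempt made at time `now`."""
        cls = self.risk_class(account, device_id)
        if now < account.locked_until.get(cls, 0.0):
            return "locked"
        if password == account.password:
            account.strikes[cls] = 0
            account.known_devices.add(device_id)  # only the adaptive policy uses this
            return "ok"
        account.strikes[cls] = account.strikes.get(cls, 0) + 1
        if account.strikes[cls] >= self.limit(cls):
            account.locked_until[cls] = now + self.lockout_seconds
            account.strikes[cls] = 0
            return "locked"
        return "fail"


class AdaptiveStrikeCountPolicy(StrikeCountPolicy):
    """Assumed adaptive variant: the risk determination is simply whether the
    device has authenticated successfully before. Each risk class keeps its own
    counter and lockout, and the untrusted class has the tighter limit."""

    def __init__(self, trusted_strikes=10, untrusted_strikes=3, lockout_seconds=DAY):
        super().__init__(untrusted_strikes, lockout_seconds)
        self.trusted_strikes = trusted_strikes

    def risk_class(self, account, device_id):
        return "trusted" if device_id in account.known_devices else "untrusted"

    def limit(self, risk_class):
        return self.trusted_strikes if risk_class == "trusted" else self.max_strikes


def simulate_dos(policy):
    """Owner logs in from a known device; an attacker then enters three wrong
    passwords from an unknown host; the owner tries again from the known device.
    Returns the owner's final result (constructed scenario)."""
    acct = Account("alice", "correct horse battery staple", known_devices={"laptop"})
    t = 1_000_000.0
    policy.authenticate(acct, acct.password, "laptop", t)
    for i in range(3):
        policy.authenticate(acct, f"guess{i}", "unknown-host", t + 1 + i)
    return policy.authenticate(acct, acct.password, "laptop", t + 10)


def reactivation_result(policy, elapsed):
    """Lock an account with repeated wrong guesses from one device, then try
    the correct password `elapsed` seconds after the lockout began."""
    acct = Account("bob", "s3cret")
    t = 0.0
    for _ in range(100):  # bounded so a misconfigured policy cannot loop forever
        if policy.authenticate(acct, "wrong", "dev", t) == "locked":
            break
    return policy.authenticate(acct, "s3cret", "dev", t + elapsed)


if __name__ == "__main__":
    print("conventional, owner after attacker's strikes:", simulate_dos(StrikeCountPolicy()))
    print("adaptive, owner after attacker's strikes:   ", simulate_dos(AdaptiveStrikeCountPolicy()))
    print("conventional, retry one second early:       ", reactivation_result(StrikeCountPolicy(), DAY - 1))
    print("conventional, retry at reactivation time:   ", reactivation_result(StrikeCountPolicy(), DAY))
```

Under the conventional policy the attacker's three failures lock the single shared counter, so the owner is refused until the 24-hour period elapses; under the adaptive variant only the untrusted class is locked, so the owner's attempt from the trusted device succeeds and the attacker's guesses from unknown hosts still stop after three.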