In many instances, computer systems require end users to be authenticated for security reasons. For example, only authenticated (legitimate) end users may interact with, operate, or use the functions provided by the computer systems. Authentication of end users can include verifying a digital identity representing a real-life end user on the basis of certain authentication data or “credentials,” for example, a combination of user name and password, visual cues (e.g., retina scans), biometric data (e.g., fingerprints), and others, as proof of the real-life end user's identity.
In some situations, certain human interactors (e.g., users or clients that can interact with the computer systems) or automated interactors (e.g., password-cracking computer programs) may attempt to use computer systems for which they do not hold a valid authentication credential. These interactors may misuse authentication procedures to become associated with a legitimate user's identity in the computer systems. For example, upon an authentication attempt, a computer system may find that the credentials entered do not satisfy the criteria for successful authentication. This may happen for different reasons. When a legitimate user attempts to be authenticated, errors can occur during data input (e.g., mistyping a password) or during sampling (e.g., during biometric data collection, such as scanning a fingerprint). When an illegitimate user attempts to be authenticated, errors occur when wrong passwords are used and multiple attempts at data input based on guessing or partial knowledge are made (e.g., forged authentication data generated using manual input or automated tools). In many instances, computer systems are not capable of distinguishing between an error created by a legitimate user mistyping the authentication credentials and an error created by an illegitimate user forging authentication credentials by trial and error.
Some computer systems use a lockout period between authentication attempts, for example, creating a delay between a failed attempt and the next attempt. In some implementations, the computer systems may be configured to increase the lockout period after each failed attempt, so as to deter an illegitimate user's guessing strategy. A further measure may extend the lockout period to an infinite time period (i.e., locking the digital identity permanently) and only allow a highly privileged and legitimate user (e.g., an administrator) to reset the lockout period of the locked digital identity. However, this defensive mechanism may be employed by an illegitimate user to maliciously tamper with the computer systems such that normal legitimate users are prohibited from authenticating while the digital identity is permanently locked, at least until a highly privileged user/administrator intervenes to reset the lockout period. For example, an illegitimate user may repeatedly submit failing authentication attempts, causing the computer system to permanently lock the associated digital identity.
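The escalating lockout and its permanent-lock variant described above, together with the way a stream of failed attempts from someone who does not know the credential can lock the legitimate owner out, as an added Python example that is not part of the original text; the simulated clock, the class and method names, the parameter names and the sample credential are all assumptions:

```python
import hmac
import math
from typing import Optional

class Authenticator:
    """Progressive lockout: the n-th consecutive failure locks the identity for base * factor**(n-1)
    seconds, capped at max_delay. With permanent_after set, that many failures lock it until admin_reset."""

    def __init__(self, base=1.0, factor=2.0, max_delay=3600.0, permanent_after: Optional[int] = None):
        self.base, self.factor, self.max_delay = base, factor, max_delay
        self.permanent_after = permanent_after
        self.now = 0.0             # simulated clock in seconds (assumption), so runs are deterministic
        self.accounts = {}         # name -> {"password", "failures", "locked_until"}

    def add_user(self, name, password):
        self.accounts[name] = {"password": password, "failures": 0, "locked_until": 0.0}

    def login(self, name, password):
        acct = self.accounts[name]
        if self.now < acct["locked_until"]:
            return "locked"        # rejected before the credential is even checked
        if hmac.compare_digest(acct["password"], password):
            acct["failures"] = 0   # a success clears the failure counter
            return "ok"
        acct["failures"] += 1
        if self.permanent_after is not None and acct["failures"] >= self.permanent_after:
            acct["locked_until"] = math.inf   # permanent lock: only admin_reset clears it
        else:
            delay = min(self.base * self.factor ** (acct["failures"] - 1), self.max_delay)
            acct["locked_until"] = self.now + delay
        return "fail"

    def admin_reset(self, name):
        self.accounts[name].update(failures=0, locked_until=0.0)

def owner_after_attack(auth, name, password, bad_attempts=8):
    """Someone without the password fails bad_attempts times, waiting out each finite delay;
    return what the legitimate owner then sees when presenting the correct credential."""
    for _ in range(bad_attempts):
        auth.login(name, "not the password")
        auth.now += auth.max_delay + 1
    return auth.login(name, password)

if __name__ == "__main__":
    for permanent in (None, 5):   # capped delays vs. permanent lock after 5 failures
        auth = Authenticator(permanent_after=permanent)
        auth.add_user("alice", "correct horse battery staple")   # constructed sample credential
        print(permanent, owner_after_attack(auth, "alice", "correct horse battery staple"))
```

With the capped policy the owner gets "ok" once the finite delay has elapsed; with the permanent-lock policy the owner sees "locked" until an administrator calls admin_reset.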