Contact locked out account - need to be able to unlock

I am also having this issue. I was testing the v2 API with a bad password (I hadn't noticed, my mistake), and locked myself out. It would have helped if the API had returned a 401 or at least a 403 status code, rather than returning 404 - I would have noticed a bit sooner.

Is there a way for another admin to override an account lockout yet?

Hi All,

If a Freshdesk contact looses their password, then they can based on the helpdesk setting reset their own password as described in this solution article link.

The admin can also reset the password of an agent too in the same way as described in the above article. In case of an agent, a password reset link would be sent to the agent email address.

The lockout option safeguards a Freshdesk account, when multiple failed logins are observed. This helps keep unauthorised people from gaining access to the Freshdesk account.

Thanks,

Priyo,

Product Management, Freshdesk

Hi Priyo -- when an agent's password is reset (by the admin or the agent themselves) the lockout is not lifted.  It should either be removed automatically or there should be an option for the admin to do so.  Having a support agent twiddle their thumbs for two hours waiting for an account to unlock is a waste.

Thanks,

Jason

Yes.  Please look into this.  This has occurred on our site as well.  One user was unable to get into FreshDesk for sometime.  We followed all of the suggestions from FreshDesk support and nothing resolved the issue until FreshDesk did something "magical" in the background.  We felt rather helpless on this one.

I second Jason's suggestion. I just  came back from vacation and locked myself up and no-one can unlock me... We need at least the lock to be released when password is legitimately changed and/or re-settabled by an Administrator.

Same problem here. 2 hours is amazing long when compared to other systems which allow financial transactions to be made.

Just kicked admin account out of business for 2 hours when trying to get API running and now need to reschedule project start.

Workaround for next time is to create accounts for testing purposes, but I think 2 hours should be reduced to 5 minutes or alike, just as with banks and other ERP products.

@Priyo Did you already include this in the weekly sprint? There still doesn't seem an option to unlock.

Hello All,

Thanks for letting us know about this issue. We are looking into how to improve the user experience here, definitely think there is an opportunity for us to make the UI more intuitive. 

I will post back on an ETA once we have some more clarity. 

Thanks for your patience!

Sudha

Hello all,

While evaluating the lockout period, it is in line with our security practices to "lockout" an account for 2 hours after 10 failed login attempts.

Upon further analysis of the user experience here, I found that the main issue with failed login attempts was that the user is not encouraged to reset their password. So we have made a UI change to highlight that option better when there is a failed login attempt.

This change has been deployed last week is now live. 

Thanks again for your feedback!

Sudha

@Sudha

Sorry, but that doesn't sound as a real solution to me. An administrator should be able to restore access, for no matter what reason logging in failed.

Hi Sudha

Great, but how will that help API users that don't use the UI?

Patrick, I agree with you.  In our situation, the user account didn't unlock even after 2 hours and changing passwords as suggested.  There was no way for us to remove the lock.  We had to put in a ticket to FreshDesk to get this account fixed.

Joakim, agreed that the solution above doesn't handle the API use case. I will put that request on the backlog, however, that is not a very common scenario that we have received requests for. 

Paula, sounds like you might have run into a bug if the account didn't get unlocked after 2 hours. I will ask our team to investigate this.

Patrick, agreed that its not a complete solution that we have provided here. What you are asking for is a feature request, where the admin can unlock the account of an agent and I will add it to our backlog.

Thanks,
Sudha

Sudha, 

Two comments in this forum thread has addressed the API problem, so I'm guessing its not that unusual.

But it's great that things move forward!

This does not make any sense.

I have an agent that accidentally locked himself out and now he can't work for the next 2 hours?   Ridiculous.  

Has this been resolved? We use this for a telemedicine training and there is a DR. locked out. I need this fixed. I as the admin should be able to override a lock due to failed password attempts. 

I have the same issue. Admins should be able to override the lockout. When will this be addressed? 

Please provide an update on when we can expect this feature to be added - admin users should be able to override the lockout.

I would like to add my agreement to the other comments here about it being unacceptable for a technician to be locked out of their account for two hours without the administrator having any ability to override the lockout.  In addition, locking the user out for two hours seems extremely excessive.  If the purpose of this security control is to prevent account brute force attacks, then a 15 minute lockout is more than sufficient.  It would also be a good idea to add a CAPTCHA after the first failed logout to prevent most machine automation.

This has happened to one of my agents - I add my voice to those who would like the ability to unlock an account as an admin.  It is not acceptable to have to have an agent just sit and wait 2 hours!!  Some of our SLA's are for 30 minute or 1 hour responses.