Leap lockouts due to incorrect password entry should have a unique error message
We had a front-line staff member contact us because he was getting a "The domain, username or password is incorrect" error message when he tried to log in to Leap. Support was able to tell us that he was locked out because he had incorrectly typed his password five times. They confirmed that the error message that will be shown when this happens is "The domain, username or password is incorrect." Not only is that error message text factually untrue, it is identical to the error message that a staff person sees if their password actually IS being entered incorrectly. It encourages them to keep trying to log in instead of waiting for the end of the 30-minute lockout period, and might even lead to additional lockouts.
Since Support confirmed they can distinguish these two cases, a separate error message should be created for lockouts. "An incorrect password has been entered for this account five times. The account is now locked for 30 minutes." Something like that.
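The behaviour the post asks for, as an added illustration that is not code from the original thread, from Leap, or from Innovative: a small login service that counts failed attempts, locks the account for a fixed window after the fifth failure, and reports a lockout with its own message and status code instead of the generic "incorrect password" one. Attempts made while the account is locked are not counted, so a user who keeps retrying cannot extend or chain lockouts. The class and function names, the in-memory password table and the fake clock are all constructed for the example; the 5-attempt threshold and 30-minute window are the figures quoted in the post. Note the deliberate choice to track failures for unknown usernames exactly as for real ones, so the distinct lockout message does not become a way to confirm which accounts exist.

```python
import hmac
import time
from dataclasses import dataclass

MAX_FAILURES = 5           # lockout after the fifth incorrect password (figure from the post)
LOCKOUT_SECONDS = 30 * 60  # 30-minute lockout window (figure from the post)

INVALID_MSG = "The domain, username or password is incorrect."
LOCKED_MSG = (
    f"An incorrect password has been entered for this account {MAX_FAILURES} times. "
    f"The account is now locked for {LOCKOUT_SECONDS // 60} minutes."
)


@dataclass
class AccountState:
    failures: int = 0        # consecutive failures since the last success or lockout
    locked_until: float = 0  # epoch seconds; 0 means not locked


class FakeClock:
    """Constructed test clock so the 30-minute window can be advanced without sleeping."""

    def __init__(self, start: float = 1_000_000.0) -> None:
        self.now = start

    def __call__(self) -> float:
        return self.now


class LoginService:
    """Hypothetical login service; not Leap's real implementation."""

    def __init__(self, passwords: dict[str, str], clock=time.time) -> None:
        # Constructed sample data: username -> password. A real system stores
        # password hashes; plaintext is used here only to keep the demo short.
        self._passwords = passwords
        self._clock = clock
        self._state: dict[str, AccountState] = {}

    def _state_for(self, username: str) -> AccountState:
        # Unknown usernames get the same tracking as real ones, so the lockout
        # message never reveals whether an account exists.
        return self._state.setdefault(username, AccountState())

    def login(self, username: str, password: str) -> tuple[str, str]:
        """Return (status, message); status is 'ok', 'invalid_credentials' or 'locked_out'."""
        now = self._clock()
        st = self._state_for(username)

        if now < st.locked_until:
            # Still inside the window: say so explicitly, and do NOT count this
            # attempt, so retrying cannot prolong the lockout.
            remaining_min = -(-int(st.locked_until - now) // 60)  # ceiling division
            return ("locked_out",
                    f"This account is locked; try again in {remaining_min} minute(s).")

        expected = self._passwords.get(username)
        if expected is not None and hmac.compare_digest(expected, password):
            st.failures = 0
            return ("ok", "Signed in.")

        st.failures += 1
        if st.failures >= MAX_FAILURES:
            st.failures = 0
            st.locked_until = now + LOCKOUT_SECONDS
            return ("locked_out", LOCKED_MSG)
        return ("invalid_credentials", INVALID_MSG)


if __name__ == "__main__":
    clock = FakeClock()
    svc = LoginService({"emma": "correct horse battery"}, clock)
    for _ in range(MAX_FAILURES):
        print(svc.login("emma", "wrong"))
    print(svc.login("emma", "correct horse battery"))  # still locked
    clock.now += LOCKOUT_SECONDS
    print(svc.login("emma", "correct horse battery"))  # window elapsed, signs in
```

The status code is what a client such as Leap would branch on; the message text is what the staff member sees. A correct password entered during the window still returns `locked_out`, which is exactly the case in the thread where a freshly reset password appears not to have "taken".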
-
Eleanor commented
I'd like to second this, and also thank Emma for making this post and bringing the situation to my attention months ago. I frequently run into this issue when resetting passwords. Attempting to log the staff member in on the client will return an error message that explains they are locked out, but logging in on Leap (which is what most libraries in our consortium use) will give this inaccurate "incorrect password" message that wrongly gives both of us the impression that the password reset didn't take.
(We are also using standard authentication and not OAUTH.)
-
Emma Olmstead-Rumsey commented
Hi Sam, we are using standard authentication, not OAUTH. Thanks for looking at this.
-
Samantha Quell (Admin, Innovative) commented
Emma - Can you clarify if you're using Leap with the standard authentication method or the OAUTH authentication method? This may impact the error data available to Leap.