To help ensure the security of our clients’ sites, accounts, and content, Shotgun has a policy for the scenario where a User tries and fails to log in to a site too many times. After 10 unsuccessful login attempts, the User’s account will be locked for an hour.
Helping Locked Out Users
In the unfortunate event that a User gets locked out of Shotgun because there were too many failed login attempts, you can reset the account to unblock him/her, even if it's within the hour.
When a User on your site gets locked out from too many failed login attempts, Shotgun will send Admins a notification email to facilitate getting that User unblocked and to increase awareness in case it’s a security issue that needs investigating.
These emails are driven by the Subscribe to all Security emails field on the HumanUser entity, consistent with all of the other email subscription settings. By default, anyone in the Admin permission group should have these emails on, and people can opt in/out of them based on your studio's workflow (and Shotgun field permissions).
When a User is locked out, an Admin can reset his/her password to help that User regain access. This will also remove the one-hour restriction on the account. To reset a User's password:
- Locate the User's record in Shotgun.
- Display the Password field if it isn't already.
- Click Reset Password.
- Click Save.
This will send an email to the User with a link that guides him/her through the process of creating a new password. Note that in order to unlock a User once he/she is locked out, the password must be reset.
The Locked Until Field
When a User is locked out, Shotgun stores this information in the "Locked Until" field on the HumanUser entity. Admins can also unlock a User by editing this field, which is a date/time field.
If the date/time is in the future...
- The User will not be able to log into Shotgun until after this date/time.
- Clear out the value in this field to restore access without requiring a password reset.
If the date/time is in the past or blank...
- The User will be able to log into Shotgun normally.
Shotgun's login screen does have a "Forgot login or password?" link so in an ideal world, a User who might have forgotten his/her password will see this link and request a password reset before getting locked out (i.e. before the tenth failed attempt!). Admins, be sure to let your Users know that this is an option as it will hopefully help everyone maintain access to Shotgun!