- Cloud Access Service (CAS)
- Authentication Manager (AM)
- Unified OTP Authentication
- REST API–based authentication flow
In Unified OTP authentication flows that use REST API integration, a known behavior may cause a single failed login attempt to be counted more than once. This can lead to unexpected user lockouts when low lockout thresholds are configured.
This article explains the issue and provides a recommended configuration workaround until a permanent solution is available.
When Unified OTP authentication is implemented using the REST API flow, an authentication loop may occur between system components:
CAS > AM > CAS
Due to this loop, a single failed authentication attempt can be processed multiple times, resulting in duplicate failure counts.
In TCP Agent–based integrations, existing configuration controls can be used to prevent duplicate counting.
Impact
- A single failed login attempt may be recorded twice.
- Account lockout thresholds may be reached earlier than expected.
- Users may experience unexpected or premature lockouts.
Affected Environments
- Unified OTP flows using REST API integration
- Environments that have migrated from TCP Agent to REST API–based authentication
Due to the authentication loop (CAS > AM > CAS), a single failed authentication attempt is counted twice.
To avoid unintended lockouts caused by duplicate failure counting, adjust the account lockout threshold to allow for the additional failure count.
Recommendation
If Failures Allowed Before Lockout is set to 2 or less, increase the value to more than 2.
This ensures that users are not locked out due to duplicate processing of a single failed authentication attempt.
Configuration Steps
- Sign in to the Cloud Administration Console.
- Navigate to My Account > Company Settings > Sessions & Authentication.
- Locate Failures Allowed Before Lockout.
- Set the value to more than 2 if it is currently 2 or less.
- Save the changes.
Limitations
This workaround applies only to REST API–based Unified OTP flows.
There is currently no REST API–specific configuration option to suppress duplicate failure counting.
This configuration change does not remove the duplicate counting behavior; it mitigates its impact.
Status
This is a known limitation in REST API–based Unified OTP authentication flows. A permanent fix may be introduced in a future release.
Additional Information
If users continue to experience unexpected lockouts after applying this workaround, contact Support with account logs and authentication timestamps for further analysis.
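When reviewing account logs for this issue, it helps to separate what the flow counted from what the user actually did. The following script is an added example, not RSA code or log output: it runs over constructed authentication events (the field layout and the 2-second replay window are assumptions) and reports, per user, the raw failure count versus the number of distinct attempts, plus which users a given Failures Allowed Before Lockout value would lock out on duplicates alone.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real RSA log output). Each tuple is
# (user, ISO timestamp, result). The CAS > AM > CAS loop surfaces as two
# AUTH_FAILED records for one real attempt, about a second apart.
SAMPLE_EVENTS = [
    ("alice", "2024-05-01T09:00:00", "AUTH_FAILED"),
    ("alice", "2024-05-01T09:00:01", "AUTH_FAILED"),  # loop duplicate
    ("bob",   "2024-05-01T09:10:00", "AUTH_FAILED"),
    ("bob",   "2024-05-01T09:10:01", "AUTH_FAILED"),  # loop duplicate
    ("bob",   "2024-05-01T09:12:30", "AUTH_FAILED"),  # genuine second attempt
    ("bob",   "2024-05-01T09:12:31", "AUTH_FAILED"),  # loop duplicate
]

# Assumption: a replayed failure lands within 2 s of the original.
DEDUP_WINDOW = timedelta(seconds=2)


def count_failures(events, window=DEDUP_WINDOW):
    """Return {user: (raw_failures, distinct_failures)}.

    raw_failures is what the affected flow counts; distinct_failures
    collapses failures for the same user that fall within `window` of
    the previous failure into one real attempt. Counts are not reset
    on success here; the model only covers consecutive failures.
    """
    raw, distinct, last_failure = defaultdict(int), defaultdict(int), {}
    for user, ts, result in sorted(events, key=lambda e: e[1]):
        if result != "AUTH_FAILED":
            continue
        when = datetime.fromisoformat(ts)
        raw[user] += 1
        prev = last_failure.get(user)
        if prev is None or when - prev > window:
            distinct[user] += 1
        last_failure[user] = when
    return {u: (raw[u], distinct[u]) for u in raw}


def premature_lockouts(events, threshold):
    """Users locked by the raw count although their distinct attempts
    stay below the threshold (lockout modelled as raw >= threshold)."""
    return sorted(u for u, (raw, real) in count_failures(events).items()
                  if raw >= threshold > real)


if __name__ == "__main__":
    for t in (2, 3):
        print(f"threshold {t}: premature lockouts -> {premature_lockouts(SAMPLE_EVENTS, t)}")
```

With the threshold at 2, alice is locked out after a single real attempt; at 3 she is not, but bob's two genuine attempts (four raw records) still lock him out, which is why the workaround reduces rather than removes the effect.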