Introduction

If our analysts discover an account that is acting maliciously, or suspiciously, they can lock that user’s access the Field Effect MDR Portal. There are two levels of severity for account locking:

• Re-Authentication Required: if we discover a lower confidence indicator that an account has been compromised, we will force the user to re-authenticate their account.  
• Account Locked: if we discover a high-confidence indicator that an account has been compromised, we will lock the user’s account and inform organization administrators via ARO and email/SMS notification. Admins will need to reach out to our team to unlock the account.

Account Blocking Notifications

The following images show examples of the notifications you will receive for account locking.

When an account is locked, administrators will receive the following email notification:

Once the account has been unlocked, administrators will be sent the following email notification:

The User Experience for Locked Accounts

When a user needs to re-authenticate their account, they will be logged out of their current session (if applicable) and see the following message on the login screen:

When a user account has been blocked, they will be logged out of their current session (if applicable) and shown the following message on the login screen. This message will also appear for locked accounts trying to log in for a new session.

Viewing Blocked Users

Administrators can view locked users from the User Management page. All locked accounts will be shown and labelled as locked on the “All Users” filter, and you can also use the “Locked” filter to see only locked accounts.