Unused VIP Credential / Token IDs are locked in VIP Manager

Article ID: 273344

Products

VIP Service

Issue/Introduction

When an end-user with multiple assigned credentials manually enters their VIP security code during a login, one or more of their credential IDs in VIP Manager can go to a locked state, even though that VIP credential is not being used for validations.

Cause

During a VIP validation, when an end-user manually enters a VIP security code from their VIP credential, the encrypted VIP username and VIP security code are sent to the VIP Cloud.

When an end-user is assigned one VIP credential ID:

  • The transaction is successful if the security code matches the user's credential ID.
  • The transaction fails if an invalid code is used. The credential ID is locked after 10* consecutive attempts to use an invalid security code.
  • The credential invalid security code counter resets back to 0 when a valid code is used before the credential is locked.

When an end-user is assigned more than one VIP credential ID:

  • The VIP Cloud attempts to match the security code to one of their assigned credentials.
  • If a match is found, the transaction is successful.
  • If a match is not found, the invalid security code counter for each assigned credential increments by one and the transaction fails. (A credential ID is locked when the invalid security code counter reaches 10*.)
  • If a match is found during a subsequent login, the invalid security code counter for the matching credential ID is reset to 0. However, the invalid security code counter for the remaining credentials will remain unchanged until a matching security code is passed.
  • In this scenario, non-matching security codes can eventually cause the invalid security code counter for unused credentials to reach 10. 

*This value can be adjusted by a VIP Administrator in the VIP Manager portal

Note: A locked credential affects VIP authentications only when it is used during a login attempt. 
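
The counter rules above can be traced with a small model. This is an added example, not Symantec VIP code: the class, function and credential names are hypothetical, the threshold is the article's default of 10, and rejecting a code from a locked credential is an assumption of the model.

```python
# Simplified model of the invalid security code counters described in this
# article. Not Symantec VIP code; all names here are hypothetical.

LOCK_THRESHOLD = 10  # article default; adjustable by a VIP Administrator


class UserCredentials:
    def __init__(self, credential_ids, threshold=LOCK_THRESHOLD):
        self.threshold = threshold
        self.invalid_count = {cid: 0 for cid in credential_ids}

    def locked(self):
        """Credential IDs whose counter has reached the lock threshold."""
        return sorted(c for c, n in self.invalid_count.items()
                      if n >= self.threshold)

    def validate(self, matching_credential=None):
        """Process one manually entered security code.

        matching_credential is the credential ID the code matches, or None
        when it matches none of the user's assigned credentials.
        """
        if matching_credential is None:
            # No match: the counter of EVERY assigned credential goes up.
            for cid in self.invalid_count:
                self.invalid_count[cid] += 1
            return False
        if self.invalid_count[matching_credential] >= self.threshold:
            return False  # assumption: a locked credential is rejected
        # Match: only the matching credential's counter is reset.
        self.invalid_count[matching_credential] = 0
        return True


def simulate(mistyped_logins, used="CRED-A", unused="CRED-B"):
    """Each login: one mistyped code, then a valid code from `used`."""
    user = UserCredentials([used, unused])
    for _ in range(mistyped_logins):
        user.validate(None)
        user.validate(used)
    return user


if __name__ == "__main__":
    user = simulate(10)
    print(user.invalid_count, "locked:", user.locked())
```

Every login in the run ends successfully, yet the credential that is never used accumulates one count per mistyped code and locks on the tenth.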

Resolution

- Users with multiple assigned credentials can periodically use a security code from another assigned credential.

- Use the VIP PUSH feature. This does not impact a credential's invalid security code counter.

- Enable the VIP Manager policy to enforce a maximum number of assigned credentials. Your organization should decide the maximum number of credentials a user can be assigned, and whether credentials can be assigned to more than one user at a time.

- Enable the Credential expiration policy to automatically remove unused credentials from users. Expired credentials are unassigned from the user and appear as 'inactive' in VIP Manager.