Configuring Account Locking due to Failed Login Attempts

WSO2 Identity Server enables privileged users to define the maximum number of failed login attempts the system accepts. When a user exceeds the maximum number of failed login attempts defined in the system, the user account will be automatically locked. The privileged users can also define for how long the account should be locked.


Pickup is a cab company that has many employees who use different credentials to sign in to different internal enterprise applications. While Sam is an administrator at Pickup, Alex is a new recruit. To prevent unauthorized access, Sam wants to temporarily lock accounts to which more than 3 failed login attempts were made.

Let's learn how Sam implements this!

Set up

Follow the steps below to configure account locking due to failed login attempts.

  1. Open the deployment.toml file in the <IS_HOME>/repository/conf directory and check whether the following listener configs are in place.

    [event.default_listener.identity_mgt]
    priority= "50"
    enable = false
    [event.default_listener.governance_identity_mgt]
    priority= "95"
    enable = true

  2. Restart WSO2 Identity Server.

  3. To configure the account locking requirements:

    1. On the Main menu of the Management Console, click Identity > Identity Providers > Resident.

    2. Under the Login Policies section, click Account Locking.

    3. Enter the required information as given below:

      • Maximum Failed Login Attempts: 3
      • Account Unlock Time: 15

    4. Click Update.
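
The check in step 1 can be automated. The following Python script is an added example, not part of the WSO2 documentation or product: it reads the text of deployment.toml and reports whether the `[event.default_listener.identity_mgt]` and `[event.default_listener.governance_identity_mgt]` tables carry the `enable` values this page expects. The function name `audit_listeners`, the sample inputs, and the choice to report an unset `enable` as a finding are assumptions of this example.

```python
"""Audit deployment.toml for the account-locking listener settings (added example)."""
try:
    import tomllib                      # Python 3.11+
except ModuleNotFoundError:
    import tomli as tomllib             # backport for older interpreters

# Expected `enable` value per listener table, as listed in step 1 of this page.
EXPECTED = {
    "identity_mgt": False,              # page expects enable = false
    "governance_identity_mgt": True,    # page expects enable = true
}


def audit_listeners(toml_text):
    """Return a list of findings; an empty list means the config matches."""
    doc = tomllib.loads(toml_text)
    listeners = doc.get("event", {}).get("default_listener", {})
    findings = []
    for name, want in EXPECTED.items():
        table = f"[event.default_listener.{name}]"
        if name not in listeners or "enable" not in listeners[name]:
            # Assumption of this example: an unset value is reported, not trusted.
            findings.append(f"{table}: enable is not set explicitly")
            continue
        # Normalise so that both `false` and "false" compare the same way.
        got = str(listeners[name]["enable"]).strip().lower()
        if got != str(want).lower():
            findings.append(f"{table}: enable = {got}, expected {str(want).lower()}")
    return findings


# Constructed sample inputs (not taken from a real deployment).
GOOD = """
[event.default_listener.identity_mgt]
priority = "50"
enable = false

[event.default_listener.governance_identity_mgt]
priority = "95"
enable = true
"""
BAD = GOOD.replace("enable = true", "enable = false")   # governance listener off
PARTIAL = GOOD.split("[event.default_listener.governance_identity_mgt]")[0]

if __name__ == "__main__":
    for label, text in (("good", GOOD), ("bad", BAD), ("partial", PARTIAL)):
        print(label, audit_listeners(text) or "OK")
```

To audit a real installation, pass the contents of `<IS_HOME>/repository/conf/deployment.toml` to `audit_listeners` and treat any returned finding as a reason to revisit step 1 before relying on the lock policy.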

Try out

  1. To create the user account for Alex:

    1. On the Main menu of the Management Console, click Identity > Users and Roles > Add.

    2. Click Add New User.

    3. Enter the required data as follows.

      • Domain: Primary
      • Username: Alex

    4. Click Finish.

  2. To assign login permissions to the user:

    1. Click the View Roles option of Alex.

    2. Click Permissions.

    3. Select Login and click Update.

  3. To configure Alex's email account:

    1. Click the User Profile option of Alex.

    2. Enter an email address to which Alex's account locking emails should be sent.

    3. Click Update.

  4. To mimic account locking:

    1. Access the WSO2 Identity Server User Portal at https://localhost:9443/user-portal/.

    2. To mimic three consecutive erroneous login attempts, log in with Alex's user name and the following as passwords sequentially:

      • test123
      • test234
      • test345

    3. An email notifying that the account is locked is sent to the given email address.

    4. Wait for 15 minutes and try to log in again with the correct credentials. The WSO2 Identity Server User Portal home screen appears.