Skip to content

Configuring Account Locking due to Failed Login Attempts

WSO2 Identity Server enables privileged users to define the maximum number of failed login attempts the system accepts. When a user exceeds the maximum number of failed login attempts defined in the system, the user account will be automatically locked. The privileged users can also define for how long the account should be locked.

Account Locking

Scenario

Pickup is a cab company that has many employees who use different credentials to sign in to different internal enterprise applications. While Sam is an administrator at Pickup, Alex is a new recruit. To prevent unauthorized access, Sam wants to temporarily lock accounts to which more than 3 failed login attempts were made.

Let's learn how Sam implements this!

Set up

Follow the steps below to configure account locking due to failed login attempts.

  1. Open the deployment.toml file in the <IS_HOME>/repository/conf directory.

    1. To request password entry from the users who are registered via Management Console, add the following configurations:

      [event.default_listener.identity_mgt]
      priority= "50"
      enable = false
      [event.default_listener.governance_identity_mgt]
      priority= "95"
      enable = true
    2. To configure the email server to send emails requesting password entry, add the following configurations:

      • from_address: This is the email address from which the confirmation email will be sent.
      • username: This is the user name of the given email address.
      • password: This is the password of the given email address.
      [output_adapter.email]
      from_address= ""
      username= ""
      password= ""
      hostname= "smtp.gmail.com"
      port= 587
      enable_start_tls= true
      enable_authentication= true
      [output_adapter.email]
      from_address= "[email protected]"
      username= "wso2iamtest"
      password= "Wso2@iam70"
      hostname= "smtp.gmail.com"
      port= 587
      enable_start_tls= true
      enable_authentication= true

      If you are using a Google email account

      Google has restricted third-party applications and less secure applications from sending emails by default. As WSO2 Identity Server acts as a third-party application when sending emails for password entry, follow the steps below to enable your Google email account to provide access to third-party applications.

      1. Access https://myaccount.google.com/security.

      2. Under Signing in to Google section, turn off the 2-step Verification option.

      3. Enable Less secure app access in the Google Account security section.

  2. Restart WSO2 Identity Server.

  3. To configure the account locking requirements:

    1. On the Main menu of the Management Console, click Identity > Identity Providers > Resident.

      Resident menu-item

    2. Under the Login Policies section, click Account Locking.

      Account Locking Option

    3. Enter the required information as given below:

      • Maximum Failed Login Attempts: 3
      • Account Unlock Time: 15

      Account Locking form

    4. Click Update.

Try out

  1. To create the user account for Alex:

    1. On the Main menu of the Management Console, click Identity > Users and Roles > Add.

      Add Users and Roles menu-item

    2. Click Add New User.

      Add New User option

    3. Enter the required data as follows.

      Add New User screen

      • Domain: Primary
      • Username: Alex
    4. Click Finish.

  2. To assign login permissions to the user:

    1. Click the View Roles option of Alex.

      View Roles option

    2. Click Permissions.

      Role Permissions option

    3. Select Login and click Update.

      Login permission

  3. To configure Alex's email account:

    1. Click User Profile option of Alex.

      User Profile option

    2. Enter an email address to which Alex's account locking emails should be sent.

      User Email option

    3. Click Update.

  4. To mimic account locking:

    1. Access the WSO2 Identity Server My Account at https://localhost:9443/myaccount/.

      Sign In form

    2. To mimic three consecutive erroneous login attempts, log in with Alex's user name and the following as passwords sequentially:

      • test123
      • test234
      • test345
    3. An email that informs about the account locking is sent to the given email address.

      Account Locked email

    4. Wait for 15 minutes and try to log in again with the correct credentials. The WSO2 Identity Server User Portal home screen appears.

Top