Skip to content

Configuring Login Attempts-Based Adaptive Authentication

This tutorial demonstrates how you can set up login attempts-based adaptive authentication with WSO2 Identity Server (WSO2 IS). This is useful when you want to add security for users who successfully log in after a specific number of failed login attempts.

To understand how to set up login-attempts-based adaptive authentication with WSO2 IS, let's consider a scenario where you want a user who successfully logs in after 3 failed login attempts to perform an additional level of authentication to access a resource.

Before you begin

Configuring the sample scenario

  1. Log in to the management console and create a new user named 'Alex'.
  2. Navigate to Resident > Identity Providers and expand the Login Policies > Account Locking section.
  3. Enable Account Lock Enabled.
  4. Enter a value for Maximum Failed Login Attempts


Maximum Failed Login Attempts should be greater than the number of failed login attempts you are going to consider for prompting two factor authentication. (In this example, since we are going to prompt two factor authentication after 3 failed login attempts, Maximum Failed Login Attempts should be greater than 3).

enable account locking

  1. Navigate to Service Providers > List.

  2. Click Edit on the service provider.

  3. Expand the Local and Outbound Configuration section and click Advanced Authentication.
  4. Expand Script Based Conditional Authentication.
  5. Click Templates on the right side of the Script Based Conditional Authentication field and then click Login-Attempts-Based. login attempts based authentication template
  6. Click Ok. The authentication script and authentication steps are configured. The authentication script defines a conditional step that executes the second authentication step (i.e., hardware key authenticator) only if the user logs in after a specific number of invalid login attempts defined by invalidAttemptsToStepup parameter.

  7. The authentication steps added are totp and fido . However, these are authentication steps that you would normally use in production. To try out sample authenticators with the sample application, delete the two authenticators and add the following sample authenticators instead.

    1. Click Delete to remove the totp and fido authenticators from Step 2 (the second authentication step).

      delete authenticators

    2. Select Demo Hardware Key Authenticator and click Add.

      add new authenticator

  8. Click Update.

Testing the sample scenario

  1. Access the following sample PickUp application URL:

  2. Click Login and try to login using an invalid password, causing a failed login attempt.

  3. Then try to log in using the correct username and password. The user is not prompted with the second factor authentication since the number of failed attempts has not exceeded the value specified in Maximum Failed Login Attempts.
  4. Make invalid failed attempts until you exceed the allowed failed attempts and try to login with the correct credentials.
  5. Now you are prompted to use the hardware key after basic authentication according to the authentication step defined in the JavaScript above.

    pickup sign in

  6. Enter the 4-digit key given on the screen and click Sign In. hardware key authenticator


The failed login attempts need not be made during a given time period. Login attempts-based adaptive authentication is valid even if the user makes two login attempts now and the other in a few days' time, before trying to log in with the correct credentials.