Lock accounts by failed OTP attempts¶

WSO2 Identity Server can be configured to lock a user account when the number of consecutive failed OTP attempts is exceeded.

If you want to configure different settings for another tenant, log out and follow the same steps to configure these properties for the other tenants.

Configure the WSO2 IS server¶

Add the following configurations into <IS_HOME>/repository/conf/deployment.toml file to enable account locking for each type of OTP attempts and restart the server.

• For Email OTP:

  [authentication.authenticator.email_otp.parameters]
  EnableAccountLockingForFailedAttempts = true

• For SMS OTP:

  [authentication.authenticator.sms_otp.parameters]
  EnableAccountLockingForFailedAttempts = true

  Note

  Since BackupCode = true in the default configuration, configure the backup code claim. Alternatively, you can disable the backup codes for SMS OTP by setting the property to false.

  [authentication.authenticator.sms_otp.parameters]
  BackupCode = false

• For TOTP:

  [authentication.authenticator.totp.parameters]
  EnableAccountLockingForFailedAttempts = true

Enable claims¶

1. Navigate to Main > Identity > Claims > Add > Add Local Claim.
2. Click http://wso2.org/claims.

3. Once the user account gets locked, the Account Locked attribute will be updated to true. To check this via the user profile:

   1. Click Edit under the Account Locked claim.
   2. Select Supported by Default and click Update.
   3. Navigate to the relevant user's user profile and you will see that the attribute has been updated.

4. Failed Email OTP Attempts, Failed SMS Attempts, and Failed TOTP Attempts attribute values will be incremented for the wrong attempt of Email OTP, SMS OTP, and TOTP attempt respectively. To check this via the user profile.

   • For Email OTP:

     1. Click Edit under the Failed Email OTP Attempts claim.
     2. Select Supported by Default and click Update.
     3. Navigate to the relevant user's user profile and you will see that the attribute has been updated.

   • For SMS OTP:

     1. Click Edit under the Failed SMS Attempts claim.
     2. Select Supported by Default and click Update.
     3. Navigate to the relevant user's user profile and you will see that the attribute has been updated.

   • For TOTP:

     1. Click Edit under the Failed TOTP Attempts claim.
     2. Select Supported by Default and click Update.
     3. Navigate to the relevant user's user profile and you will see that the attribute has been updated.

Enable account locking¶

1. Ensure that the identity listener with the priority=50 is set to false and the identity listener with the priority=95 is set to true by adding the following configuration to the <IS_HOME>/repository/conf/deployment.toml file.

   Note

   If you haven't changed these configurations previously, you can skip this step since these are the default values.

   [event.default_listener.identity_mgt]
   priority= "50"
   enable = false
   [event.default_listener.governance_identity_mgt]
   priority= "95"
   enable = true

2. Start the Identity Server and log into the management console (https://<IS_HOST>:<PORT>/carbon) using your tenant credentials.

3. Click Main > Identity > Identity Providers > Resident.

4. Expand the Login Attempts Security tab.

5. Expand the Account Lock tab and select the Lock user accounts checkbox. Click Update to save changes.

6. To enable account locking for other tenants, log out and repeat the steps given above from step 2 onwards.

The following table describes the configuration properties and descriptions you need to configure:

[identity_mgt.account_locking]
allowed_failed_attempts=5

[identity_mgt.account_locking]
auto_unlock_time_increment_ratio=2

[identity_mgt.account_locking]
auto_unlock_after=5

[identity_mgt.account_locking]
enable_account_locking=true

Configure the email sender¶

Enable the email sending configurations of the WSO2 Identity Server.