Configure login-attempts security
You can protect user accounts in WSO2 Identity Server from brute-force attacks by locking the account after consecutive failed login attempts.
You can configure the number of consecutive failed login attempts that should be allowed for users in an organization. When a user exceeds this number of attempts, the account is automatically locked and the user is informed via email. The account will be activated automatically after the specified lock duration.
Enable login attempts security
This setting is disabled by default. To enable login attempts security:
- On the WSO2 Identity Server Console, go to Login & Registration.
- Click Login Attempts under the Login Security section.
- Switch the toggle to Enabled to enable this configuration.
- Configure the settings below if you want to change how login attempts security works by default.
  - Number of consecutive failed login attempts: Specifies the number of consecutive failed login attempts allowed before the account is locked. If you enter 5 as the value, the user's account is locked when five login attempts fail consecutively.
  - Account lock duration: Specifies the duration of the initial account lock. The account is automatically unlocked after this time period. If you enter 5 minutes as the value, the user's account is locked for 5 minutes starting from the last login attempt. The user can log in again after 5 minutes.
  - Account lock duration increment factor: Specifies the factor by which the account lock duration increases after each subsequent lock following the initial one.
  - Notify user when lock time is increased: Sends an email notification to the user when the lock time increases due to continuous failed login attempts.
- Click Update once you configure the required settings.
How it works
Let's look at how the login attempt configurations work with an example. Imagine a scenario where an admin has configured the settings below:
- Number of consecutive failed login attempts: 5
- Account lock duration: 5 min
- Account lock duration increment factor: 2
Based on the above settings, the following happens when a user tries to log in with an incorrect password:
- The user tries to log in with an incorrect password for 5 consecutive attempts.
- The user account is locked for 5 minutes.
- After 5 minutes, the account is unlocked.
- If the user enters the correct password, the user can successfully log in.
- If the user enters an incorrect password for another 5 consecutive attempts, the account lock period is incremented by 2 times the previous lock duration, i.e. the account is locked for 5 x (2 ^ 1) = 10 minutes.
- If the user enters an incorrect password for another 5 consecutive attempts after the wait time (10 min), the account is locked again for 5 x (2 ^ 2) = 20 minutes.
In general:
Time for account to unlock = Account lock duration x (Account lock duration increment factor ^ Account lock count excluding the initial occurrence)
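The following Python is an added example, not WSO2 code: it replays the scenario above against the formula and reproduces the 5, 10 and 20 minute locks. Two details the page does not state (attempts made while locked are not counted; a correct password resets the failure streak but not the lock count) are assumptions and are marked as such in the docstring.

```python
from dataclasses import dataclass, field


@dataclass
class LoginAttemptsPolicy:
    """The three settings from the example above (page's values)."""
    max_failed: int = 5      # number of consecutive failed login attempts
    lock_minutes: int = 5    # account lock duration (initial lock)
    factor: int = 2          # account lock duration increment factor

    def lock_duration(self, lock_count: int) -> int:
        """Minutes for the lock_count-th lock (1 = initial lock); this is the
        page's formula: duration * factor ^ (lock count excluding the initial one)."""
        return self.lock_minutes * self.factor ** (lock_count - 1)


@dataclass
class AccountState:
    failed: int = 0          # consecutive failures since the last reset
    lock_count: int = 0      # locks so far; drives the increment factor
    locked_until: int = -1   # minute at which the current lock expires
    locks: list = field(default_factory=list)  # (lock start minute, minutes)


def simulate(policy: LoginAttemptsPolicy, attempts) -> AccountState:
    """Replay (minute, password_ok) attempts. Assumed, not stated on the page:
    attempts while locked are rejected without counting, and a correct
    password resets the failure streak but not the lock count."""
    state = AccountState()
    for minute, ok in attempts:
        if minute < state.locked_until:
            continue                      # rejected while locked
        if ok:
            state.failed = 0              # correct password clears the streak
            continue
        state.failed += 1
        if state.failed >= policy.max_failed:
            state.lock_count += 1
            duration = policy.lock_duration(state.lock_count)
            state.locked_until = minute + duration
            state.locks.append((minute, duration))
            state.failed = 0              # counting restarts after the lock
    return state


# Constructed sample: three bursts of five wrong passwords at minutes 0-4,
# 10-14 and 25-29, each burst starting only after the previous lock expired.
SAMPLE_ATTEMPTS = [(t, False) for t in (*range(5), *range(10, 15), *range(25, 30))]
```

Running `simulate(LoginAttemptsPolicy(), SAMPLE_ATTEMPTS).locks` gives the three locks of 5, 10 and 20 minutes starting at minutes 4, 14 and 29.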
Info
- On the WSO2 Identity Server login pages, a generic error message is displayed by default to end users in the event of login failures. To show more specific error messages on the login page, the following properties can be configured in the deployment.toml file, which is located in the <IS_HOME>/repository/conf directory.

Basic authenticator configurations:
```toml
[authentication.authenticator.basic.parameters]
showAuthFailureReason = true
showAuthFailureReasonOnLoginPage = true
```

Email OTP authenticator configurations:
```toml
[authentication.authenticator.email_otp.parameters]
showAuthFailureReason = true
showAuthFailureReasonOnLoginPage = true
```

TOTP authenticator configurations:
```toml
[authentication.authenticator.totp.parameters]
showAuthFailureReason = true
showAuthFailureReasonOnLoginPage = true
```