Configure reCAPTCHA On Invalid Challenge Question Attempts¶
This topic guides you through configuring reCAPTCHA for secret questions in the password recovery flow. By configuring reCAPTCHA, you can mitigate or block brute force attacks.
For more information on setting up password recovery with secret questions, see Enable password reset via Challenge Questions.
For more information on brute force attacks, see Mitigating Brute Force Attacks.
Setting Up reCAPTCHA with WSO2 Identity Server.
Configure reCAPTCHA on invalid challenge question attempts for a specific tenant¶
Start WSO2 Identity Server and log in to the management console as tenant admin.
On the Main tab, click Identity > Identity Provider > Resident Identity Provider.
Expand the Account Management tab and then expand the Account Recovery tab.
Select Enable reCaptcha for security questions based password recovery and configure the Max failed attempts for reCaptcha.
This Max failed attempts for reCaptcha value should be less than the number of failed attempts configured in the account locking connector.
To view the number of failed attempts configured for the account lock feature, expand the Login Attempts Security tab and then expand the Account Lock tab.
Expand the Login Attempts Security tab and then expand the Account Lock tab.
Select Lock user accounts.
You have now successfully configured reCAPTCHA for the password recovery with secret questions flow. The reCAPTCHA will be prompted if the user reaches the limit of max failed attempts when providing an answer to a secret question. For instance, since the Max failed attempts for reCaptcha was configured as 2 above, if the user answers a question incorrectly twice, the reCAPTCHA will be prompted as seen in the window below.