Brute-force protections

Brute-force protection guards against attacks that try to crack secrets, such as passwords or passcodes, by trial and error. It halts malicious actors once they reach the limit for unsuccessful attempts. Limiting the number of password or temporary passcode attempts should be one of your top priorities for account security.


While the resulting account lockout can mitigate brute-force attacks, dictionary attacks, and credential stuffing, it can also lead to an unpleasant user experience. When you set up restrictions, it's worth factoring in the honest mistakes legitimate users make when trying to log in. Strivacity's brute-force protection controls help you strike the right balance between ease of use and the risk levels specific to your organization.

Settings

Brute-force protection rules let you set how accounts are disabled based on failed password and/or one-time passcode attempts.

| Password failed attempts restriction | Description | Status |
|---|---|---|
| Terminate user session after ... attempts | Defines the number of unsuccessful tries a user can have when entering their password before they get locked out of the account. | 3 tries are allowed by default. |
| Account lockout | You can permanently lock accounts if the number of unsuccessful attempts reaches the limit. | Disabled by default. When enabled, 10 attempts are allowed by default. |
| Lockout duration | Defines the number of minutes a locked account can't be used. Users can try to log in again once the account lockout period expires. | Disabled by default. When enabled, the duration is set to 15 minutes by default. |

| OTP/TOTP failed attempts restriction | Description | Status |
|---|---|---|
| Terminate user session after ... attempts | Defines the number of unsuccessful tries a user can have when entering a passcode before they get locked out of the account. | 3 tries are allowed by default. |
| Account lockout duration | Defines the number of minutes a locked account can't be used. Users can try to log in again once the account lockout period expires. | Disabled by default. When enabled, the duration is set to 15 minutes by default. |
| Permanent account lockout | You can permanently lock accounts if the number of unsuccessful tries reaches the limit. | Disabled by default. |

Note (Permanent lockout): Users can turn to your customer support if they get permanently locked out of their accounts. Customer service can assist them with the account recovery tools in the Admin Console.

Note: For examples of how Adaptive Access policy settings interact with custom journeys and self-service unlock, see Account lockout scenarios.

| Identifier failed attempts restriction | Description | Status |
|---|---|---|
| Terminate user session after ... attempts | Defines the number of unsuccessful tries a user can have when entering an identifier before they get locked out of the account. | 3 tries are allowed by default. |

| Additional settings | Description | Status |
|---|---|---|
| Expose attempt limits to the login flows | Allows the number of failed password, passcode, and identifier attempts to be shared with the login and My Account experiences. This helps you inform customers how close they are to a lockout or session termination. | Disabled by default. |

Note: When Expose attempt limits to the login flows is enabled, the attempt counts are returned in API responses during login journeys and can be used in your front end to display dynamic warnings or messages. Leave it disabled if you do not want this information exposed.
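To make the interaction between the session-level limit, the account-level lockout, the lockout duration and the exposed attempt counts concrete, here is an added example that models those rules in Python. It is not Strivacity code and does not reflect how the product stores state; the class names, the `BruteForceGuard` API, the constructed credential and the assumption that an expired lockout resets the failure counter are all illustrative. The defaults mirror the settings tables above (3 tries per session, lockout at 10 attempts, 15-minute lockout, `None` standing in for permanent lockout).

```python
# Added example: a minimal model of the lockout rules described on this page.
# It is not Strivacity code; class and field names are constructed for illustration.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional
import hmac


@dataclass
class LockoutPolicy:
    """Knobs corresponding to the settings tables (defaults mirror the page)."""
    session_attempt_limit: int = 3            # "Terminate user session after ... attempts"
    account_lockout_enabled: bool = False     # "Account lockout" is disabled by default
    account_lockout_attempts: int = 10        # 10 attempts once lockout is enabled
    lockout_duration_min: Optional[int] = 15  # None models "Permanent account lockout"
    expose_attempt_limits: bool = False       # "Expose attempt limits to the login flows"


@dataclass
class AccountState:
    failed_attempts: int = 0                  # counts across sessions until success/unlock
    locked_until: Optional[datetime] = None
    permanently_locked: bool = False


@dataclass
class LoginSession:
    failures: int = 0                         # failures within this login journey only


@dataclass
class LoginResult:
    outcome: str                              # success | failure | session_terminated | locked
    remaining_attempts: Optional[int] = None  # set only when the policy exposes limits


class BruteForceGuard:
    def __init__(self, policy: LockoutPolicy, expected_secret: str) -> None:
        self.policy = policy
        # Constructed credential for the demo; a real system compares against a stored hash.
        self._expected = expected_secret.encode()

    def _check_secret(self, supplied: str) -> bool:
        # Constant-time comparison so timing does not leak how many bytes matched.
        return hmac.compare_digest(self._expected, supplied.encode())

    def attempt(self, account: AccountState, session: LoginSession,
                supplied: str, now: datetime) -> LoginResult:
        p = self.policy
        if account.permanently_locked:
            return LoginResult("locked")
        if account.locked_until is not None:
            if now < account.locked_until:
                return LoginResult("locked")
            # Assumption: an expired lockout clears the counter so the user starts fresh.
            account.locked_until = None
            account.failed_attempts = 0

        if self._check_secret(supplied):
            account.failed_attempts = 0
            session.failures = 0
            return LoginResult("success")

        account.failed_attempts += 1
        session.failures += 1

        # Account-level rule is evaluated first because it is the stronger sanction.
        if p.account_lockout_enabled and account.failed_attempts >= p.account_lockout_attempts:
            if p.lockout_duration_min is None:
                account.permanently_locked = True
            else:
                account.locked_until = now + timedelta(minutes=p.lockout_duration_min)
            return LoginResult("locked")

        # Session-level rule: the journey ends, but the account stays usable.
        if session.failures >= p.session_attempt_limit:
            return LoginResult("session_terminated", 0 if p.expose_attempt_limits else None)

        remaining = p.session_attempt_limit - session.failures
        return LoginResult("failure", remaining if p.expose_attempt_limits else None)


def run_demo() -> list:
    """Ten wrong passwords across several sessions, then the right one during and after lockout."""
    policy = LockoutPolicy(account_lockout_enabled=True, expose_attempt_limits=True)
    guard = BruteForceGuard(policy, "correct-horse")   # constructed secret
    account = AccountState()
    t0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    outcomes = []
    session = LoginSession()
    for i in range(10):
        r = guard.attempt(account, session, "wrong-guess", t0 + timedelta(seconds=i))
        outcomes.append((r.outcome, r.remaining_attempts))
        if r.outcome == "session_terminated":
            session = LoginSession()          # the user must start a new login journey
    # Inside the 15-minute window even the right password is refused.
    outcomes.append(guard.attempt(account, LoginSession(), "correct-horse",
                                  t0 + timedelta(minutes=10)).outcome)
    # After the window the lockout expires and the correct password succeeds.
    outcomes.append(guard.attempt(account, LoginSession(), "correct-horse",
                                  t0 + timedelta(minutes=16)).outcome)
    return outcomes


if __name__ == "__main__":
    for o in run_demo():
        print(o)
```

Running `run_demo()` shows the two counters diverging: each third failure terminates the session while the account-level count keeps climbing, the tenth failure locks the account for 15 minutes, and `remaining_attempts` is only populated because `expose_attempt_limits` is on. Setting `lockout_duration_min=None` in the policy switches the same code path to a permanent lockout that only an administrator-side reset could clear.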