Brute-force protections
Brute-force protection guards against any attack that tries to recover a secret, such as a password or passcode, by trial and error: it stops the attacker once the limit of unsuccessful attempts is reached. Limiting the number of password or temporary passcode attempts should be one of your top priorities for account security.

While the resulting account lockout can mitigate brute-force attacks, dictionary attacks, and credential stuffing, it can also lead to an unpleasant user experience, and a lockout that is too easy to trigger lets anyone who knows a username lock its legitimate owner out. When you set up restrictions, it's worth factoring in the honest mistakes legitimate users make when trying to log in. Strivacity's brute-force protection controls help you strike the right balance between ease of use and the risk levels specific to your organization.
Settings
Brute-force protection rules let you set when a login session is terminated and when an account is locked, based on failed password, one-time passcode, and identifier attempts.

Password failed attempts restriction | Description | Default |
---|---|---|
Terminate user session after ... attempts | Defines the number of unsuccessful tries a user can have when entering their password before their login session is terminated. | 3 tries are allowed. |
Account lockout | Locks the account once the number of unsuccessful attempts reaches the limit. Without a lockout duration, the lock is permanent. | Disabled. When enabled, 10 attempts are allowed. |
Lockout duration | Defines the number of minutes a locked account can't be used. Users can try to log in again once the lockout period expires. | Disabled. When enabled, the duration is 15 minutes. |
Failed OTP/TOTP attempts restriction | Description | Default |
---|---|---|
Terminate user session after ... attempts | Defines the number of unsuccessful tries a user can have when entering a passcode before their login session is terminated. | 3 tries are allowed. |
Account lockout duration | Defines the number of minutes a locked account can't be used. Users can try to log in again once the lockout period expires. | Disabled. When enabled, the duration is 15 minutes. |
Permanent account lockout | Locks the account permanently once the number of unsuccessful tries reaches the limit. | Disabled. |
Permanent lockout
Users who are permanently locked out of their accounts can turn to your customer support. Customer service can assist them with the account recovery tools in the Admin Console.
Identifier failed attempts restriction | Description | Default |
---|---|---|
Terminate user session after ... attempts | Defines the number of unsuccessful tries a user can have when entering an identifier before their login session is terminated. | 3 tries are allowed. |
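To make the interaction between the three settings concrete (session termination after 3 tries, account lockout after 10, a 15-minute lockout duration, and the permanent variant that only support can clear), here is an added Python model of the rules in the tables above. It is example code written for this page, not Strivacity's implementation: the two-counter design (one counter per login session, one per account), the assumption that a successful login or an applied lockout restarts the account counter, the `admin_unlock` helper standing in for the Admin Console recovery tools, and the event timings in `simulate` are all assumptions.

```python
"""Constructed model of brute-force protection rules (example, not Strivacity code)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum
from typing import List, Optional, Tuple


class Outcome(str, Enum):
    RETRY = "retry"                              # wrong credential, may try again
    SESSION_TERMINATED = "session_terminated"    # session limit reached, start over
    LOCKED = "locked"                            # temporary account lockout begins
    PERMANENTLY_LOCKED = "permanently_locked"    # needs support to recover
    REFUSED = "refused"                          # not evaluated: account is locked
    SUCCESS = "success"


@dataclass
class Policy:
    session_attempts: int = 3      # "Terminate user session after ... attempts"
    lockout_enabled: bool = False  # "Account lockout", disabled by default
    lockout_attempts: int = 10     # default threshold once lockout is enabled
    lockout_minutes: int = 15      # "Lockout duration", default once enabled
    permanent: bool = False        # "Permanent account lockout"


@dataclass
class Account:
    session_failures: int = 0      # assumption: reset when a session is terminated
    total_failures: int = 0        # assumption: persists across sessions
    locked_until: Optional[datetime] = None
    permanently_locked: bool = False

    def is_locked(self, now: datetime) -> bool:
        if self.permanently_locked:
            return True
        return self.locked_until is not None and now < self.locked_until


def record_attempt(policy: Policy, acct: Account, now: datetime, ok: bool) -> Outcome:
    """Apply one login attempt to the account and report what the policy did."""
    if acct.is_locked(now):
        return Outcome.REFUSED       # locked attempts are not counted as failures
    if ok:
        acct.session_failures = acct.total_failures = 0   # assumption: success resets
        acct.locked_until = None
        return Outcome.SUCCESS
    acct.session_failures += 1
    acct.total_failures += 1
    if policy.lockout_enabled and acct.total_failures >= policy.lockout_attempts:
        acct.session_failures = acct.total_failures = 0   # assumption: restart after lock
        if policy.permanent:
            acct.permanently_locked = True
            return Outcome.PERMANENTLY_LOCKED
        acct.locked_until = now + timedelta(minutes=policy.lockout_minutes)
        return Outcome.LOCKED
    if acct.session_failures >= policy.session_attempts:
        acct.session_failures = 0    # the next session starts from zero
        return Outcome.SESSION_TERMINATED
    return Outcome.RETRY


def admin_unlock(acct: Account) -> None:
    """Hypothetical stand-in for customer support clearing a lockout."""
    acct.permanently_locked = False
    acct.locked_until = None
    acct.session_failures = acct.total_failures = 0


def simulate(policy: Policy, events: List[Tuple[int, str]]) -> List[str]:
    """Replay (seconds_from_start, 'fail' | 'ok' | 'unlock') events on one account."""
    start = datetime(2024, 1, 1, 12, 0, 0)   # constructed clock origin
    acct, out = Account(), []
    for offset, action in events:
        now = start + timedelta(seconds=offset)
        if action == "unlock":
            admin_unlock(acct)
            out.append("unlocked")
        else:
            out.append(record_attempt(policy, acct, now, action == "ok").value)
    return out


if __name__ == "__main__":
    # Ten bad passwords one second apart, a retry during the lockout, then the
    # right password exactly when the 15-minute lockout expires.
    events = [(i, "fail") for i in range(10)] + [(300, "fail"), (909, "ok")]
    print(simulate(Policy(lockout_enabled=True), events))
```

With the default policy (lockout disabled) the same ten failures only terminate the session three times and the account is never locked, which is exactly the trade-off the page describes: the attacker is slowed down, but a legitimate user who mistypes three times is not shut out of the account.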