
Configure login-attempts security

You can protect user accounts in Asgardeo from brute-force attacks by locking the account after consecutive failed login attempts.

You can configure the number of consecutive failed login attempts that are allowed for users in an organization. When a user exceeds this number of attempts, the account is automatically locked and the user is informed via email. The account is unlocked automatically after the specified lock duration.

Enable login attempts security

This setting is disabled by default. To enable login attempts security,

  1. On the Asgardeo Console, go to Login Registration.

  2. Click on Login Attempts under the Login Security section.

  3. Switch to Enabled to enable this configuration.

    [Screenshot: Enable login attempts security]

  4. Configure the settings below if you want to change how login attempts security works by default.

    [Screenshot: View account security options]

    Number of consecutive failed login attempts
      Specifies the number of consecutive failed login attempts allowed before the account is locked.
      For example, if you enter 5, the user's account is locked when five login attempts fail consecutively.

    Account lock duration
      Specifies the duration of the initial account lock. The account is automatically unlocked after this time period.
      For example, if you enter 5 minutes, the user's account is locked for 5 minutes starting from the last login attempt. The user can log in again after 5 minutes.

    Account lock duration increment factor
      Specifies the factor by which the account lock duration increases after each subsequent lock following the initial one.

    Notify user when lock time is increased
      Sends an email notification to the user when the lock time increases due to continued failed login attempts.

  5. Click Update once you configure the required settings.

How it works

Let's look at how the login attempt configurations work with an example. Imagine a scenario where an admin has configured the settings below:

  • Number of consecutive failed login attempts: 5
  • Account lock duration: 5 min
  • Account lock duration increment factor: 2

Based on the above settings, the following happens when a user tries to log in with an incorrect password.

  1. The user enters an incorrect password for 5 consecutive attempts.
  2. The user account is locked for 5 minutes.
  3. After 5 minutes, the account is unlocked.
  4. If the user now enters the correct password, the user can log in successfully.
  5. If the user enters an incorrect password for another 5 consecutive attempts, the lock duration is 2 times the previous lock duration, i.e. the account is locked for 5 x (2 ^ 1) = 10 minutes.
  6. If, after the wait time (10 min), the user enters an incorrect password for another 5 consecutive attempts, the account is locked again for 5 x (2 ^ 2) = 20 minutes.

In general:

Time for account to unlock = Account lock duration x (Account lock duration increment factor ^ Account lock count, excluding the initial occurrence)
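The walkthrough above can be replayed as a small simulation. The following is an added example written for this page, not Asgardeo's own code: it models the three settings, applies the page's lock-duration formula, and reproduces steps 1 to 6 on a simulated clock that counts minutes. The names (LockoutPolicy, AccountState, simulate_attempt, run_page_scenario) are chosen here for illustration. Two behaviours are assumptions the page does not spell out and are marked as such in the comments: attempts made while the account is locked are rejected without counting as failures or extending the lock, and a successful login resets the consecutive-failure counter but not the lock count (which matches the page's example, where the lock after a successful login is still 10 minutes).

```python
"""Simulation of Asgardeo's login-attempts lockout with increasing lock duration.

Added example for this page, not Asgardeo's own code. Class and function
names are chosen here for illustration. The simulated clock counts minutes.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class LockoutPolicy:
    """The three settings described on this page."""
    max_failed_attempts: int = 5      # Number of consecutive failed login attempts
    lock_duration: int = 5            # Account lock duration (minutes)
    increment_factor: int = 2         # Account lock duration increment factor

    def duration_for_lock(self, lock_number: int) -> int:
        """Minutes the account stays locked on its lock_number-th lock (1 = initial).

        Page formula: lock duration x increment factor ^ (locks so far,
        excluding the initial one), so the exponent is lock_number - 1.
        """
        if lock_number < 1:
            raise ValueError("lock_number starts at 1")
        return self.lock_duration * self.increment_factor ** (lock_number - 1)


@dataclass
class AccountState:
    failed_attempts: int = 0             # consecutive failures since the last reset
    lock_count: int = 0                  # how many times the account has been locked
    locked_until: Optional[int] = None   # simulated-clock minute when the lock lifts
    events: list = field(default_factory=list)  # audit trail for the reader


def simulate_attempt(policy: LockoutPolicy, state: AccountState,
                     now: int, password_ok: bool) -> str:
    """Apply one login attempt at simulated minute `now`.

    Returns one of: "rejected_locked", "success", "failure", "locked".
    Assumption (not stated on the page): attempts made while locked are
    rejected outright and neither count as failures nor extend the lock.
    """
    # Lift an expired lock automatically; the user starts with a fresh counter.
    if state.locked_until is not None and now >= state.locked_until:
        state.locked_until = None
        state.failed_attempts = 0
        state.events.append((now, "auto-unlock"))

    if state.locked_until is not None:
        state.events.append((now, "rejected: account locked"))
        return "rejected_locked"

    if password_ok:
        # A successful login clears the consecutive-failure counter. Following the
        # page's walkthrough, the lock count is NOT reset by a success (the lock
        # after a successful login is still 10 minutes); this is an assumption.
        state.failed_attempts = 0
        state.events.append((now, "success"))
        return "success"

    state.failed_attempts += 1
    if state.failed_attempts < policy.max_failed_attempts:
        state.events.append((now, f"failure {state.failed_attempts}"))
        return "failure"

    # Threshold reached: lock, with the duration growing by the increment factor.
    state.lock_count += 1
    minutes = policy.duration_for_lock(state.lock_count)
    state.locked_until = now + minutes
    state.failed_attempts = 0
    state.events.append((now, f"locked for {minutes} min (lock #{state.lock_count})"))
    return "locked"


def run_page_scenario() -> list:
    """Replay the six steps under 'How it works'; return each lock's duration."""
    policy = LockoutPolicy(max_failed_attempts=5, lock_duration=5, increment_factor=2)
    state = AccountState()
    durations = []
    now = 0

    for round_no in range(3):
        # Five consecutive wrong passwords, one per minute.
        for _ in range(5):
            result = simulate_attempt(policy, state, now, password_ok=False)
            now += 1
        assert result == "locked"
        durations.append(state.locked_until - (now - 1))  # lock set at minute now-1
        # Wait out the lock, then (first round only) log in correctly once.
        now = state.locked_until
        if round_no == 0:
            assert simulate_attempt(policy, state, now, password_ok=True) == "success"
            now += 1
    return durations


if __name__ == "__main__":
    print(run_page_scenario())  # lock durations in minutes: [5, 10, 20]
```

The returned list [5, 10, 20] matches steps 2, 5 and 6 of the walkthrough; the `events` list on the account state records every unlock, rejection and lock so the timeline can be inspected.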