Use this guide to configure SecureAuth IdP to stop a user from making too many invalid Multi-Factor Authentication attempts against a realm within a specified period of time.
Multi-Factor Throttling provides protection against two common forms of attack:
"Brute force" - an attempt to log in using trial-and-error with a large number of OTPs
"Denial of service" - an attempt to disrupt service by quickly generating a large number of OTPs to overwhelm the system
This feature uses a dynamic, rolling time period to keep count of Multi-Factor Authentication attempts. Each time the end-user fails a Multi-Factor Authentication attempt on the realm login page, an attempt count value increments by 1. That attempt lives for the duration of the configured time period; once the time period for that attempt has elapsed, the attempt count decrements by 1.
The configured throttling action occurs whenever the attempt count reaches the number of attempts allowed.
The attempt count is reset to 0 upon a successful authentication.
Using default settings (5 attempts in 30 minutes, block further attempts until time is expired):
a. A user unsuccessfully attempts to authenticate with a multi-factor method at 1:00pm. The attempt count value increments to 1.
b. Twenty minutes later the user unsuccessfully authenticates 4 more times.
c. The attempt count value is now 5, causing the user to be throttled. No further attempts can be made until the attempt count value drops below 5.
d. At 1:30pm (thirty minutes after the first unsuccessful attempt), the first unsuccessful Multi-Factor attempt drops off. The attempt count value decrements to 4. The user can now attempt to log in one more time.
e. This time the user successfully authenticates using a Multi-Factor method. The user now moves on to the next step in the authentication process (or is redirected to the target resource, depending on the workflow) and the attempt count value resets to 0.
Multi-Factor Throttling is enabled on a per-realm basis, but all realms share the same attempt count value for a given user.
Password entry is not considered in the attempt count for purposes of Multi-Factor Throttling (i.e. if the user successfully completes the multi-factor step but then enters the password incorrectly, there is no penalty in terms of throttling).
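The following Python simulator is an added illustration of the counting rules described above; it is not SecureAuth code, and the class and function names (MfaThrottle, attempt, walk_through_default_example, shared_across_realms) are assumptions made for the example. It models the default settings (5 attempts in 30 minutes), the rolling window in which each failed attempt ages out individually, the block and lock actions, the reset on a successful multi-factor attempt, and the fact that the count is keyed by user rather than by realm. Times are minutes since midnight so the 1:00pm / 1:20pm / 1:30pm walk-through on this page can be reproduced directly.

```python
"""Rolling-window Multi-Factor Throttling simulator (added example, not SecureAuth code)."""
from collections import defaultdict, deque
from typing import Deque, Dict, List, Tuple

BLOCK = "block"   # refuse further attempts until an entry ages out
LOCK = "lock"     # lock the account once the allowed attempts are used up


class MfaThrottle:
    """Hypothetical model of the throttling rules; names are this example's own."""

    def __init__(self, max_attempts: int = 5, window_minutes: int = 30, action: str = BLOCK):
        self.max_attempts = max_attempts
        self.window = window_minutes
        self.action = action
        # Keyed by user only: failures from every realm land in the same deque,
        # mirroring "all realms share the same attempt count value".
        self._failures: Dict[str, Deque[int]] = defaultdict(deque)
        self.locked: set = set()

    def _expire(self, user: str, now: int) -> None:
        q = self._failures[user]
        while q and now - q[0] >= self.window:
            q.popleft()     # oldest failure has lived its full window: count decrements by 1

    def count(self, user: str, now: int) -> int:
        """Current attempt count after aging out expired entries."""
        self._expire(user, now)
        return len(self._failures[user])

    def attempt(self, user: str, now: int, otp_ok: bool, realm: str = "default") -> str:
        """One multi-factor attempt. Returns 'locked', 'throttled', 'failed' or 'success'.

        The realm is accepted only to show that it does not affect the count.
        A throttled user gets no OTP evaluated at all, which is what blunts both
        OTP brute force and OTP-generation denial of service.
        """
        if user in self.locked:
            return "locked"
        if self.count(user, now) >= self.max_attempts:
            return "throttled"          # block action: wait for an entry to age out
        if otp_ok:
            self._failures[user].clear()  # success resets the count to 0
            return "success"
        self._failures[user].append(now)
        # Assumption for the lock action: the account locks as soon as the
        # allowed number of failures within the window has been used up.
        if self.action == LOCK and len(self._failures[user]) >= self.max_attempts:
            self.locked.add(user)
            return "locked"
        return "failed"


def walk_through_default_example() -> List[Tuple[int, str]]:
    """Replays the 1:00pm .. 1:30pm scenario from the guide with default settings."""
    t = MfaThrottle()
    log = []
    log.append((780, t.attempt("alice", 780, False)))        # 1:00pm, count -> 1
    for _ in range(4):
        log.append((800, t.attempt("alice", 800, False)))    # 1:20pm, count -> 5
    log.append((805, t.attempt("alice", 805, True)))         # 1:25pm, throttled even with a valid OTP
    log.append((810, t.attempt("alice", 810, True)))         # 1:30pm, first entry aged out, count 4, success
    return log


def shared_across_realms() -> int:
    """Failures in two realms by the same user accumulate in one count."""
    t = MfaThrottle()
    for realm in ("vpn", "vpn", "portal"):
        t.attempt("bob", 900, False, realm=realm)
    return t.count("bob", 900)


if __name__ == "__main__":
    for when, result in walk_through_default_example():
        print(f"{when // 60}:{when % 60:02d}  {result}")
    print("shared count across realms:", shared_across_realms())
```

The deque of timestamps is the whole state: a blocked user is simply one whose deque is full, and the decrement in step d above is the `popleft` that runs when the oldest entry is thirty minutes old. Swapping `BLOCK` for `LOCK` changes only what happens on the fifth failure.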
Logs: define which logs are enabled or disabled for this realm.
SecureAuth IdP Web Admin Configuration Steps
1. If the Multi-Factor Throttling attempt count will be stored in a directory attribute, then in the Profile Fields section, map the designated Field to the Property that will store the date and time of each invalid Multi-Factor Authentication attempt, and make this property Writable – e.g. map homePostalAddress to Aux ID 8
NOTE: Skip step 1 if the user's Multi-Factor Throttling attempt count will only be stored as a cookie for the length of the user's browser session
NOTE: The directory attribute must be in the Plain Text data format and has an upper range of 4096
Properties available for the attempt count: Aux ID 1, Aux ID 2, Aux ID 3, Aux ID 4, Aux ID 5, Aux ID 6, Aux ID 7, Aux ID 8, Aux ID 9, Aux ID 10
Click Save once the configuration is complete and before leaving the Data tab to avoid losing changes
2. In the Multi-Factor Configuration section, check Enable multi-factor throttling in the Multi-Factor Throttling frame under Multi-Factor Settings
3. In the Only allow __ failed attempts in __ (Minutes/Hours/Days) for each user fields, set the number of failed authentication attempts that will be allowed within a rolling time period before throttling takes effect
4. Select one of the radio buttons to specify the action that will occur when the end-user exceeds the allowed number of authentication attempts:
Block use of multi-factor until time limit has expired: do not allow the end-user to perform another authentication attempt until the attempt count has decremented by at least 1
Lock user account after exceeding attempts: upon exceeding the max number of attempts configured above, the user account is locked; refer to Unlock Account Configuration Guide for further information on locked accounts
5. From the Store attempt count in dropdown, select the directory attribute configured in step 1, or choose Browser Session if the user's attempt count will only be stored as a cookie for the length of the browser session