Multi-factor throttling authentication API guide
Use this guide to set up SecureAuth® Identity Platform Authentication API to stop a user from trying to log in too many times with wrong information in a given time.
Multi-factor authentication (MFA) throttling provides protection against two common forms of attack:
Brute force. An attempt to log in using trial-and-error with a large number of one-time passcodes (OTPs).
Denial of service. An attempt to disrupt service by quickly generating a large number of one-time passcodes (OTPs) to overwhelm the system.
This feature uses a dynamic, rolling time period to keep count of MFA attempts. When an end user opens the application login page, an attempt count value increments by 1. That attempt lives for the duration of the configured time period; once the time period for that attempt has elapsed, the attempt count decrements by 1.
The configured throttling action occurs when the attempt count exceeds the number of allowed attempts
The attempt count is reset to 0 upon a successful authentication
Note
Throttling in multi-factor authentication is enabled on a per application realm basis, but all realms share the same attempt count value.
Password entry is not considered in the attempt count for throttling in multi-factor authentication. For example, if the user successfully enters a multi-factor method, but enters the wrong password, then there is no throttling penalty.
Prerequisites
SecureAuth IdP 9.2 or later
Complete the steps in the Authentication API guide
Set up multi-factor throttling in the SecureAuth IdP. See the Multi-factor throttling configuration document.
Endpoints
Multi-Factor Throttling uses two endpoints: one for multi-factor authentication throttling and another for one-time passcode (OTP) validation throttling.
For multi-factor authentication throttling, use the /users/{username}/throttle
endpoint to:
GET the current count of MFA method attempts by the user
PUT (reset) the count of MFA method attempts to zero (0) upon successful authentication by the user. It stores the attempt count in a data store profile mapping for Multi-Factor Throttle in the Advanced Settings.
For one-time passcode (OTP) validation throttling use the /users/{username}/otpvalidatethrottle
endpoint to:
GET the current count of OTP usage attempts by the user
PUT (reset) the count of OTP usage attempts to zero (0) upon successful authentication by the user. It stores the attempt count in a data store profile mapping for Multi-Factor Throttle in the Advanced Settings.
The configuration thresholds for throttling in MFA attempts for this API is in the Advanced Settings on the Multi-Factor Methods tab. When authentication attempts exceeds the threshold, it disregards the authentication attempt and displays an error message to the end user.
GET /throttle
HTTP method | URI | Example |
---|---|---|
GET |
| https://secureauth.company.com/secureauth2/api/v1/users/jsmith/throttle |
GET /otpvalidatethrottle
HTTP method | URI | Example |
---|---|---|
GET |
| https://secureauth.company.com/secureauth2/api/v1/users/jsmith/otpvalidatethrottle |
PUT /throttle
HTTP method | URI | Example |
---|---|---|
PUT |
| https://secureauth.company.com/secureauth2/api/v1/users/jsmith/throttle |
PUT /otpvalidatethrottle
HTTP method | URI | Example |
---|---|---|
PUT |
| https://secureauth.company.com/secureauth2/api/v1/users/jsmith/otpvalidatethrottle |