
Password Throttling configuration guide

Use this guide to configure Password Throttling on SecureAuth® Identity Platform to prevent bad actors from accessing a realm via repeated attempts to guess an end user's password.

The Password Throttling feature can be configured to either block the end user from making further password login attempts, or lock the targeted account once reaching the maximum number of invalid attempts within the set timespan.

This feature uses a dynamic, rolling time period to manage the count of password login attempts. Each time the end user starts the realm login page, the attempt count increases by 1. Each attempt remains active for the duration of the set time period:

  • The configured throttling action occurs when the attempt count exceeds the number of incorrect password attempts allowed within the allotted time period.

  • Once the time period for that attempt has elapsed, the attempt count decreases by 1.

  • Upon a successful authentication, the attempt count is reset to 0.

Note

Password Throttling is enabled on a per realm basis. However, all realms share the same attempt count value.
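To make the rolling window concrete, here is an added Python simulation of the counting rules above. It is example code written for this guide, not the Identity Platform's implementation, and the class and function names are its own. It assumes that throttling takes effect once the active count reaches the configured maximum (as the end user experience section describes), that a blocked attempt performs no directory bind and is not counted, and it records each invalid attempt in the comma-separated MM/DD/YYYY HH:MM:SS AM/PM form described under Unlock an end user account.

```python
from datetime import datetime, timedelta

# Added illustration of the rolling attempt window; not Identity Platform code.
# Timestamp format of the stored history, as described in the Unlock section.
HISTORY_FORMAT = "%m/%d/%Y %I:%M:%S %p"


class PasswordThrottle:
    """Rolling-window counter of invalid password attempts for one account.

    action="block": reject further attempts until the oldest active attempt expires.
    action="lock":  mark the account locked until an administrator calls unlock().
    """

    def __init__(self, max_attempts, window, action="block", secret="correct horse"):
        if action not in ("block", "lock"):
            raise ValueError("action must be 'block' or 'lock'")
        self.max_attempts = max_attempts
        self.window = window        # timedelta: how long each invalid attempt stays active
        self.action = action
        self._secret = secret       # stand-in for the directory bind (constructed, not real)
        self.failures = []          # timestamps of active invalid attempts
        self.locked = False

    def active_count(self, now):
        # Drop attempts whose time period has elapsed: the count decreases by 1 for each.
        self.failures = [t for t in self.failures if now - t < self.window]
        return len(self.failures)

    def attempt(self, password, now):
        """Process one login attempt at time `now` and return the outcome."""
        if self.locked:
            return "account_locked"
        if self.action == "block" and self.active_count(now) >= self.max_attempts:
            # No bind is performed, so the directory's own bad-password counter does not grow.
            return "blocked"
        if password == self._secret:
            self.failures = []      # successful authentication resets the count to 0
            return "ok"
        self.failures.append(now)
        if self.active_count(now) >= self.max_attempts:
            if self.action == "lock":
                self.locked = True
                return "locked"
            return "exceeded"       # "Exceeded maximum attempts entering password"
        return "invalid"            # "Password does not match"

    def history(self):
        """The comma-separated history an administrator sees in the mapped field."""
        return ",".join(t.strftime(HISTORY_FORMAT) for t in self.failures)

    def unlock(self):
        """Administrator action: clear the history and unlock the account."""
        self.failures = []
        self.locked = False


def simulate(action):
    """Three bad passwords in three minutes with a 20-minute window and a limit of 3."""
    t0 = datetime(2024, 1, 1, 9, 0, 0)  # constructed start time
    th = PasswordThrottle(max_attempts=3, window=timedelta(minutes=20), action=action)
    results = [th.attempt("wrong", t0 + timedelta(minutes=m)) for m in (0, 1, 2)]
    # Correct password at +5 min: still throttled, because all three attempts are active.
    results.append(th.attempt("correct horse", t0 + timedelta(minutes=5)))
    # Correct password at +21 min: the first two attempts have expired (block mode recovers).
    results.append(th.attempt("correct horse", t0 + timedelta(minutes=21)))
    return results


def stored_history_example():
    """What the mapped field holds after three invalid attempts."""
    t0 = datetime(2024, 1, 1, 9, 0, 0)  # constructed start time
    th = PasswordThrottle(max_attempts=5, window=timedelta(hours=1))
    for m in (0, 1, 2):
        th.attempt("wrong", t0 + timedelta(minutes=m))
    return th.history()


if __name__ == "__main__":
    print("block:", simulate("block"))
    print("lock: ", simulate("lock"))
    print("stored:", stored_history_example())
```

Running the block shows the difference between the two actions: in block mode the user recovers on their own once the oldest attempt leaves the window, while in lock mode every later attempt returns the locked state until unlock() is called. The shared-count behaviour across realms noted above is not modelled; the simulation tracks one account in one realm.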

Prerequisites

  • Identity Platform release 19.07 or later

  • Have a configured application in the Identity Platform

  • Have a defined user login authentication policy in the Identity Platform

  • Have an integrated data store in the Identity Platform

Identity Platform configuration

  1. In the Identity Platform, go to the Data Store Summary of the data store connected to the application where you will enable password throttling.

  2. In Advanced Settings, select Bind for Validate User Type.

  3. Click Save.

  4. Go to the Data Store Properties for the data store.

  5. Map the directory Field Attribute that will store the date and time of each invalid password login attempt to an available Property that meets the attribute's requirements.

    The Field Attribute must meet the following requirements:

    • Directory String

    • Single Value

    • Upper range of 4096

    Properties that match the field attribute requirements are:

    • Aux ID 1 - Aux ID 10

    • Email 1 - Email 4

    • Phone 1 - Phone 4

    For example, map homePostalAddress to Aux ID 2.


    Note

    The Field Attribute and Property you select are tied to the Unlock button, which can be used on any realm to unlock accounts.

    To avoid losing valuable user data, select a Property that is not being used by any other realm, and will only be used for the password unlock function.

  6. Select the Writable checkbox.

  7. Click the blue check mark to save.

  8. Navigate to Advanced Settings (formerly Classic Experience) and open the Workflow tab for the realm where you will enable password throttling.

  9. In the Workflow section, set the following for Password Throttling:

    Enable password throttling

    Select the checkbox to enable password throttling.

    Only allow [X] failed attempts

    Set to the maximum number of failed login attempts a user can have in the allotted timeframe before throttling takes effect.

    in [X timeframe] for each user

    Set the timeframe for counting failed attempts and select minutes, hours, or days.

    This configuration specifies the rolling time period before throttling takes effect.

    Notice

    To prevent an Active Directory lockout during a password throttling session, SecureAuth recommends:

    • The failed attempts value should be less than the Account lockout threshold setting configured for the AD Default Domain Policy

    • The time value should be greater than the Reset account lockout counter after setting configured for the AD Default Domain Policy

    For example:

    Default Domain Policy: Account lockout threshold is set to 10 invalid logon attempts
    Password Throttling: Only allow 'X' failed attempts should be set to 9

    Default Domain Policy: Reset account lockout counter after is set to 20 minutes
    Password Throttling: in 'X' [timeframe] for each user should be set to 21 minutes

    Block password attempts until time limit has expired

    or

    Lock user account after exceeding attempts

    Select one of the following options to run when the end user exceeds the maximum number of failed login attempts:

    • Block password attempts until time limit has expired – the end user is prevented from making another login attempt until the attempt count has decreased by at least 1.

    • Lock user account after exceeding attempts – the end user's account is locked until an administrator unlocks it.

    Store attempt count in

    Select the Property designated in Step 5 to store the attempt count in.

  10. Click Save.

    Warning

    Click Save once the configuration is complete and before leaving the Workflow tab to avoid losing changes.

End user experience

  1. When the end user enters an invalid password, the Password does not match message appears.

  2. After entering an invalid password for the configured maximum number of failed attempts within a given timeframe, the Exceeded maximum attempts entering password message appears.

    If the Block password attempts until time limit has expired feature is enabled, the end user can enter a password again when the time limit has expired.

  3. If the Lock user account after exceeding attempts feature is enabled, once the maximum number of failed attempts within the time limit is reached and a new session is started, the end user is presented with the Account is Locked screen. Only an administrator can unlock the user's account.


Unlock an end user account

  1. Log into the designated realm and retrieve the end user's locked account.

  2. Confirm the account status shows Status: Account Locked (Image Item A).

  3. Review the history of invalid password entries in the Aux1 field (Image Item B).

    This information includes the date and time of each failed attempt (using the MM/DD/YYYY HH:MM:SS AM/PM format), separated by a comma.

  4. Click Unlock (Image Item C). This action clears the history of invalid password entries on the Aux1 field and unlocks the account on the directory.

    Warning

    If another realm is used to unlock user accounts (for example, an unlock account realm), clicking Unlock for a user on that realm also clears the content of the Aux1 field shown on this screen, regardless of the field to which the property is mapped, and unlocks the user account on all other realms.

  5. Click Update (Image Item D).
