Multi-factor throttling configuration
Use this guide to configure the SecureAuth® Identity Platform so that a user cannot make more than a set number of failed multi-factor authentication attempts within a given time period.
Multi-factor authentication (MFA) throttling provides protection against two common forms of attack:
Brute force. An attempt to log in using trial-and-error with a large number of one-time passcodes (OTPs).
Denial of service. An attempt to disrupt service by quickly generating a large number of one-time passcodes (OTPs) to overwhelm the system.
This feature uses a dynamic, rolling time period to keep count of MFA attempts. When an end user opens the application login page, an attempt count value increments by 1. That attempt lives for the duration of the configured time period; once the time period for that attempt has elapsed, the attempt count decrements by 1.
The configured throttling action occurs when the attempt count exceeds the number of allowed attempts.
The attempt count is reset to 0 upon a successful authentication.
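The rolling attempt window described above, as an added Python model that is not SecureAuth's own code: each attempt is counted for the configured period and then drops out, the configured action fires when an attempt would exceed the allowed number, and a successful authentication resets the count. Where the text does not say, it assumes that a throttled attempt is refused without being counted.

```python
from collections import deque
from dataclasses import dataclass, field


@dataclass
class MfaThrottle:
    """Rolling-window MFA attempt counter (illustrative; not SecureAuth code)."""
    allowed_attempts: int      # the "#number" part of the throttling setting
    window_seconds: float      # the "#time" part of the setting, in seconds
    action: str = "block"      # "block" or "lock", the two configurable actions
    locked: bool = False
    _attempts: deque = field(default_factory=deque)  # timestamps, oldest first

    def _expire(self, now: float) -> None:
        # Each attempt lives for window_seconds; when that elapses the
        # count decrements by one (the rolling time period in the text).
        while self._attempts and now - self._attempts[0] >= self.window_seconds:
            self._attempts.popleft()

    def attempt_count(self, now: float) -> int:
        self._expire(now)
        return len(self._attempts)

    def record_attempt(self, now: float) -> str:
        """Register one MFA attempt at time now; return its outcome."""
        if self.locked:
            return "locked"
        self._expire(now)
        if len(self._attempts) + 1 > self.allowed_attempts:
            # Assumption: a throttled attempt is refused and not counted, so in
            # block mode the user can retry once one counted attempt has aged
            # out (the count has "decremented by at least one").
            if self.action == "lock":
                self.locked = True   # stays locked until an Unlock Account flow
                return "locked"
            return "blocked"
        self._attempts.append(now)
        return "allowed"

    def reset(self) -> None:
        """A successful authentication resets the count to 0."""
        self._attempts.clear()


def simulate(action: str, times) -> list:
    """Outcomes for a constructed series of attempt timestamps (seconds)."""
    t = MfaThrottle(allowed_attempts=3, window_seconds=60, action=action)
    return [t.record_attempt(now) for now in times]
```

With three attempts allowed per 60 seconds, simulate("block", [0, 10, 20, 30, 40, 60, 61]) allows the first three, blocks the attempts at 30 and 40, allows the one at 60 because the attempt at 0 has aged out, and blocks the one at 61; in lock mode the fourth attempt locks the account and every later attempt reports locked.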
Note
Throttling in multi-factor authentication is enabled on a per-application-realm basis, but all realms share the same attempt count value.
Password entry is not considered in the attempt count for throttling in multi-factor authentication. For example, if the user successfully enters a multi-factor method, but enters the wrong password, then there is no throttling penalty.
APIs. The configuration settings for multi-factor throttling are in the Advanced Settings (formerly Classic Experience). There are APIs available for retrieving and resetting the attempt count value. For more information, see Multi-factor throttling authentication API guide.
Prerequisites
Identity Platform 23.07 or later, cloud or hybrid deployment
Data store added to the Identity Platform
Configured user authentication policy
Configured application integration
Data store mapping
To store the number of MFA attempts in a dedicated mapping specific to MFA throttling, follow these steps.
Note
This section applies only to data stores in hybrid deployments of the Identity Platform. You do not need to set up a data store mapping in cloud deployments.
In the Identity Platform, go to the data store settings.
Depending on where you initially added the data store, it might be in the New Experience or Advanced Settings.
In the profile properties, map the data store Field attribute to the Multi Factor Throttle profile property and select the Writable check box.
For example, map the homePostalAddress field attribute to the Multi Factor Throttle profile property.
Note
The directory attribute must be in the Plain Text data format.
Save your changes.
Configure Multi-Factor Methods tab
This configuration applies to your cloud or hybrid deployment of the Identity Platform.
For an application in the Identity Platform, go to the Advanced Settings and select the Multi-Factor Methods tab.
Scroll down to the bottom of the Multi-Factor Configuration section to Multi-Factor Throttling.
Set the following configurations:
Enable multi-factor throttling
Select this check box.
Only allow #number failed attempts in #time
Set the number of allowed authentication attempts within a moving timeframe before throttling takes effect for each user.
Action
Select what action to take when the user exceeds the allowed number of authentication attempts:
Block use of multi-factor until time limit has expired. The end user cannot make another authentication attempt until the attempt count has decremented by at least one (1).
Lock user account after exceeding attempts. Lock the user account when they exceed the configured number of authentication attempts.
For more information about locked accounts, see Unlock Account page configuration - Help desk and Unlock Account page configuration - End users.
Save your changes.
Throttling in the end user experience
When throttling in multi-factor authentication occurs, a message like one of the following examples is displayed to the end user.
You can customize the message by going to the Overview tab > Content and Localization and editing the registrationmethod_throttlelimit field.
Block use of multi-factor until time limit has expired
By default, this message displays: "You have exceeded the maximum number of attempts. Multi-Factor authentication is temporarily disabled for your account."
Lock user account after exceeding attempts
By default, this message displays: "Exceeded maximum attempts. Your account has been locked."