
Multi-factor throttling configuration

Use this guide to configure the SecureAuth® Identity Platform so that a user who makes too many failed multi-factor login attempts within a given time period is throttled.

Multi-factor authentication (MFA) throttling provides protection against two common forms of attack:

  • Brute force. An attempt to log in using trial-and-error with a large number of one-time passcodes (OTPs).

  • Denial of service. An attempt to disrupt service by quickly generating a large number of one-time passcodes (OTPs) to overwhelm the system.

This feature uses a dynamic, rolling time period to keep count of MFA attempts. When an end user opens the application login page, an attempt count value increments by 1. That attempt lives for the duration of the configured time period; once the time period for that attempt has elapsed, the attempt count decrements by 1.

  • The configured throttling action occurs when the attempt count exceeds the number of allowed attempts

  • The attempt count is reset to 0 upon a successful authentication

Note

  • Throttling in multi-factor authentication is enabled on a per application realm basis, but all realms share the same attempt count value.

  • Password entry is not considered in the attempt count for throttling in multi-factor authentication. For example, if the user successfully enters a multi-factor method, but enters the wrong password, then there is no throttling penalty.

  • APIs. The configuration settings for multi-factor throttling are in the Advanced Settings (formerly Classic Experience). There are APIs available for retrieving and resetting the attempt count value. For more information, see Multi-factor throttling authentication API guide.

Prerequisites

  • Identity Platform 23.07 or later, cloud or hybrid deployment

  • Data store added to the Identity Platform

  • Configured user authentication policy

  • Configured application integration

Data store mapping

To store the number of MFA attempts in a dedicated mapping specific to MFA throttling, follow these steps.

Note

This section applies only to data stores in hybrid deployments of the Identity Platform. You do not need to set up a data store mapping in cloud deployments.

  1. In the Identity Platform, go to the data store settings.

    Depending on where you initially added the data store, it might be in the New Experience or Advanced Settings.

  2. In the profile properties, map the data store Field attribute to the Multi Factor Throttle profile property and select the Writable check box.

    For example, map the homePostalAddress field attribute to the Multi Factor Throttle profile property.

    Note

    The directory attribute must use the Plain Text data format.

    [Figure: Data store in the New Experience]

    [Figure: Data store in Advanced Settings (Data tab)]

  3. Save your changes.

Configure Multi-Factor Methods tab

This configuration applies to your cloud or hybrid deployment of the Identity Platform.

  1. For an application in the Identity Platform, go to the Advanced Settings and select the Multi-Factor Methods tab.

  2. Scroll down to the bottom of the Multi-Factor Configuration section to Multi-Factor Throttling.

  3. Set the following configurations:

    Enable multi-factor throttling

    Select this check box.

    Only allow #number failed attempts in #time

    Set the number of allowed authentication attempts within a moving timeframe before throttling takes effect for each user.

    Action

    Select what action to take when the user exceeds the allowed number of authentication attempts:

    • Block use of multi-factor until time limit has expired. The end user cannot make another authentication attempt until the attempt count has decremented by at least one (1).

    • Lock user account after exceeding attempts. Lock the user account when they exceed the configured number of authentication attempts.

      For more information about locked accounts, see Unlock Account page configuration - Help desk and Unlock Account page configuration - End users.

  4. Save your changes.
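The rolling-window counter described at the top of this page and the two throttling actions configured above, modelled in Python as an added example (this is not SecureAuth code and does not call the Identity Platform API). The count is keyed by user only, so every realm shares it; a wrong password is not counted; a successful MFA authentication resets the count to 0; each attempt ages out after the configured time period. The class and method names, the example user, and the timeline values are constructed. Two points the page does not state are assumptions, marked in comments: a throttled attempt is not itself added to the count, and an unlock also clears the count.

```python
from collections import deque
from dataclasses import dataclass, field
from enum import Enum


class Action(Enum):
    BLOCK = "block"  # "Block use of multi-factor until time limit has expired"
    LOCK = "lock"    # "Lock user account after exceeding attempts"


class Outcome(Enum):
    ALLOWED = "allowed"      # the MFA attempt may proceed
    THROTTLED = "throttled"  # MFA temporarily disabled for this user
    LOCKED = "locked"        # account locked until an unlock


@dataclass
class MfaThrottle:
    max_attempts: int      # "Only allow #number failed attempts ..."
    window_seconds: float  # "... in #time"
    action: Action
    # One list of attempt timestamps per user, keyed by user only, so all realms share it.
    _attempts: dict = field(default_factory=dict)
    _locked: set = field(default_factory=set)

    def _live_attempts(self, user: str, now: float) -> deque:
        """Drop attempts whose time period has elapsed; each one decrements the count by 1."""
        q = self._attempts.setdefault(user, deque())
        while q and now - q[0] >= self.window_seconds:
            q.popleft()
        return q

    def attempt_count(self, user: str, now: float) -> int:
        """Current rolling count (the value the page's 'retrieve attempt count' API exposes)."""
        return len(self._live_attempts(user, now))

    def begin_mfa_attempt(self, user: str, now: float) -> Outcome:
        """Called when the user opens the MFA login page; one call is one attempt."""
        if user in self._locked:
            return Outcome.LOCKED
        q = self._live_attempts(user, now)
        if len(q) >= self.max_attempts:
            # This attempt would push the count past the allowed number.
            # Assumption: a throttled attempt is not counted, so a BLOCK lifts
            # as soon as the oldest live attempt ages out of the window.
            if self.action is Action.LOCK:
                self._locked.add(user)
                return Outcome.LOCKED
            return Outcome.THROTTLED
        q.append(now)
        return Outcome.ALLOWED

    def mfa_success(self, user: str) -> None:
        """A successful authentication resets the attempt count to 0."""
        self._attempts.pop(user, None)

    def password_failure(self, user: str) -> None:
        """A wrong password is not considered in the attempt count (no-op by design)."""

    def unlock(self, user: str) -> None:
        """Help-desk or self-service unlock. Assumption: the count is cleared as well."""
        self._locked.discard(user)
        self._attempts.pop(user, None)


def scenario_block() -> list:
    """Constructed timeline (seconds): 3 attempts allowed per 60 s, BLOCK action."""
    t = MfaThrottle(max_attempts=3, window_seconds=60, action=Action.BLOCK)
    u = "user@example.com"
    out = [t.begin_mfa_attempt(u, now) for now in (0, 10, 20)]  # counts 1, 2, 3
    t.password_failure(u)                    # not counted
    out.append(t.begin_mfa_attempt(u, 30))   # 4th inside the window: THROTTLED
    out.append(t.begin_mfa_attempt(u, 61))   # attempt from t=0 aged out: ALLOWED
    t.mfa_success(u)                         # count back to 0
    out.append(t.begin_mfa_attempt(u, 62))   # ALLOWED
    return out


def scenario_lock() -> list:
    """Same timeline with the LOCK action: the lock outlives the time window."""
    t = MfaThrottle(max_attempts=3, window_seconds=60, action=Action.LOCK)
    u = "user@example.com"
    out = [t.begin_mfa_attempt(u, now) for now in (0, 10, 20)]
    out.append(t.begin_mfa_attempt(u, 30))    # exceeds allowed attempts: LOCKED
    out.append(t.begin_mfa_attempt(u, 5000))  # window long gone, still LOCKED
    t.unlock(u)
    out.append(t.begin_mfa_attempt(u, 5001))  # ALLOWED after unlock
    return out


if __name__ == "__main__":
    print("BLOCK:", [o.value for o in scenario_block()])
    print("LOCK: ", [o.value for o in scenario_lock()])
```

The difference between the two actions is visible in the last three results of each scenario: with BLOCK the user regains MFA as soon as one attempt ages out of the window, while with LOCK the account stays locked regardless of elapsed time until it is unlocked, which is why the lock option needs the Unlock Account pages referenced above.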

Throttling in the end user experience

When throttling in multi-factor authentication occurs, a message like one of the following examples is displayed to the end user.

You can customize the message by going to the Overview tab > Content and Localization and editing the registrationmethod_throttlelimit field.

Block use of multi-factor until time limit has expired

By default, this message displays: "You have exceeded the maximum number of attempts. Multi-Factor authentication is temporarily disabled for your account."


Lock user account after exceeding attempts

By default, this message displays: "Exceeded maximum attempts. Your account has been locked."
