Skip to main content

Brute Force Protection

Brute force attack is a technique of gaining unauthorized access by exhausting all possible user/password combinations, typically with the use of an automated tool. In theory, this technique guarantees success if the attacker has a lot of computing power, however, the attacker must make a lot of requests provided that the password requirements are complex enough. SecureAuth protects its endpoints related to Multi-Factor Authentication, Client Authentication, Device Authorization, and Identity Pools from such attacks by enforcing limits on subsequent unsuccessful requests to Identity endpoints. This document shows how to configure those limits.

Configure Brute Force Protection

  1. Go to Tenant Settings > Brute Force Protection. You can see a list of Identity Management-related actions.

    Tenant settings
  2. Set the limits for consecutive unsuccessful requests for particular actions under Max Attempts. After exceeding the limit, the requester is blocked for the time set in Block Duration.

    Disabling Brute Force Protection

    It is possible to disable Brute Force Protection either by toggling the option in the UI or by sending a request with max_attempts set to 0. Please do so at your own risk.