Introduction

Use this guide to configure SecureAuth IdP to prevent a user from attempting to log in to a realm with invalid credentials too often over a specified period of time.

Multi-Factor Throttling provides protection against two common forms of attack:

  1. "Brute force" - an attempt to log in using trial-and-error with a large number of OTPs
  2. "Denial of service" - an attempt to disrupt service by quickly generating a large number of OTPs to overwhelm the system

This feature uses a dynamic, rolling time period to keep count of Multi-Factor Authentication attempts. When the end-user opens the realm login page, an attempt count value increments by 1. That attempt lives for the duration of the configured time period; once the time period for that attempt has elapsed, the attempt count decrements by 1.

  • The configured throttling action will occur whenever the attempt count exceeds the number of attempts allowed
  • The attempt count is reset to 0 upon a successful authentication

Multi-Factor Throttling User Workflow Example

Using default settings (5 attempts in 30 minutes, block further attempts until time is expired):

a. A user unsuccessfully attempts to authenticate with a multi-factor method at 1:00pm. The attempt count value increments to 1.

b. Twenty minutes later the user unsuccessfully authenticates 4 more times.

c. The attempt count value is now 5, causing the user to be throttled. No further attempts can be made until the attempt count value drops below 5.

d. At 1:30pm (thirty minutes after the first unsuccessful attempt), the first unsuccessful Multi-Factor attempt drops off. The attempt count value decrements to 4. The user can now attempt to log in one more time.

e. This time the user successfully authenticates using a Multi-Factor method. The user now moves on to the next step in the authentication process (or is redirected to the target resource, depending on the workflow) and the attempt count value resets to 0.
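The rolling-window behaviour described above, replayed in code as an added example. This is constructed illustration, not SecureAuth IdP code: it assumes each failed Multi-Factor attempt is kept as a timestamp that lives for one window, that an attempt made exactly one window ago has elapsed, and that the "block" and "lock" actions behave as the guide describes (a lock is not cleared by the passage of time). The class and function names, and the 2024-01-01 date standing in for "1:00pm", are all assumptions made for the example.

```python
from datetime import datetime, timedelta


class MultiFactorThrottle:
    """Rolling-window counter for failed multi-factor attempts.

    Constructed example modelled on the behaviour this guide describes; it is
    not SecureAuth IdP code. Each failed attempt is kept as a timestamp and
    lives for one window; once it is older than the window it drops off,
    which is what decrements the attempt count. A successful authentication
    resets the count to 0.
    """

    def __init__(self, max_attempts=5, window=timedelta(minutes=30), action="block"):
        if action not in ("block", "lock"):
            raise ValueError("action must be 'block' or 'lock'")
        self.max_attempts = max_attempts
        self.window = window
        self.action = action
        self.failures = []   # timestamps of failed attempts still inside the window
        self.locked = False  # only used when action == "lock"

    def _expire(self, now):
        # An attempt made exactly one window ago has elapsed and is removed.
        cutoff = now - self.window
        self.failures = [t for t in self.failures if t > cutoff]

    def attempt_count(self, now):
        self._expire(now)
        return len(self.failures)

    def is_throttled(self, now):
        return self.locked or self.attempt_count(now) >= self.max_attempts

    def record_attempt(self, now, success):
        """Apply one MFA attempt at time `now` and return its outcome."""
        if self.locked:
            return "locked"
        if self.attempt_count(now) >= self.max_attempts:
            return "blocked"        # refused until an old failure ages out of the window
        if success:
            self.failures.clear()   # successful authentication resets the count to 0
            return "success"
        self.failures.append(now)
        if self.action == "lock" and len(self.failures) >= self.max_attempts:
            self.locked = True      # account stays locked until an unlock workflow runs
            return "locked"
        return "failure"


def run_guide_walkthrough():
    """Replays steps a-e of the workflow example (5 attempts in 30 minutes, block)."""
    throttle = MultiFactorThrottle()
    base = datetime(2024, 1, 1, 13, 0)  # constructed stand-in for "1:00pm"
    log = []
    # a. one failure at 1:00pm
    log.append(("a", throttle.record_attempt(base, success=False), throttle.attempt_count(base)))
    # b. four more failures twenty minutes later
    t20 = base + timedelta(minutes=20)
    for _ in range(4):
        status = throttle.record_attempt(t20, success=False)
    log.append(("b", status, throttle.attempt_count(t20)))
    # c. count is 5, so a further attempt at 1:25pm is refused
    t25 = base + timedelta(minutes=25)
    log.append(("c", throttle.record_attempt(t25, success=False), throttle.attempt_count(t25)))
    # d. at 1:30pm the 1:00pm failure drops off and the count falls to 4
    t30 = base + timedelta(minutes=30)
    log.append(("d", throttle.is_throttled(t30), throttle.attempt_count(t30)))
    # e. a successful authentication resets the count to 0
    log.append(("e", throttle.record_attempt(t30, success=True), throttle.attempt_count(t30)))
    return log


def run_lock_example():
    """Same limits with the 'lock' action: the fifth failure locks the account."""
    throttle = MultiFactorThrottle(action="lock")
    base = datetime(2024, 1, 1, 13, 0)
    outcomes = [throttle.record_attempt(base + timedelta(minutes=i), success=False)
                for i in range(5)]
    # Two hours later every failure has left the window, but the lock remains.
    later = base + timedelta(hours=2)
    return outcomes, throttle.record_attempt(later, success=True)


if __name__ == "__main__":
    for step, outcome, count in run_guide_walkthrough():
        print(f"step {step}: outcome={outcome} attempt_count={count}")
    print(run_lock_example())
```

The difference between the two actions is the point worth noticing when choosing a radio button in the Multi-Factor Methods tab: with "block", throttling clears itself as failures age out of the window, so an attacker who spaces attempts is still limited to the configured rate; with "lock", the fifth failure is a persistent state that only an unlock process removes, which is stronger against guessing but also lets a flood of bad attempts lock a legitimate user out.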

Notes

  • Multi-Factor Throttling is enabled on a per realm basis, but all realms share the same attempt count value
  • Password entry is not considered in the attempt count for purposes of Multi-Factor Throttling (i.e. if the user successfully enters multi-factor but then unsuccessfully enters the password, there is no penalty in terms of throttling)

APIs

All configuration settings are performed in the Web Admin, although APIs are available for retrieving and resetting the attempt count value. See Authentication API Guide and Multi-Factor Throttling Authentication API Guide for more information.

Prerequisites

1. Ensure SecureAuth IdP v9.1 or later is running

2. Create a New Realm or access an existing realm on which at least one method of Multi-Factor Authentication is required

3. Configure the following tabs in the Web Admin in addition to configuring Multi-Factor Throttling

  • Overview – the description of the realm and SMTP connections must be defined
  • Data – an enterprise directory must be integrated with SecureAuth IdP
  • Workflow – the way in which users will access the target must be defined
  • Multi-Factor Methods – the Multi-Factor Authentication methods that will be used to access the target must be defined
  • Post Authentication – the target resource or post authentication action must be defined
  • Logs – the logs that will be enabled or disabled for this realm must be defined

SecureAuth IdP Web Admin Configuration Steps

Data

1. If the number of Multi-Factor Throttling attempts will be stored in a directory attribute, then in the Profile Fields section, map the designated Field to the Property to store the date and time of each invalid password login attempt, and make this property Writable – e.g. map homePostalAddress to Aux ID 8

NOTE: Skip step 1 if the user's Multi-Factor Throttling attempt count will only be stored as a cookie for the length of the user's browser session

Field requirements:
  • Directory String
  • Single Value
  • Upper range of 4096

NOTE: The directory attribute must be in the Plain Text data format

Property selections:
  • Aux ID 1
  • Aux ID 2
  • Aux ID 3
  • Aux ID 4
  • Aux ID 5
  • Aux ID 6
  • Aux ID 7
  • Aux ID 8
  • Aux ID 9
  • Aux ID 10
  • Email 1
  • Email 2
  • Email 3
  • Email 4
  • Phone 1
  • Phone 2
  • Phone 3
  • Phone 4

Click Save once the configuration is complete and before leaving the Data tab to avoid losing changes

Multi-Factor Methods
2. In the Multi-Factor Configuration section, check Enable multi-factor throttling in the Multi-Factor Throttling frame under Multi-Factor Settings

3. In the Only allow __ failed attempts in __ (Minutes/Hours/Days) for each user fields, set the number of authentication attempts that will be allowed within a rolling time period before throttling takes effect

4. Select one of the radio buttons to specify the action that will occur when the end-user exceeds the allowed number of authentication attempts:

  • Block use of multi-factor until time limit has expired: do not allow the end-user to perform another authentication attempt until the attempt count has decremented by at least 1
  • Lock user account after exceeding attempts: upon exceeding the max number of attempts configured above, the user account is locked; refer to Unlock Account Configuration Guide for further information on locked accounts

5. From the Store attempt count in dropdown, select the directory attribute configured in step 1, or choose Browser Session if the user's attempt count will only be stored as a cookie for the length of the browser session

Click Save once the configuration is complete and before leaving the Multi-Factor Methods tab to avoid losing changes

End-user Experience

The following screenshots illustrate the default message that appears to the end-user when Multi-Factor Throttling has occurred

The admin can customise the message that appears by editing the registrationmethod_throttlelimit field in the Verbiage Editor

Block use of multi-factor until time limit has expired

Lock user account after exceeding attempts