Configure brute force protection
Brute force protection limits how many failed attempts a user or client can make before being blocked, stopping automated attacks that cycle through thousands of passwords, one-time codes, or client credentials to break into accounts.
💡 Why this matters
Blocks automated login attacks after a small number of failures while a legitimate user who mistypes a credential is only briefly delayed. Also helps meet compliance requirements for account security.
Available protection types
Protection type | Protects against | Common attack scenarios |
---|---|---|
MFA | MFA bypass attempts | Automated code guessing |
Client authentication | API client attacks | Service credential abuse |
Device handling | Device registration abuse | Mobile app exploitation |
Identity code verify | Verification code attacks | SMS/email code brute force |
Identity registration | Account creation abuse | Signup form attacks |
Configure protection settings
- Go to Tenant Settings > Brute-force Protection.
- Select the protection type you want to configure (MFA, Client authentication, and so on).
- Set the following values:

Setting | Recommended value | Notes |
---|---|---|
Max Attempts | 3-5 attempts | Industry standard for most scenarios |
Block Duration | 5-15 minutes | Balances security with user experience |

- Save your changes.
Industry-standard configurations
Different environments require different protection levels based on risk tolerance and user impact:
Environment Type | Max Attempts | Block Duration | Rationale |
---|---|---|---|
Internal/Development | 5 | 5 minutes | Higher tolerance for legitimate mistakes |
Partner/B2B Access | 3-5 | 10-15 minutes | Balance security with business relationships |
Public/Consumer | 3 | 15-30 minutes | Strong protection for exposed endpoints |
Regulated Industries | 2-3 | 30+ minutes | Compliance requirements, zero tolerance |
Operation-specific considerations
- MFA operations: Use lower thresholds (2-3 attempts). One-time codes are short and expire quickly, so a legitimate user rarely needs more than a couple of tries, while a low cap keeps an attacker from guessing a code within its validity window.
- Client authentication: Use standard thresholds (5 attempts). Service accounts need reliability, and a transient misconfiguration should not lock out an integration.
- Identity operations: Use lower thresholds (3 attempts). Registration and code verification are high-risk, since they gate account creation and recovery.
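The following example models how Max Attempts and Block Duration interact for the thresholds above. It is an added example written for this page, not the vendor's own code or its Brute Force Limits API. It assumes a fixed block window that resets the failure counter when it expires and that a successful attempt clears the counter; the page does not state these semantics. It also models the Max Attempts = 0 (disabled) and 50+ (effective disable) settings described under Disabling protection below. Principal names, timestamps, and the audit-log format are constructed.

```python
"""Model of the Max Attempts / Block Duration settings for this page.

Added example, not the vendor's implementation. Policy numbers follow the
page's public/consumer guidance; principals, timestamps and log lines are
constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Policy:
    max_attempts: int          # 0 = protection disabled (the page's "complete disable")
    block_duration: timedelta  # how long a principal stays blocked once the cap is hit


# Public/consumer thresholds: 3 attempts and a 15 minute block as the baseline,
# with client authentication relaxed to 5 attempts for service-account reliability.
PUBLIC_POLICIES: Dict[str, Policy] = {
    "mfa": Policy(3, timedelta(minutes=15)),
    "client_authentication": Policy(5, timedelta(minutes=15)),
    "identity_code_verify": Policy(3, timedelta(minutes=15)),
    "identity_registration": Policy(3, timedelta(minutes=15)),
}

# Constructed load-test policy: the page's "effective disable" (50+ attempts, logging kept).
LOAD_TEST_POLICIES: Dict[str, Policy] = {op: Policy(50, timedelta(minutes=1)) for op in PUBLIC_POLICIES}

T0 = datetime(2024, 1, 1, 12, 0, 0)  # constructed reference timestamp


def at(minutes: int = 0, seconds: int = 0) -> datetime:
    """Timestamp offset from T0, used to replay attempts at known times."""
    return T0 + timedelta(minutes=minutes, seconds=seconds)


@dataclass
class _Counter:
    failures: int = 0
    blocked_until: Optional[datetime] = None


class BruteForceLimiter:
    """Per-(operation, principal) failure counter with a fixed block window."""

    def __init__(self, policies: Dict[str, Policy]) -> None:
        self.policies = policies
        self._counters: Dict[Tuple[str, str], _Counter] = {}
        self.events: List[str] = []  # audit trail, written even when a policy is disabled

    def _log(self, now: datetime, op: str, principal: str, msg: str) -> None:
        self.events.append(f"{now.isoformat()} {op} principal={principal} {msg}")

    def is_blocked(self, op: str, principal: str, now: datetime) -> bool:
        """True inside the block window; an expired block resets the counter (assumed semantics)."""
        counter = self._counters.get((op, principal))
        if counter is None or counter.blocked_until is None:
            return False
        if now >= counter.blocked_until:
            self._counters[(op, principal)] = _Counter()  # fresh window after the block expires
            return False
        return True

    def record(self, op: str, principal: str, success: bool, now: datetime) -> str:
        """Apply one authentication outcome. Returns "ok", "failed" or "blocked"."""
        policy = self.policies[op]
        key = (op, principal)
        if self.is_blocked(op, principal, now):
            self._log(now, op, principal, "rejected: inside block window")
            return "blocked"
        counter = self._counters.setdefault(key, _Counter())
        if success:
            self._counters[key] = _Counter()  # a success clears the failure count (assumed)
            self._log(now, op, principal, "success")
            return "ok"
        counter.failures += 1
        self._log(now, op, principal, f"failure {counter.failures}/{policy.max_attempts or 'unlimited'}")
        # max_attempts == 0 means protection is switched off: count and log, never block.
        if policy.max_attempts > 0 and counter.failures >= policy.max_attempts:
            counter.blocked_until = now + policy.block_duration
            self._log(now, op, principal, f"blocked until {counter.blocked_until.isoformat()}")
        return "failed"


def run_sequence(limiter: BruteForceLimiter, op: str, principal: str,
                 outcomes: List[bool], start: datetime,
                 step: timedelta = timedelta(seconds=1)) -> List[str]:
    """Replay a list of attempt outcomes (True = correct credential) one `step` apart."""
    return [limiter.record(op, principal, ok, start + i * step) for i, ok in enumerate(outcomes)]


if __name__ == "__main__":
    limiter = BruteForceLimiter(PUBLIC_POLICIES)
    # Constructed attack: five wrong MFA codes a second apart, then the right code 16 minutes later.
    print(run_sequence(limiter, "mfa", "alice", [False] * 5, at()))
    print(limiter.record("mfa", "alice", True, at(minutes=16)))
    for line in limiter.events:
        print(line)
```

With the MFA policy of 3 attempts and a 15 minute block, the third wrong code triggers the block, the fourth and fifth are rejected without being evaluated, and the correct code is accepted once the window has passed. Swapping in LOAD_TEST_POLICIES or a Policy with max_attempts=0 shows the two disable modes: both keep writing audit events, but only the 50+ variant can still block a runaway client.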
Advanced configuration
API automation
Use the Brute Force Limits API for:
- Automated policy deployment across environments
- Integration with security monitoring systems
- Programmatic threshold adjustments
Disabling protection (controlled environments only)
Only disable brute force protection in isolated test environments that hold no production data and cannot receive production traffic.
When you might need to disable:
- Load testing authentication endpoints
- Automated testing scenarios
- Development environment debugging
How to disable safely:
Method | Configuration | Use case |
---|---|---|
Complete disable | Set Max Attempts = 0 | Full testing scenarios |
Effective disable | Set Max Attempts = 50+ | Simulate no limits while maintaining logging |
Safety measures:
- Document the business justification
- Set a calendar reminder to re-enable protection immediately after testing
- Monitor for any unusual authentication patterns
- Verify no production traffic can reach the test environment
⚠️ Re-enable immediately: Leaving protection disabled increases exposure to credential stuffing, account takeover, and service disruption attacks