It is a common thing to block users when a number of failed login attempts are made. This behaviour will also help to secure your users from slow brute-force attacks.
It is easy to make multiple attempts from different IPs with today's technology or tools. In this case, Brute-Force Protection remains insufficient to protect your users' accounts. While brute-force protection prevents attempts from single source (IP), this policy will count failed attempts from all sources.
To customize account blocking policy, go to Dashboard > Security and navigate to Account Blocking Policy.
Configuration
| Field | Description |
|---|---|
| Send Notification | If this is enabled, your users will receive an email informing them that their account is blocked. Blocked Account template will be used for this email. |
| Allow User Unblock | If this is enabled, your users could unblock their accounts by resetting their passwords with the link received in the email. |
| Reset Attempts After Successful Login | If this is enabled, the failed login counter will be reset when user successfully logs in |
| Attempts | Attempt count for when to block user account |
| Duration | Attempts will be counted for the specified seconds. |
| Block Duration | How many seconds should PlusAuth block the IP for the specified user. |
For example, with following configuration
Send Notification = true
Allow User Unblock = true
Attempts = 50
Duration = 86400 (1 day in seconds)
Block Duration = 31540000(1 year in seconds)if a user fails to login to their account 50 times (Attempts) in a day (Duration), their account will be blocked for 1 year (Block Duration), and they will receive configured Blocked Account email.
Blocked accounts could be unblocked anytime by administrators with Management API or dashboard.