Account Blocking Policy

It is a common thing to block users when a number of failed login attempts are made. This behaviour will also help to secure your users from slow brute-force attacks.

It is a common thing to block users when a number of failed login attempts are made. This behaviour will also help to secure your users from slow brute-force attacks.

It is easy to make multiple attempts from different IPs with today's technology or tools. In this case, Brute-Force Protection remains insufficient to protect your users' accounts. While brute-force protection prevents attempts from single source (IP), this policy will count failed attempts from all sources.

To customize account blocking policy, go to Dashboard > Security and expand the Account Blocking Policy section.

Configuration

FieldDescription
Send NotificationIf this is enabled, your users will receive an email informing them that their account is blocked. Blocked Account template will be used for this email.
Allow User UnblockIf this is enabled, your users could unblock their accounts by resetting their passwords with the link received in the email.
Reset Attempts After Successful LoginIf this is enabled, the failed login counter will be reset when user successfully logs in
AttemptsAttempt count for when to block user account
DurationAttempts will be counted for the specified seconds.
Block DurationHow many seconds should PlusAuth block the IP for the specified user.

For example, with following configuration

Send Notification = true
Allow User Unblock = true
Attempts = 50
Duration = 86400 (1 day in seconds)
Block Duration = 31540000(1 year in seconds)

if a user fails to login to their account 50 times (Attempts) in a day (Duration), their account will be blocked for 1 year (Block Duration), and they will receive configured Blocked Account email.

Blocked accounts could be unblocked anytime by administrators with Management API or dashboard.