It is a common thing to block users when a number of failed login attempts are made. This behaviour will also help to secure your users from slow brute-force attacks.
It is easy to make multiple attempts from different IPs with today's technology or tools. In this case, Brute-Force Protection remains insufficient to protect your users' accounts. While brute-force protection prevents attempts from single source (IP), this policy will count failed attempts from all sources.
To customize account blocking policy, go to Dashboard > Security and expand the Account Blocking Policy section.
Configuration
| Field | Description |
|---|---|
| Send Notification | If this is enabled, your users will receive an email informing them that their account is blocked. Blocked Account template will be used for this email. |
| Allow User Unblock | If this is enabled, your users could unblock their accounts by resetting their passwords with the link received in the email. |
| Reset Attempts After Successful Login | If this is enabled, the failed login counter will be reset when user successfully logs in |
| Attempts | Attempt count for when to block user account |
| Duration | Attempts will be counted for the specified seconds. |
| Block Duration | How many seconds should PlusAuth block the IP for the specified user. |
For example, with following configuration
Send Notification = trueAllow User Unblock = trueAttempts = 50Duration = 86400 (1 day in seconds)Block Duration = 31540000(1 year in seconds)If a user fails to log in to their account 50 times (Attempts) within a single day (Duration), their account will be blocked for 1 year (Block Duration). They will also receive the configured Blocked Account email.
Unblocking Users
Blocked accounts can be unblocked at any time by administrators via the Core API or the dashboard. To unblock a user from the dashboard, go to Dashboard > Users , open the user's details, and click the Unblock button.
Using the Core API, you can send an Update User request with the blocked property set to false.