[keycloak-dev] Idea for brute force protection

Bill Burke bburke at redhat.com
Fri Mar 28 11:56:02 EDT 2014


Ok.  I'm working on something now that does most of this minus the 
email.  Have had Resteasy work this week too though.

On 3/28/2014 9:33 AM, Stian Thorgersen wrote:
> While working on audit, an idea popped into my head. What about if after N failed attempts we disable the user's account, then send an email to the user saying something like:
>
> ------------
>
> We have recently detected a number of failed login attempts to your account:
>
>    * 28/03/2014 14:27 from 80.129.51.201
>    * 28/03/2014 14:26 from 80.129.51.201
>    * 28/03/2014 14:25 from 80.129.51.201
>    * 28/03/2014 14:24 from 80.129.51.201
>
> To prevent unauthorized access to your account, it has been disabled. To enable your account click on the following link (or contact an admin):
>
> http://localhost:8080/auth/rest/realms/tokens/auth/request/login-actions/verify-account?key=a3240r9je908rjgf3984jncs9d8ajvc9834hf983434tf34t34
>
> ------------
>
> We could have a drop-down under realm settings to select the 'brute force' protection policy, from one of:
>
> * Sleep - sleep for N seconds on login (increased for each attempt)
> * Temporary disable - disable login for the account until some time in the future (may also send an email to user to indicate this)
> * User can re-enable - the proposal from above
> * Admin can re-enable - similar to above, but the email is sent to an admin instead of the user
>
>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
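The four realm-level policies sketched in the quoted proposal (escalating sleep, temporary disable, user re-enable by emailed link, admin re-enable) can be modelled as one small class. The code below is an added example written for this page; it is not Keycloak code and nothing in it corresponds to a real Keycloak class, setting or endpoint. The class name, the policy and action names, the per-user state map and the constructor parameters are all assumptions chosen for illustration, and the IP address and attempt sequence in main() are constructed to mirror the sample email above.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.time.Clock;
import java.time.Duration;
import java.time.Instant;
import java.util.ArrayList;
import java.util.Base64;
import java.util.List;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/** Added illustration of the four realm-level policies proposed in the thread. Not Keycloak code; all names are assumptions. */
public class BruteForcePolicyDemo {

    enum Policy { SLEEP, TEMPORARY_DISABLE, USER_CAN_REENABLE, ADMIN_CAN_REENABLE }

    /** What the login endpoint must do once a failure has been recorded. */
    enum Action { NONE, DELAYED, LOCKED_UNTIL, EMAIL_USER, EMAIL_ADMIN }

    record FailedAttempt(Instant at, String sourceIp) {}

    /** reenableKey is only set for the two email policies; it goes into the email and nowhere else. */
    record Verdict(Action action, Instant until, String reenableKey, List<FailedAttempt> recent) {}

    /** Per-user state. A real deployment keeps this in shared persistent storage, not a node-local map. */
    private static final class UserState {
        int failures;
        Instant notBefore = Instant.EPOCH;   // earliest time another attempt is accepted
        boolean disabled;
        byte[] reenableKeyHash;              // only the hash is stored, so reading the database yields no usable link
        final List<FailedAttempt> recent = new ArrayList<>();
    }

    private final Policy policy;
    private final int maxFailures;           // the "N failed attempts" of the proposal
    private final Duration baseDelay, maxDelay, lockoutLength;
    private final Clock clock;
    private final SecureRandom random = new SecureRandom();
    private final Map<String, UserState> states = new ConcurrentHashMap<>();

    BruteForcePolicyDemo(Policy policy, int maxFailures, Duration baseDelay, Duration maxDelay,
                         Duration lockoutLength, Clock clock) {
        this.policy = policy; this.maxFailures = maxFailures; this.baseDelay = baseDelay;
        this.maxDelay = maxDelay; this.lockoutLength = lockoutLength; this.clock = clock;
    }

    /** Call before checking the password; a rejected attempt never reaches the credential store. */
    synchronized boolean mayAttempt(String username) {
        UserState s = states.computeIfAbsent(username, u -> new UserState());
        return !s.disabled && !clock.instant().isBefore(s.notBefore);
    }

    synchronized void recordSuccess(String username) { states.remove(username); }

    synchronized Verdict recordFailure(String username, String sourceIp) {
        UserState s = states.computeIfAbsent(username, u -> new UserState());
        Instant now = clock.instant();
        s.failures++;
        s.recent.add(new FailedAttempt(now, sourceIp));
        List<FailedAttempt> recent = List.copyOf(s.recent);
        if (policy == Policy.SLEEP) {
            // Back-off is stored as an earliest-allowed time rather than a Thread.sleep() on the request
            // thread, because a pool of sleeping request threads is itself something an attacker can exhaust.
            Duration delay = baseDelay.multipliedBy(1L << Math.min(s.failures - 1, 20));
            if (delay.compareTo(maxDelay) > 0) delay = maxDelay;
            s.notBefore = now.plus(delay);
            return new Verdict(Action.DELAYED, s.notBefore, null, recent);
        }
        if (s.failures < maxFailures) return new Verdict(Action.NONE, null, null, recent);
        if (policy == Policy.TEMPORARY_DISABLE) {
            s.notBefore = now.plus(lockoutLength);   // bounded lockout: the account recovers on its own
            s.failures = 0;
            return new Verdict(Action.LOCKED_UNTIL, s.notBefore, null, recent);
        }
        // USER_CAN_REENABLE / ADMIN_CAN_REENABLE: disable until whoever holds the emailed key re-enables.
        byte[] raw = new byte[32];
        random.nextBytes(raw);                                        // 256 random bits: the link must be unguessable
        String key = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        s.disabled = true;
        s.reenableKeyHash = sha256(key);
        Action who = policy == Policy.USER_CAN_REENABLE ? Action.EMAIL_USER : Action.EMAIL_ADMIN;
        return new Verdict(who, null, key, recent);
    }

    /** Handler behind the re-enable link: succeeds only for the exact key that was emailed, and only once. */
    synchronized boolean reenable(String username, String presentedKey) {
        UserState s = states.get(username);
        if (s == null || !s.disabled || presentedKey == null) return false;
        if (!MessageDigest.isEqual(s.reenableKeyHash, sha256(presentedKey))) return false;  // constant-time compare
        states.remove(username);   // clears the counter and the one-time key
        return true;
    }

    private static byte[] sha256(String text) {
        try { return MessageDigest.getInstance("SHA-256").digest(text.getBytes(StandardCharsets.UTF_8)); }
        catch (NoSuchAlgorithmException e) { throw new IllegalStateException(e); }
    }

    public static void main(String[] args) {
        // Constructed scenario: four failures from one address, as in the sample email in the thread.
        BruteForcePolicyDemo guard = new BruteForcePolicyDemo(Policy.USER_CAN_REENABLE, 4,
                Duration.ofSeconds(1), Duration.ofMinutes(5), Duration.ofMinutes(15), Clock.systemUTC());
        Verdict v = null;
        for (int i = 0; i < 4 && guard.mayAttempt("alice"); i++) v = guard.recordFailure("alice", "80.129.51.201");
        System.out.println(v.action() + " -> account disabled: " + !guard.mayAttempt("alice"));
        v.recent().forEach(a -> System.out.println("  * " + a.at() + " from " + a.sourceIp()));
        System.out.println("wrong key accepted: " + guard.reenable("alice", "not-the-key"));
        System.out.println("emailed key accepted: " + guard.reenable("alice", v.reenableKey()));
        System.out.println("login possible again: " + guard.mayAttempt("alice"));
    }
}
```

Two design points worth noting when choosing between these policies. Any policy that disables an account after N failures lets anyone who knows a username lock that user out, so the two email-based options trade brute-force resistance for a denial-of-service lever; a bounded temporary lockout, possibly combined with counting failures per source address as well as per account, is the usual compromise. And the re-enable key must be generated from a cryptographic random source and stored only as a hash, as above, since the link is by itself sufficient to re-open the account.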

