Ok. I'm working on something now that does most of this minus the
email. Have had Resteasy work this week too though.
On 3/28/2014 9:33 AM, Stian Thorgersen wrote:
While working on audit an idea popped into my head. What about if
after N failed attempts we disable the user's account, then send an email to the user
saying something like:
------------
We have recently detected a number of failed login attempts to your account:
* 28/03/2014 14:27 from 80.129.51.201
* 28/03/2014 14:26 from 80.129.51.201
* 28/03/2014 14:25 from 80.129.51.201
* 28/03/2014 14:24 from 80.129.51.201
To prevent unauthorized access to your account it has been disabled. To enable your
account click on the following link (or contact an admin):
http://localhost:8080/auth/rest/realms/tokens/auth/request/login-actions/...
------------
We could have a drop-down under realm settings to select the 'brute force'
protection policy, from one of:
* Sleep - sleep for N seconds on login (increased for each attempt)
* Temporary disable - disable login for the account until some time in the future (may
also send an email to user to indicate this)
* User can re-enable - the proposal from above
* Admin can re-enable - similar to above, but the email is sent to an admin instead of
the user
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
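The four policies in Stian's list (sleep, temporary disable, user can re-enable, admin can re-enable) side by side, as an added illustration that is not Keycloak code and not part of this thread. It is a small Python policy engine: failures are recorded per account with their source address, the configured policy decides whether to delay, lock until a deadline, or lock until a one-time link is used, and the notice text is built from the recorded attempts. The class and function names (`BruteForceProtector`, `Account`, `Decision`, `simulate`), the thresholds, and the re-enable URL are assumptions; the replayed attempts are the four from the quoted notice.

```python
import calendar
import hmac
import secrets
import time
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional, Tuple


class Policy(Enum):
    SLEEP = "sleep"                   # delay each login, growing with every failure
    TEMPORARY_DISABLE = "temporary"   # lock the account until a deadline passes
    USER_REENABLE = "user"            # lock; the user gets the re-enable link
    ADMIN_REENABLE = "admin"          # lock; an admin gets the re-enable link


@dataclass
class Account:
    username: str
    failures: List[Tuple[float, str]] = field(default_factory=list)  # (epoch seconds, source ip)
    disabled_until: Optional[float] = None   # TEMPORARY_DISABLE deadline
    disabled: bool = False                    # USER/ADMIN_REENABLE lock
    reenable_token: Optional[str] = None      # one-time token behind the emailed link


@dataclass
class Decision:
    allowed: bool
    sleep_seconds: float = 0.0
    notify: Optional[str] = None   # "user", "admin" or None
    message: Optional[str] = None  # notice text to email, if any


class BruteForceProtector:
    def __init__(self, policy: Policy, max_failures: int = 4, base_sleep: float = 1.0, lock_seconds: int = 600):
        self.policy = policy
        self.max_failures = max_failures
        self.base_sleep = base_sleep
        self.lock_seconds = lock_seconds

    def _sleep_for(self, account: Account) -> float:
        # SLEEP policy: linear backoff, one base delay per recorded failure
        return self.base_sleep * len(account.failures) if self.policy is Policy.SLEEP else 0.0

    def check(self, account: Account, now: float) -> Decision:
        """Called before credentials are verified: may this attempt proceed at all?"""
        if account.disabled:
            return Decision(allowed=False, message="account disabled until re-enabled")
        if account.disabled_until is not None:
            if now < account.disabled_until:
                return Decision(allowed=False, message="account temporarily disabled")
            account.disabled_until = None   # lock expired; start counting afresh
            account.failures.clear()
        return Decision(allowed=True, sleep_seconds=self._sleep_for(account))

    def record_failure(self, account: Account, source_ip: str, now: float) -> Decision:
        account.failures.append((now, source_ip))
        if self.policy is Policy.SLEEP or len(account.failures) < self.max_failures:
            return Decision(allowed=True, sleep_seconds=self._sleep_for(account))
        if self.policy is Policy.TEMPORARY_DISABLE:
            account.disabled_until = now + self.lock_seconds
            closing = f"To prevent unauthorized access it has been disabled for {self.lock_seconds // 60} minutes."
            return Decision(allowed=False, notify="user", message=self._notice(account, closing))
        # USER_REENABLE / ADMIN_REENABLE: lock until the emailed one-time link is used
        account.disabled = True
        account.reenable_token = secrets.token_urlsafe(32)
        recipient = "user" if self.policy is Policy.USER_REENABLE else "admin"
        link = f"https://sso.example.invalid/reenable?token={account.reenable_token}"  # placeholder URL
        closing = f"To prevent unauthorized access it has been disabled. To enable it, open: {link}"
        return Decision(allowed=False, notify=recipient, message=self._notice(account, closing))

    def record_success(self, account: Account) -> None:
        account.failures.clear()

    def reenable(self, account: Account, token: str) -> bool:
        """Consume the one-time token from the emailed link; constant-time compare."""
        if account.reenable_token is None or not hmac.compare_digest(account.reenable_token, token):
            return False
        account.disabled = False
        account.reenable_token = None
        account.failures.clear()
        return True

    @staticmethod
    def _notice(account: Account, closing: str) -> str:
        lines = ["We have recently detected a number of failed login attempts to your account:"]
        for ts, ip in reversed(account.failures):   # newest first, as in the quoted notice
            lines.append(f"* {time.strftime('%d/%m/%Y %H:%M', time.gmtime(ts))} from {ip}")
        lines.append(closing)
        return "\n".join(lines)


def simulate(policy: Policy):
    """Replay the four failures from the quoted notice (constructed input) under one policy."""
    protector = BruteForceProtector(policy, max_failures=4, base_sleep=1.0, lock_seconds=600)
    account = Account("alice")
    first = calendar.timegm((2014, 3, 28, 14, 24, 0))
    decision = Decision(allowed=True)
    for i in range(4):
        now = first + 60 * i
        pre = protector.check(account, now)
        if not pre.allowed:
            return account, pre
        decision = protector.record_failure(account, "80.129.51.201", now)
    return account, decision


if __name__ == "__main__":
    for policy in Policy:
        acct, dec = simulate(policy)
        print(policy.value, "allowed" if dec.allowed else "blocked", f"sleep={dec.sleep_seconds}", f"notify={dec.notify}")
        if dec.message:
            print(dec.message)
```

The SLEEP variant never locks, it only stretches each attempt, so it is the gentlest on legitimate users but the weakest against a patient attacker; the two re-enable variants differ only in who receives the link, which is why they share one code path. Note that the `check` step runs before credential verification: otherwise a locked account would still leak whether the password was right.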