[keycloak-dev] Idea for brute force protection
Stian Thorgersen
stian at redhat.com
Fri Mar 28 09:33:47 EDT 2014
While working on audit, an idea popped into my head. What about if after N failed attempts we disable the user's account, then send an email to the user saying something like:
------------
We have recently detected a number of failed login attempts to your account:
* 28/03/2014 14:27 from 80.129.51.201
* 28/03/2014 14:26 from 80.129.51.201
* 28/03/2014 14:25 from 80.129.51.201
* 28/03/2014 14:24 from 80.129.51.201
To prevent unauthorized access to your account it has been disabled. To enable your account click on the following link (or contact an admin):
http://localhost:8080/auth/rest/realms/tokens/auth/request/login-actions/verify-account?key=a3240r9je908rjgf3984jncs9d8ajvc9834hf983434tf34t34
------------
We could have a drop-down under realm settings to select the 'brute force' protection policy, from one of:
* Sleep - sleep for N seconds on login (increased for each attempt)
* Temporary disable - disable login for the account until some time in the future (may also send an email to user to indicate this)
* User can re-enable - the proposal from above
* Admin can re-enable - similar to above, but the email is sent to an admin instead of the user
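To make the four policies concrete, here is a small model of the proposal as an added example (not Keycloak code); the class and method names, the thresholds, the admin address and the verify-account URL are all assumptions, and the sleep delay doubles per failure. Timestamps are epoch seconds and failures are kept in memory per account.

```python
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timezone
from enum import Enum
from typing import Optional

class Policy(Enum):
    SLEEP = "sleep"             # delay every login, doubling per failure
    TEMP_DISABLE = "temporary"  # lock the account until a deadline passes
    USER_REENABLE = "user"      # lock and mail the user a re-enable link
    ADMIN_REENABLE = "admin"    # lock and mail the link to an admin instead

@dataclass
class Account:
    email: str
    failures: list = field(default_factory=list)  # (epoch seconds, source ip) per failed login
    disabled_until: Optional[float] = None        # None = enabled, inf = locked until re-enabled
    reenable_key: Optional[str] = None

class BruteForceProtector:
    def __init__(self, policy, max_failures=4, lockout_seconds=600, admin_email="admin@example.test"):
        self.policy, self.max_failures, self.lockout_seconds, self.admin_email = policy, max_failures, lockout_seconds, admin_email
    def record_failure(self, account, ts, ip):
        # Log one failed attempt and return the action the realm policy demands (None = nothing yet).
        account.failures.append((ts, ip))
        n = len(account.failures)
        if self.policy is Policy.SLEEP:
            return {"delay": min(2 ** (n - 1), 64)}       # 1, 2, 4, 8 ... seconds, capped
        if n < self.max_failures:
            return None
        if self.policy is Policy.TEMP_DISABLE:
            account.disabled_until = ts + self.lockout_seconds
            return {"disabled_until": account.disabled_until}
        account.disabled_until = float("inf")             # locked until a valid key is presented
        account.reenable_key = secrets.token_urlsafe(32)  # unguessable, single-use
        to = account.email if self.policy is Policy.USER_REENABLE else self.admin_email
        return {"email_to": to, "body": self.notice(account)}
    def notice(self, account):
        lines = ["We have recently detected a number of failed login attempts to your account:"]
        lines += [f"* {datetime.fromtimestamp(ts, timezone.utc):%d/%m/%Y %H:%M} from {ip}" for ts, ip in reversed(account.failures)]
        lines.append(f"To enable your account: https://sso.example.test/verify-account?key={account.reenable_key}")
        return "\n".join(lines)
    def is_login_allowed(self, account, now):
        return account.disabled_until is None or now >= account.disabled_until
    def reenable(self, account, key):
        # Constant-time compare so the key cannot be guessed byte by byte; the key is consumed on use.
        if account.reenable_key is None or not secrets.compare_digest(key, account.reenable_key):
            return False
        account.disabled_until, account.reenable_key = None, None
        account.failures.clear()
        return True
```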