[keycloak-dev] Idea for brute force protection

Stian Thorgersen stian at redhat.com
Fri Mar 28 09:33:47 EDT 2014


While working on audit, an idea popped into my head. What about if after N failed attempts we disable the user's account, then send an email to the user saying something like:

------------

We have recently detected a number of failed login attempts to your account:

  * 28/03/2014 14:27 from 80.129.51.201
  * 28/03/2014 14:26 from 80.129.51.201
  * 28/03/2014 14:25 from 80.129.51.201
  * 28/03/2014 14:24 from 80.129.51.201

To prevent unauthorized access to your account, it has been disabled. To enable your account click on the following link (or contact an admin):

http://localhost:8080/auth/rest/realms/tokens/auth/request/login-actions/verify-account?key=a3240r9je908rjgf3984jncs9d8ajvc9834hf983434tf34t34

------------

We could have a drop-down under realm settings to select the 'brute force' protection policy, from one of:

* Sleep - sleep for N seconds on login (increased for each attempt)
* Temporary disable - disable login for the account until some time in the future (may also send an email to user to indicate this)
* User can re-enable - the proposal from above
* Admin can re-enable - similar to above, but the email is sent to an admin instead of the user
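As an added illustration of the four policies sketched above (this is example code written for this page, not Keycloak's own code), here is a small self-contained Python model of a per-account failed-attempt tracker with a realm-level policy switch. The account store, the email address values, the `verify-account` base URL, the injectable clock and sleeper, and the "sent mail" list standing in for a mailer are all assumptions made for the demo.

```python
import enum
import hmac
import secrets
import time
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Callable, List, Optional, Tuple


class Policy(enum.Enum):
    """The four realm-level brute-force policies from the proposal."""
    SLEEP = "sleep"
    TEMP_DISABLE = "temporary-disable"
    USER_REENABLE = "user-can-re-enable"
    ADMIN_REENABLE = "admin-can-re-enable"


@dataclass
class FailedAttempt:
    when: float          # unix timestamp of the failed login
    source_ip: str


@dataclass
class Account:
    username: str
    password: str        # plaintext only for this demo; a real store keeps a hash
    email: str           # constructed value for the demo
    disabled: bool = False
    disabled_until: Optional[float] = None
    failures: List[FailedAttempt] = field(default_factory=list)
    reenable_key: Optional[str] = None


class BruteForceProtector:
    def __init__(self, policy: Policy, max_failures: int = 4, base_delay: float = 1.0,
                 lockout_seconds: int = 300, admin_email: str = "admin@example.test",
                 base_url: str = "https://auth.example.test/verify-account",  # assumed URL
                 clock: Callable[[], float] = time.time,
                 sleeper: Callable[[float], None] = time.sleep) -> None:
        self.policy = policy
        self.max_failures = max_failures
        self.base_delay = base_delay
        self.lockout_seconds = lockout_seconds
        self.admin_email = admin_email
        self.base_url = base_url
        self.clock = clock          # injectable so tests can control time
        self.sleeper = sleeper      # injectable so tests do not really sleep
        self.sent_mail: List[Tuple[str, str]] = []   # (recipient, body); stands in for a mailer

    def login(self, account: Account, password: str, source_ip: str) -> str:
        now = self.clock()
        if account.disabled:
            return "disabled"                      # needs a re-enable key (user or admin policy)
        if account.disabled_until is not None and now < account.disabled_until:
            return "locked"                        # temporary lockout still running
        if hmac.compare_digest(password.encode(), account.password.encode()):
            account.failures.clear()               # success resets the counter
            account.disabled_until = None
            return "ok"
        account.failures.append(FailedAttempt(now, source_ip))
        n = len(account.failures)
        if self.policy is Policy.SLEEP:
            self.sleeper(self.base_delay * n)      # delay grows with each failed attempt
        elif n >= self.max_failures:
            self._lock(account, now)
        return "failed"

    def _lock(self, account: Account, now: float) -> None:
        if self.policy is Policy.TEMP_DISABLE:
            account.disabled_until = now + self.lockout_seconds
            self.sent_mail.append((account.email, self.notice(account, link=None)))
            return
        # USER_REENABLE / ADMIN_REENABLE: disable outright and mail a single-use key
        account.disabled = True
        account.reenable_key = secrets.token_urlsafe(32)
        link = f"{self.base_url}?key={account.reenable_key}"
        recipient = account.email if self.policy is Policy.USER_REENABLE else self.admin_email
        self.sent_mail.append((recipient, self.notice(account, link)))

    def reenable(self, account: Account, key: str) -> bool:
        """Consume the emailed key; constant-time compare so the key cannot be guessed byte by byte."""
        if account.reenable_key is None or not hmac.compare_digest(key.encode(), account.reenable_key.encode()):
            return False
        account.disabled = False
        account.reenable_key = None
        account.failures.clear()
        return True

    def notice(self, account: Account, link: Optional[str]) -> str:
        """Build the notification text in the shape proposed above (newest attempt first)."""
        lines = ["We have recently detected a number of failed login attempts to your account:", ""]
        for a in reversed(account.failures):
            stamp = datetime.fromtimestamp(a.when, tz=timezone.utc).strftime("%d/%m/%Y %H:%M")
            lines.append(f"  * {stamp} from {a.source_ip}")
        lines.append("")
        if link is None:
            lines.append(f"The account has been locked for {self.lockout_seconds} seconds.")
        else:
            lines.append("To prevent unauthorized access the account has been disabled. To enable it, open:")
            lines.append(link)
        return "\n".join(lines)
```

Two design points worth noting: a correct password is still refused while a temporary lockout is running, so the lockout cannot be bypassed by simply trying again, and the re-enable key is generated with `secrets`, compared in constant time and cleared on use. The sleep policy as written blocks the handling thread for the delay; a server handling many clients would more likely record a "not before" timestamp per account and reject early, which gives the same slowdown without tying up a thread.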



