[keycloak-user] Is Brute Force Detection Extensible or can be Customized?
Bruno Oliveira
bruno at abstractj.org
Mon Jan 16 04:29:51 EST 2017
On 2017-01-13, Deepu Laghuvaram wrote:
> Our current functionality is that if the user provides wrong password for 5
> times or more then we want to display on the login page itself that the
> user is locked out and they have to reset the password (User is Locked
> until they reset password) I am trying to achieve the same functionality in
> KeyCloak. Is it possible?
I don't think it's possible today. By doing that you would be creating a
loophole for login. If you displaythat user is locked out,
attackers could verify that such user exists. See User enumeration
details[1].
>
> And as of now the failed login attempts count is in our Database and I want
> to make Brute Force Detection to be based on the failed login attempts from
> my database and update the failed login attempts to my DB, basically
> combining Brute Force Detection and Custom UserStorageProvider to achieve
> both the functionalities?
I never tried that and not sure if it's possible. But store failed
attempts into the database, depending on the volume of your requests,
can be a bit slow.
[1] - https://www.owasp.org/index.php/Testing_for_User_Enumeration_and_Guessable_User_Account_(OWASP-AT-002)
>
>
> Thanks,
> Deepu
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
--
abstractj
More information about the keycloak-user
mailing list