Account lockout is a new feature of Safewhere Identify, starting from version 5.5, to defend against brute-force attack.
According to OWASP:
A common threat web developers face is a password-guessing attack known as a brute force attack. A brute-force attack is an attempt to discover a password by systematically trying every possible combination of letters, numbers, and symbols until you discover the one correct combination that works. If your web site requires user authentication, you are a good target for a brute-force attack.
An attacker can always discover a password through a brute-force attack, but the downside is that it could take years to find it. Depending on the password's length and complexity, there could be trillions of possible combinations. To speed things up a bit, a brute-force attack could start with dictionary words or slightly modified dictionary words because most people will use those rather than a completely random password. These attacks are called dictionary attacks or hybrid brute-force attacks. Brute-force attacks put user accounts at risk and flood your site with unnecessary traffic.
Locking accounts is the most used method against brute-force attack, but it comes with its own problems as stated by OWASP:
The most obvious way to block brute-force attacks is to simply lock out accounts after a defined number of incorrect password attempts. Account lockouts can last a specific duration, such as one hour, or the accounts could remain locked until manually unlocked by an administrator. However, account lockout is not always the best solution, because someone could easily abuse the security measure and lock out hundreds of user accounts. In fact, some Web sites experience so many attacks that they are unable to enforce a lockout policy because they would constantly be unlocking customer accounts.
This means that while locking out accounts is good for security, it potentially has some usability drawbacks. Since version 5.5 onward, we will gradually add account lockout and auto-unlock supports for more functionality that is vulnerable to brute-force password attack.
OAuth Resource Owner Password Flow
When an account reaches the maximum number of login attempts to get a token using OAuth Resource Owner Password flow, the account will be locked out. When an account is locked out, even if correct credentials are provided after that, Identify still rejects token requests and log event ID 8000. In version 5.5, we hard coded the maximum number of login attempts to 10 times and lock-out duration to 1 hour.
Event id 8000:
In the next version, we will add support to System Setup for specifying the maximum allowed attempts and lockout duration.
Username & password account lockout
Username & Password login has supported account lockout for long, but we now add support for auto-unlock. The new “Account lockout duration (seconds)” setting found on Username and password authentication connection specifies the number of seconds that users must wait before their accounts are unlocked. A zero value means the locked accounts will get unlocked next 24 hours.
- Identify Admin
- Safewhere Admin
When an account is locked out, even if correct credentials are provided after that, Identify still rejects the login attempt and inform the user about when it will be unlocked. Using a small enough duration can not only prevent brute-force attack but also make it possible for users to wait until their accounts get unlocked instead of contacting help desk, and thus reduce support cost.
Note about error message: we always count up time, which means if a user ends up at this page and
- locking time is less than 1 hour, we will report in minutes.
- locking time is less than 1 minute, we will report in 1 minute. Message looks like "Your account is temporarily locked out and will be automatically unlocked after 1 minute..."
- locking time is 1 minute plus some seconds. Message looks like "Your account is temporarily locked out and will be automatically unlocked after 2 minutes..."
- locking time is equal or greater than 1 hour, we will report in hours.
- if locking time is 1 hour and 1 minute, we will report 2 hours. Message looks like "Your account is temporarily locked out and will be automatically unlocked after 2 hours..."