Brute-force protection safeguards against brute-force attacks that originate from a single IP address and target a single user account. It is enabled by default for all connections.
The brute-force protection shield is triggered when the following occurs:
10 consecutive failed login attempts for the same user originate from the same IP address.
When triggered, brute-force protection will:
Send an email to the affected user. (You can customize the email.)
Block the suspicious IP address for the user.
For example, if a user attempts to sign in from IP1 and consecutively fails to log in 10 times, then future login attempts for the user from IP1 will be blocked. Other users attempting to log in from IP1 will not be blocked.
If brute-force protection is triggered, it will be removed when:
the affected user clicks on the unblock link in the email notification (if configured).
the affected user changes their password.
an administrator removes the block.
You can configure brute-force protection in the following ways:
Enable/disable safeguarding against brute-force attacks that occur from a single IP address and target a single user account.
Configure a list of trusted IP addresses from which users can access your resources.
Enable/disable whether to notify users by email when their account has been blocked.
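The rules above, as an added illustration rather than the product's own implementation: a small model keyed on the (user, IP) pair that shows the points a practitioner tends to get wrong, namely that the counter is per user and per IP (other users from the same address are unaffected), that "consecutive" means a successful login resets the count, that trusted addresses are never counted, and that a block is released only through the three paths listed. The class and method names, the `notified` list standing in for the email, and the sample addresses are constructed for the example.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set, Tuple

# Threshold from the page: 10 consecutive failures for one user from one IP.
MAX_CONSECUTIVE_FAILURES = 10

Key = Tuple[str, str]  # (user, ip)


@dataclass
class BruteForceShield:
    """Illustrative model of the per-user, per-IP block; not the product's code."""
    enabled: bool = True
    notify_by_email: bool = True
    # Trusted source networks (CIDR strings) are never counted or blocked.
    trusted_cidrs: List[str] = field(default_factory=list)
    # Consecutive-failure counters and active blocks, both keyed per (user, ip).
    failures: Dict[Key, int] = field(default_factory=dict)
    blocked: Set[Key] = field(default_factory=set)
    # Stand-in for the notification email: users we would have mailed.
    notified: List[str] = field(default_factory=list)

    def is_trusted(self, ip: str) -> bool:
        addr = ip_address(ip)
        return any(addr in ip_network(cidr) for cidr in self.trusted_cidrs)

    def is_blocked(self, user: str, ip: str) -> bool:
        return (user, ip) in self.blocked

    def record_attempt(self, user: str, ip: str, success: bool) -> str:
        """Feed one login attempt; returns 'allowed', 'blocked' or 'newly_blocked'."""
        key = (user, ip)
        if key in self.blocked:
            return "blocked"               # even a correct password is refused from this IP
        if not self.enabled or self.is_trusted(ip):
            return "allowed"               # protection off or trusted source: no counting
        if success:
            self.failures.pop(key, None)   # "consecutive": one success resets the count
            return "allowed"
        count = self.failures.get(key, 0) + 1
        self.failures[key] = count
        if count < MAX_CONSECUTIVE_FAILURES:
            return "allowed"
        # 10th consecutive failure: block this user from this IP only.
        self.blocked.add(key)
        self.failures.pop(key, None)
        if self.notify_by_email:
            self.notified.append(user)
        return "newly_blocked"

    # The three ways the page says a block is removed.
    def unblock_via_email_link(self, user: str, ip: str) -> None:
        self.blocked.discard((user, ip))

    def password_changed(self, user: str) -> None:
        self._clear_user(user)

    def admin_unblock(self, user: str, ip: Optional[str] = None) -> None:
        if ip is None:
            self._clear_user(user)
        else:
            self.blocked.discard((user, ip))

    def _clear_user(self, user: str) -> None:
        self.blocked = {k for k in self.blocked if k[0] != user}


if __name__ == "__main__":
    shield = BruteForceShield(trusted_cidrs=["10.0.0.0/8"])  # constructed trusted range
    for _ in range(MAX_CONSECUTIVE_FAILURES):
        shield.record_attempt("alice", "203.0.113.5", success=False)
    print("alice from 203.0.113.5 blocked:", shield.is_blocked("alice", "203.0.113.5"))
    print("bob from 203.0.113.5 blocked:  ", shield.is_blocked("bob", "203.0.113.5"))
```

Note that the block is checked before the password is evaluated: once the pair is blocked, the correct password from that address is refused until one of the release paths runs, which is what makes the email unblock link and the password change meaningful.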
Because brute-force protection depends on the IP address of the user, the following use cases require additional configuration:
Using the Resource Owner Password Grant from the backend of your application: in this flow the login request is made by your backend, so the IP address seen is that of your server, not of the end user, and every user appears to come from a single address. To make brute-force protection work correctly, configure your application to send the end user's IP address as part of the request.
Authenticating a large number of users from the same IP address: users who are behind a shared proxy or NAT all present the same source address and are more likely to reach the limit and trigger brute-force protection. Such addresses are candidates for the trusted IP list described above.
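Added example for the backend password-grant case above; it is not the page's or any provider's own code. It assumes the identity provider is Auth0, which reads the end user's address for this grant from an `auth0-forwarded-for` request header (other providers use a different mechanism, so substitute theirs), and that `TOKEN_URL`, `CLIENT_ID`, `CLIENT_SECRET` and the trusted-proxy range are placeholders for your own values. The security-relevant part is how the forwarded address is chosen: it must come from the TCP peer or from a proxy you control, never from a header the client can set, because an attacker who can choose the forwarded address simply rotates it on every attempt and no (user, IP) pair ever reaches the failure limit.

```python
import json
import urllib.request
from ipaddress import ip_address, ip_network
from typing import Optional
from urllib.parse import urlencode

# Assumed values, not from the page: replace with your tenant's endpoint and credentials.
TOKEN_URL = "https://YOUR_DOMAIN/oauth/token"
CLIENT_ID = "YOUR_CLIENT_ID"
CLIENT_SECRET = "YOUR_CLIENT_SECRET"
# Assumption: the identity provider is Auth0, which takes the end user's IP for the
# password grant from this header. Other providers need a different mechanism.
FORWARDED_IP_HEADER = "auth0-forwarded-for"
# Constructed: the only hops allowed to set X-Forwarded-For on the way to this backend.
TRUSTED_PROXIES = [ip_network("10.0.0.0/8")]


def end_user_ip(peer_ip: str, x_forwarded_for: Optional[str]) -> str:
    """Return the address to forward as the end user's IP.

    X-Forwarded-For is honoured only when the direct peer is one of our own proxies.
    If a client could set it directly, an attacker would forge a fresh address per
    request and never trip the 10-failure limit for any (user, IP) pair.
    """
    peer = ip_address(peer_ip)
    if x_forwarded_for and any(peer in net for net in TRUSTED_PROXIES):
        # Our proxy appends the address it saw; entries to the left were supplied by
        # whoever came before it and are untrusted.
        candidate = x_forwarded_for.split(",")[-1].strip()
        return str(ip_address(candidate))  # ValueError on anything that is not an IP
    return str(peer)


def build_password_grant_request(username: str, password: str,
                                 user_ip: str) -> urllib.request.Request:
    """Build the Resource Owner Password Grant call carrying the end user's IP."""
    body = urlencode({
        "grant_type": "password",
        "username": username,
        "password": password,
        "client_id": CLIENT_ID,
        "client_secret": CLIENT_SECRET,
    }).encode()
    req = urllib.request.Request(TOKEN_URL, data=body, method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    req.add_header(FORWARDED_IP_HEADER, user_ip)  # the user's address, not the server's
    return req


def exchange_password(username: str, password: str, peer_ip: str,
                      x_forwarded_for: Optional[str] = None) -> dict:
    """Perform the exchange against the provider (network call; not run offline)."""
    req = build_password_grant_request(username, password,
                                       end_user_ip(peer_ip, x_forwarded_for))
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Constructed request: our load balancer at 10.0.0.5 forwarded a user at 198.51.100.7.
    req = build_password_grant_request("alice", "correct horse battery staple",
                                       end_user_ip("10.0.0.5", "198.51.100.7"))
    print(req.get_method(), req.full_url, dict(req.header_items()))
```

The provider side must also be configured to trust this header from your backend (Auth0 exposes a per-application setting for it); if it is not, the header is ignored and all of your users are still counted against the backend's single address.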