
Brute force protection

Brute force attacks are among the oldest and simplest forms of authentication attack. The attacker systematically tries candidate passwords or encryption keys, in the limit every possible one, to gain unauthorized access to a system, account, or data.

This attack method assumes that eventually, the correct password or key will be guessed through exhaustive attempts. Although brute force attacks can be time-consuming and resource-intensive, advancements in computational power have made certain types more feasible within reasonable timeframes.

To defend against brute force attacks, security measures like account lockouts, rate limiting, and strong, unique passwords are essential. Techniques like CAPTCHAs and multi-factor authentication (MFA) further enhance security, making systems more resilient to brute force attempts.


How it works

In Frontegg, you can configure how many incorrect attempts a user can make before a response is triggered. After a defined number of incorrect password attempts, you can choose to lock the user's account, preventing further access, even if the correct password is subsequently entered.

Prerequisites

To use brute force protection, passwords must be enabled as an authentication method in your app.

Configuring brute force protection

Frontegg offers options for handling brute force attacks by either blocking or locking users.

  • Set the Threshold: Define the maximum number of incorrect password attempts before a response is triggered.
  • Choose Action: Decide whether you want to block further attempts or lock the user’s account after the threshold is reached.


User experience

When a user enters an incorrect password, they will see an error message. If they keep entering incorrect passwords and reach the threshold, further attempts will be blocked or the account will be locked, depending on the action you configured. A locked account rejects even the correct password until it is unlocked.
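The following Python sketch is an added example, not Frontegg's code, of the mechanism described under "How it works", "Configuring brute force protection" and "User experience", and of the unlock-token step that the "Unlock account email" section below relies on. The semantics of the two actions are assumptions made for the example: "lock" persists until a single-use unlock token is redeemed, while "block" rejects attempts only for a cooldown window. The threshold, cooldown length and event names are likewise illustrative, not Frontegg settings.

```python
import hashlib
import hmac
import secrets
import time
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Assumed semantics for this example (not Frontegg's implementation):
#   "lock"  - account stays locked, even for the correct password, until unlocked
#             with a single-use token (what an "unlock account" email would carry)
#   "block" - further attempts are rejected for a cooldown window, then counting restarts


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    failures: int = 0            # consecutive wrong passwords since the last success
    locked: bool = False
    blocked_until: float = 0.0   # epoch seconds; 0 means not blocked


def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2 with a per-account salt; enough for the example, use Argon2/bcrypt in production
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class BruteForceGuard:
    def __init__(self, threshold: int = 5, action: str = "lock", block_seconds: int = 900):
        if action not in ("lock", "block"):
            raise ValueError("action must be 'lock' or 'block'")
        self.threshold, self.action, self.block_seconds = threshold, action, block_seconds
        self.accounts: dict = {}          # user -> Account
        self.events: list = []            # security-event log, one dict per event
        self.unlock_tokens: dict = {}     # single-use token -> user

    def register(self, user: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.accounts[user] = Account(salt, _hash(password, salt))

    def _event(self, kind: str, user: str, ip: str, now: float) -> None:
        self.events.append({"ts": now, "kind": kind, "user": user, "ip": ip})

    def login(self, user: str, password: str, ip: str, now: Optional[float] = None) -> str:
        """Returns 'ok', 'wrong_password', 'blocked' or 'locked'."""
        now = time.time() if now is None else now
        acct = self.accounts.get(user)
        if acct is None:
            # Unknown users get the same answer as a wrong password so the
            # endpoint does not reveal which usernames exist.
            self._event("login_failed", user, ip, now)
            return "wrong_password"
        if acct.locked:
            self._event("login_rejected_locked", user, ip, now)
            return "locked"                       # the correct password does not help here
        if now < acct.blocked_until:
            self._event("login_rejected_blocked", user, ip, now)
            return "blocked"
        if hmac.compare_digest(_hash(password, acct.salt), acct.pw_hash):
            acct.failures = 0                     # a success resets the counter
            self._event("login_ok", user, ip, now)
            return "ok"
        acct.failures += 1
        self._event("login_failed", user, ip, now)
        if acct.failures >= self.threshold:       # threshold reached: apply the configured action
            self._event("brute_force_threshold", user, ip, now)
            if self.action == "lock":
                acct.locked = True
            else:
                acct.blocked_until = now + self.block_seconds
                acct.failures = 0                 # fresh window once the cooldown ends
        return "wrong_password"

    def issue_unlock_token(self, user: str) -> str:
        # The secret an unlock email would link to: unguessable and redeemable once.
        token = secrets.token_urlsafe(32)
        self.unlock_tokens[token] = user
        return token

    def unlock(self, token: str) -> bool:
        user = self.unlock_tokens.pop(token, None)  # pop makes the token single-use
        if user is None:
            return False
        acct = self.accounts[user]
        acct.locked, acct.failures = False, 0
        self._event("account_unlocked", user, "-", time.time())
        return True

    def failures_by(self, key: str) -> Counter:
        """Failed-login counts per 'user' or 'ip', the view a security-events dashboard would give."""
        return Counter(e[key] for e in self.events if e["kind"] == "login_failed")
```

Two points the paragraphs above state but that are easy to get wrong in an implementation are visible here: a locked account returns "locked" before the password is even checked, and the failure counter is reset only by a successful login or an unlock, never by the attacker simply waiting. The `failures_by` view is the kind of per-IP or per-user aggregation you would look for when reviewing brute force events.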

Unlock account email

Prerequisites

To enable the unlock account email feature, ensure you are using the following SDK versions:
  • @frontegg/react@7.0.1
  • @frontegg/nextjs@9.0.1
  • @frontegg/angular@7.1.0
  • @frontegg/vue@4.0.1


If you enable the Send unlock account email option, users will receive an email allowing them to regain access to their accounts.

Unlock account and Unlock account success templates

Once the Send unlock account email toggle is enabled, ensure that the Unlock account email template is also enabled. Go to [ENVIRONMENT] → Configurations → Authentication → Emails to activate it. You may also enable the Unlock account success email to inform users once their account has been successfully unlocked.



Notifying end users of brute force attacks

You can opt to notify users of potential brute force attacks on their account by selecting the Notify on brute force attacks checkbox.

Analyzing brute force events in your app

  • Go to Analytics ➜ Security Events in the Frontegg portal to view brute force attempts over time.
  • For details on the event types recorded there, see the Security Events page of the Frontegg documentation.