Security rules
Frontegg provides 8 built-in security defenses, each configurable with different actions when triggered. For example, you can allow inactive users to continue using your app but block them if they attempt to use a compromised password.
Actions for each defense
| Defense | Description | Allow | Challenge | Block | Lock |
|---|---|---|---|---|---|
| Let the user continue to your app | Require MFA verification; if successful, allow the user to continue | Prevent the user from logging in | Immediately lock the user | ||
| Bot detection | Identifies malicious bots to prevent security threats | ✓ | ✓ | ✓ | ✓ |
| New device | Analyzes device characteristics to detect potential security threats | ✓ | ✓ | ||
| Brute force protection | Detects repeated failed login attempts to prevent unauthorized access | ✓ | ✓ | ||
| Breached password | Blocks use of passwords known to be compromised in data breaches | ✓ | ✓ | ✓ | |
| Impossible travel | Detects logins from different locations within an unreasonably short timeframe | ✓ | ✓ | ✓ | |
| Suspicious IPs | Identifies suspicious IP activity, allowing detection or prevention of threats | ✓ | ✓ | ✓ | ✓ |
| Stale users | Deactivates inactive accounts to reduce security risks | ✓ | ✓ | ✓ | |
| Email credibility check | Allows only validated emails with good reputations at sign-up | ✓ | ✓ |
Configuring security rules
To modify policies for any defense that Frontegg offers, users with an Admin role in the Frontegg account can access and adjust settings from the Security Rules page within any environment.