This documentation is for WSO2 Identity Server 5.4.0. View documentation for the latest release.
Configuring reCaptcha for Password Recovery Flow - Identity Server 5.4.0 - WSO2 Documentation
||
Skip to end of metadata
Go to start of metadata
This topic guides you through configuring reCaptcha for secret questions in the password recovery flow. By configuring reCaptcha, you can mitigate or block brute force attacks.
  1. Set up reCaptcha with the WSO2 Identity Server. For instructions on how to do this and more information about reCaptcha, see Setting Up ReCaptcha.
  2. Start the WSO2 IS Server and login to the management console. 
  3. Click Resident under Identity Providers found in the Main tab.
  4. Expand the Account Management Policies tab and then expand the Account Recovery tab. 
  5. Select Enable reCaptcha for Security Question Based Password Recovery to enable reCaptcha for account recovery. 

  6. Configure the Max Failed Attempts for ReCaptcha.

    Note: This value should be less than the number of failed attempts configured in the account locking connector.

  7. You have now successfully configured reCaptcha for the password recovery with secret questions flow. The reCaptcha will be prompted if the user reaches the limit of max failed attempts when providing an answer to a secret question. For instance, since the Max Failed Attempts for ReCaptcha was configured as 2 above, if the user answers a question incorrectly twice, the reCaptcha will be prompted as seen in the window below. 
  • No labels