WSO2 Identity Server can be configured to lock a user account when a configured number of consecutive failed login attempts is exceeded. The following section explains how to configure this.
From 5.3.0 onwards there is a new implementation for identity management features. The steps given below in this document follow the new implementation, which is the recommended approach for account locking by failed login attempts.
Alternatively, to see steps on how to enable this identity management feature using the old implementation, see the User Account Locking and Account Disabling documentation in WSO2 IS 5.2.0. The old implementation has been retained within the WSO2 IS pack for backward compatibility and can still be used if required.
- Configure WSO2 IS for account locking by following the instructions given in the Account Locking topic.
- Start WSO2 IS and log in to the management console using your tenant credentials.

  Alternatively, you can use the IdentityGovernanceAdminService SOAP service to do this instead of the management console UI. See Calling Admin Services for more information on how to invoke this SOAP service. If you are using the SOAP service to configure this, you do not need to follow the steps given below this note.

- Click Resident under Identity Providers found in the Main tab.
- Expand the Login Policies tab.
- Expand the Account Locking tab and enter the relevant configurations for your tenant. Click Update to save changes.
| Property | Description |
| --- | --- |
| Maximum Failed Login Attempts | The number of consecutive failed login attempts a user is allowed before the account is locked. If the value you enter is 2, the account is locked when the login attempt fails twice in a row. |
| Lock Timeout Increment Factor | When a user exceeds the limit specified for Maximum Failed Login Attempts, the account is locked for 5 minutes, which is the time specified in Account Unlock Time. If the user attempts to log in again with invalid credentials and the account gets locked a second time, the wait time is 7 minutes (i.e., the Account Unlock Time plus the Lock Timeout Increment Factor). If the account gets locked a third time, the wait time is 9 minutes, as it is incremented by the Lock Timeout Increment Factor again. |
| Account Unlock Time | The time specified here is in minutes. According to the values in the screenshot above, the account is locked for 5 minutes after the user's second failed attempt, and authentication can be attempted again once this time has passed. |
| Account Lock Enabled | Enables locking the account when authentication fails. |
If you want to configure different settings for another tenant, log out and follow the same steps to configure these properties for the other tenants.
Configuring WSO2 IS for automatic account unlock
WSO2 IS can be configured to automatically unlock a user account after a certain period of time. A user account locked by failed login attempts is unlocked automatically once a lock timeout period has been set.
To set the lock timeout period, use the Authentication.Policy.Account.Lock.Time property in the <IS_HOME>/repository/conf/identity/identity-mgt.properties file. As mentioned in the table above, the value is the number of minutes that the account is locked for, after which authentication can be attempted again.
If the lock time is set to 0, the account has to be unlocked by an admin user. For more information about this, see Account locking for a particular user.
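The settings in the table above and the lock timeout rule in this section, as an added Python model for checking how a combination of settings behaves before it is applied to a tenant. This is example code written for this page, not WSO2's implementation; it follows the page's additive description of the increment, assumes an increment factor of 2 (the value that reproduces the 5, 7, 9 minute sequence), and uses a simulated clock in minutes.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed model of the account-locking policy described on this page (not WSO2
# code): the four Account Locking settings plus the rule that an unlock time of 0
# means an admin has to unlock the account. Time is a simulated clock in minutes.

@dataclass
class AccountLockPolicy:
    account_lock_enabled: bool = True
    max_failed_attempts: int = 2       # Maximum Failed Login Attempts
    unlock_time_minutes: int = 5       # Account Unlock Time (0 = admin must unlock)
    lock_timeout_increment: int = 2    # Lock Timeout Increment Factor (assumed value)

@dataclass
class AccountState:
    failed_attempts: int = 0
    lock_count: int = 0                 # how many times the account has been locked
    locked_until: Optional[int] = None  # minute at which the current lock expires
    admin_unlock_required: bool = False

class AccountLockSimulator:
    def __init__(self, policy: AccountLockPolicy):
        self.policy = policy
        self.state = AccountState()

    def is_locked(self, now: int) -> bool:
        s = self.state
        return s.admin_unlock_required or (s.locked_until is not None and now < s.locked_until)

    def lock_duration(self) -> int:
        # First lock lasts Account Unlock Time; every further lock adds the increment.
        p = self.policy
        return p.unlock_time_minutes + p.lock_timeout_increment * (self.state.lock_count - 1)

    def login(self, now: int, credentials_ok: bool) -> str:
        """One login attempt at minute `now`; returns 'ok', 'failed' or 'locked'."""
        s, p = self.state, self.policy
        if self.is_locked(now):
            return "locked"            # attempts against a locked account are rejected
        if credentials_ok:
            s.failed_attempts = 0      # a successful login resets the failure counter
            return "ok"
        s.failed_attempts += 1
        if p.account_lock_enabled and s.failed_attempts >= p.max_failed_attempts:
            s.failed_attempts = 0
            s.lock_count += 1
            if p.unlock_time_minutes == 0:
                s.admin_unlock_required = True   # no automatic unlock at all
            else:
                s.locked_until = now + self.lock_duration()
        return "failed"

    def admin_unlock(self) -> None:
        self.state = AccountState()    # manual unlock by an admin clears everything
```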