Attack Protection

User Attack Protection provides a comprehensive security layer to safeguard user accounts from malicious activities such as brute force attacks, bot intrusions, and unauthorized access attempts. Its security features strengthen the integrity of the authentication process and minimize potential threats.

Key Features

  • Brute Force Protection

    Brute Force Lockout allows you to restrict account access based on the number of failed login attempts or failed reset-password-by-token/OTP attempts. If a user enters incorrect credentials (username and password) in the Login API, or enters an incorrect token/OTP, and reaches the threshold set in the Admin Console, a Brute Force Lockout action is triggered for further API calls.

  • Breached Password Protection

    To enhance security, the system detects and prevents the usage of compromised passwords. If users' credentials are found in known breached password lists, the system prompts them to reset their password, ensuring higher account safety.

  • Bot Protection

    Bot Protection adds an extra layer of security by dynamically triggering CAPTCHA challenges at various authentication stages. You can configure this by selecting multiple APIs in the Admin Console under the "Bot Protection Allowed On APIs" settings. This measure helps prevent automated bot attacks on user authentication flows.

  • Domain Access Management

    Control registration access by whitelisting/blacklisting domain names and email IDs. This feature enables organizations to restrict access to certain users based on their domain, reducing the risk of unauthorized registrations and fraudulent account creation.
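The following is an added example of the domain whitelist/blacklist check described above, written for this page and not taken from LoginRadius. It compares the registration e-mail's domain (or the full address) exactly against the configured lists after normalisation, never as a substring, so a look-alike domain such as "evil-example.com" does not satisfy a whitelist entry of "example.com". Giving the blacklist precedence over the whitelist, the function names, and the list contents are assumptions of this example.

```python
"""Domain Access Management check for a registration e-mail address.

Added example, not LoginRadius code. Blacklist precedence, the function
names and the sample lists below are assumptions made for this example.
"""
from typing import Iterable, Set, Tuple


def normalise_email(email: str) -> Tuple[str, str]:
    """Return (local_part, domain) in canonical form, or raise ValueError.

    The domain is lower-cased and stripped of a trailing dot; the local part
    is lower-cased for matching only (an assumption: local parts are formally
    case-sensitive, but registration policies rarely treat them that way).
    """
    email = email.strip()
    local, sep, domain = email.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError("not an e-mail address: %r" % email)
    domain = domain.lower().rstrip(".")
    if not domain or any(c.isspace() for c in domain) or "@" in local:
        raise ValueError("not an e-mail address: %r" % email)
    return local.lower(), domain


def _normalise_entries(entries: Iterable[str]) -> Set[str]:
    """List entries may be bare domains or full addresses; canonicalise both."""
    out = set()
    for entry in entries:
        entry = entry.strip().lower().rstrip(".")
        if "@" in entry:
            local, domain = normalise_email(entry)
            entry = "%s@%s" % (local, domain)
        out.add(entry)
    return out


def is_registration_allowed(email: str,
                            whitelist: Iterable[str] = (),
                            blacklist: Iterable[str] = ()) -> bool:
    """A blacklisted domain or address is refused; when a whitelist is
    configured, only exact matches on it are accepted; an empty whitelist
    accepts everything that is not blacklisted."""
    local, domain = normalise_email(email)
    address = "%s@%s" % (local, domain)
    deny = _normalise_entries(blacklist)
    allow = _normalise_entries(whitelist)
    if address in deny or domain in deny:
        return False
    if allow and address not in allow and domain not in allow:
        return False
    return True


# Constructed policy: corporate domain only, with one address excluded.
WHITELIST = ["Example.com"]
BLACKLIST = ["contractor@example.com"]

if __name__ == "__main__":
    for candidate in ("Alice@Example.com", "contractor@example.com",
                      "alice@evil-example.com", "alice@example.com.attacker.test"):
        print(candidate, "->", is_registration_allowed(candidate, WHITELIST, BLACKLIST))
```

Note that the check matches the exact registrable domain: if you want to admit subdomains of a whitelisted domain you must add them explicitly, which is the safer default because suffix matching is the usual way such filters get bypassed.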

Use Cases

  • Preventing Unauthorized Access Attempts

    Brute force protection ensures that if an attacker tries to guess a password through repeated attempts, the account gets locked after a defined threshold, mitigating unauthorized access.

  • Protecting Users from Credential Stuffing Attacks

    Breached password protection ensures that users do not use compromised passwords, which attackers could exploit using credential-stuffing techniques.

  • Blocking Automated Bot Attacks

    Bot protection prevents malicious automated scripts from bypassing authentication processes, ensuring that only legitimate users can gain access.

  • Restricting Access Based on Organizational Policies

    Domain access management allows enterprises to restrict sign-ups to specific domains (e.g., corporate emails only), preventing unauthorized or fraudulent registrations.

By leveraging these security measures, User Attack Protection strengthens authentication mechanisms, reduces security risks, and enhances overall user account security.

Configuration

Brute Force Lockout prevents unauthorized access by restricting account access after multiple failed login or password reset attempts. If a user exceeds the threshold set in the Admin Console, their account may be locked, suspended, or challenged with CAPTCHA or security questions, depending on the selected lockout type. The system then updates the user's profile with the lockout status.

Configuration Steps:

  1. Navigate to Brute Force Lockout in the Admin console.
  2. Set the threshold for failed login attempts.
  3. Define the lockout type and duration.
  4. Save the settings.

This section provides detailed information on Brute Force Lockout customization and configuration.

Brute Force Lockout

Brute Force Lockout helps secure user accounts by limiting access after several failed login or password reset attempts via token or OTP. When a user repeatedly submits incorrect credentials in the Login API or invalid tokens/OTPs in the Reset Password by Token/OTP API and crosses the configured threshold, LoginRadius triggers a lockout response.

You can configure the lockout threshold in the Admin Console under the Brute Force Lockout Threshold setting.

How It Works

  • Set a Threshold: Define the maximum number of failed login and password reset API attempts.

  • Trigger a Lockout Action: The selected Lockout Type is applied once the threshold is reached.

  • Track Lockout on User Profile: The following fields are updated in the user profile:

    • IsLoginLocked: Set to true

    • LoginLockedType: Stores the type of lockout applied
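To make the three steps above concrete, here is an added model of the lockout flow, written for this page rather than taken from LoginRadius: it counts failed attempts per user, applies the configured lockout type at the threshold, and updates the IsLoginLocked and LoginLockedType fields as documented (including the documented Suspend behaviour, where LoginLockedType stays unchanged and the lock expires at a timeout). The classes LockoutTracker and Profile, the in-memory counter, the reset of the counter on success, and the 15-minute default period are assumptions of this example.

```python
"""Model of the Brute Force Lockout flow: threshold, lockout type, profile fields.

Added example, not LoginRadius code. LockoutTracker, Profile, the in-memory
counter and the default suspend period are assumptions of this example.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

SUSPEND = "Suspend"
CAPTCHA = "Captcha"
SECURITY_QUESTION = "SecurityQuestion"
BLOCK = "Block"

# Constructed timestamp used by the scenario below.
NOW = datetime(2018, 10, 11, 21, 25, 44, tzinfo=timezone.utc)
DEFAULT_SUSPEND_PERIOD = timedelta(minutes=15)  # assumed "Suspend Effective Period"


@dataclass
class Profile:
    """The profile fields the documentation says a lockout updates."""
    uid: str
    IsLoginLocked: bool = False
    LoginLockedType: Optional[str] = None
    LoginLockedTimeout: Optional[datetime] = None  # only set for Suspend


@dataclass
class LockoutTracker:
    threshold: int                      # "Brute Force Lockout Threshold"
    lockout_type: str                   # one of the four types above
    suspend_effective_period: timedelta = DEFAULT_SUSPEND_PERIOD
    failures: Dict[str, int] = field(default_factory=dict)

    def record_failure(self, profile: Profile, now: datetime) -> int:
        """Count one failed login / reset-by-token attempt; lock at the threshold."""
        count = self.failures.get(profile.uid, 0) + 1
        self.failures[profile.uid] = count
        if count >= self.threshold:
            self.apply_lockout(profile, now)
        return count

    def record_success(self, profile: Profile) -> None:
        """A successful attempt clears the counter (assumption of this model)."""
        self.failures.pop(profile.uid, None)

    def apply_lockout(self, profile: Profile, now: datetime) -> None:
        profile.IsLoginLocked = True
        if self.lockout_type == SUSPEND:
            # Documented caveat: Suspend sets IsLoginLocked but leaves
            # LoginLockedType unchanged; the lock lapses at the timeout.
            profile.LoginLockedTimeout = now + self.suspend_effective_period
        else:
            profile.LoginLockedType = self.lockout_type

    def is_locked(self, profile: Profile, now: datetime) -> bool:
        """True while the lockout is in force; an expired suspension is cleared."""
        if not profile.IsLoginLocked:
            return False
        if profile.LoginLockedTimeout is not None and now >= profile.LoginLockedTimeout:
            profile.IsLoginLocked = False
            profile.LoginLockedTimeout = None
            self.failures.pop(profile.uid, None)
            return False
        return True


if __name__ == "__main__":
    tracker = LockoutTracker(threshold=3, lockout_type=SUSPEND)
    user = Profile(uid="user-1")
    for _ in range(3):
        tracker.record_failure(user, NOW)
    print(user)  # IsLoginLocked=True, LoginLockedType=None, timeout 15 min ahead
    print(tracker.is_locked(user, NOW + DEFAULT_SUSPEND_PERIOD))  # False
```

The point to notice is the difference between the two profile fields: a Captcha, SecurityQuestion or Block lockout records its type in LoginLockedType, whereas a Suspend lockout is visible only through IsLoginLocked and the timeout, so any monitoring that keys on LoginLockedType alone will miss suspensions.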

Lockout Types

The available lockout types and their behaviors are described below:

Suspend

  • Description: Temporarily restricts the user from logging in for a defined duration. You can configure the lockout duration using the Suspend Effective Period setting in the Admin Console.
  • Requirements: Lockout Type "Suspend" must be configured in the Admin Console.
  • Note: IsLoginLocked will be updated to true, but LoginLockedType remains unchanged.
  • API Response:

    {
      "Description": "Your account has been locked, please try again after sometime.",
      "ErrorCode": 1198,
      "Message": "Your account has been locked",
      "IsProviderError": false,
      "ProviderErrorResponse": null,
      "Data": { "LoginLockedTimeout": "2018-10-11T21:40:44.875Z" }
    }

Captcha

  • Description: Prompts the user to complete a CAPTCHA challenge. For API logins, pass g-recaptcha-response (reCAPTCHA V2) or qq_captcha_ticket and qq_captcha_randstr (Tencent Captcha).
  • Requirements: Google reCAPTCHA V2 or Tencent CAPTCHA must be configured in the Admin Console.
  • API Response:

    {
      "Description": "Your account has been locked, please enter reCAPTCHA in order to login.",
      "ErrorCode": 1132,
      "Message": "Your account has been locked, please enter reCAPTCHA in order to login",
      "IsProviderError": false,
      "ProviderErrorResponse": null
    }

SecurityQuestion

  • Description: Prompts the user to answer a configured security question. For API logins, pass the answer in the securityanswer field.
  • Requirements: At least one security question must be configured in the Admin Console, and the user must have a saved answer.
  • API Response:

    {
      "Description": "Your account has been locked, please enter the answer to the security question in order to login.",
      "ErrorCode": 1148,
      "Message": "Your account has been locked",
      "IsProviderError": false,
      "ProviderErrorResponse": null
    }

Block

  • Description: Prevents login until unblocked by an administrator. Blocked users can be unblocked via the Admin Console or by setting "isActive": true using the Account Update API.
  • Requirements: Lockout Type "Block" must be selected in the Admin Console.
  • API Response:

    {
      "Description": "Your account has been blocked by the system admin, please contact the admin for more information.",
      "ErrorCode": 991,
      "Message": "Your account is blocked",
      "IsProviderError": false,
      "ProviderErrorResponse": null
    }
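As an added example of how a client integration should react to these four responses (written for this page, not part of the LoginRadius SDK), the function below maps each documented ErrorCode to a next action and, for a suspension, reads Data.LoginLockedTimeout to compute how long to back off before retrying. The ErrorCode values, the LoginLockedTimeout field and the parameter names g-recaptcha-response, qq_captcha_ticket, qq_captcha_randstr and securityanswer are from the documentation; the function names, the action labels, the assumption that a success body carries no ErrorCode, and the sample bodies are constructed for this example.

```python
"""Client-side handling of Brute Force Lockout responses from the Login API.

Added example, not LoginRadius SDK code. Action labels, function names and
the treatment of a body without ErrorCode as success are assumptions here.
"""
import json
from datetime import datetime, timezone
from typing import Any, Dict, Tuple, Union

# ErrorCode -> what the client should do next, per the lockout table.
LOCKOUT_ACTIONS = {
    1198: "wait",                      # Suspend
    1132: "solve_captcha",             # Captcha
    1148: "answer_security_question",  # SecurityQuestion
    991: "contact_admin",              # Block
}

# Extra request fields each challenge expects (names from the documentation).
CHALLENGE_FIELDS = {
    "solve_captcha": ["g-recaptcha-response"],  # Tencent: qq_captcha_ticket + qq_captcha_randstr
    "answer_security_question": ["securityanswer"],
}

# Constructed sample bodies, copied from the documented responses.
SUSPEND_RESPONSE = json.dumps({
    "Description": "Your account has been locked, please try again after sometime.",
    "ErrorCode": 1198, "Message": "Your account has been locked",
    "IsProviderError": False, "ProviderErrorResponse": None,
    "Data": {"LoginLockedTimeout": "2018-10-11T21:40:44.875Z"},
})
CAPTCHA_RESPONSE = json.dumps({
    "Description": "Your account has been locked, please enter reCAPTCHA in order to login.",
    "ErrorCode": 1132, "IsProviderError": False, "ProviderErrorResponse": None,
    "Message": "Your account has been locked, please enter reCAPTCHA in order to login",
})
SECURITY_QUESTION_RESPONSE = json.dumps({
    "Description": "Your account has been locked, please enter the answer to the security question in order to login.",
    "ErrorCode": 1148, "Message": "Your account has been locked",
    "IsProviderError": False, "ProviderErrorResponse": None,
})
BLOCK_RESPONSE = json.dumps({
    "Description": "Your account has been blocked by the system admin, please contact the admin for more information.",
    "ErrorCode": 991, "Message": "Your account is blocked",
    "IsProviderError": False, "ProviderErrorResponse": None,
})
# Constructed "current time": ten minutes before the sample timeout.
SAMPLE_NOW = datetime(2018, 10, 11, 21, 30, 44, 875000, tzinfo=timezone.utc)


def parse_lockout_timeout(value: str) -> datetime:
    """Parse the ISO 8601 'Z' timestamp carried in Data.LoginLockedTimeout."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def classify_login_response(body: Union[str, Dict[str, Any]],
                            now: datetime = None) -> Tuple[str, Dict[str, Any]]:
    """Map a Login API response body (dict or JSON text) to (action, details).

    For a suspension, details carries locked_until and, when `now` is given,
    retry_after_seconds, so the client backs off instead of retrying into
    the lockout window; for a challenge, it lists the fields to send next.
    """
    data = json.loads(body) if isinstance(body, str) else body
    code = data.get("ErrorCode")
    if code is None:
        return "success", {}
    action = LOCKOUT_ACTIONS.get(code)
    if action is None:
        return "other_error", {"ErrorCode": code, "Message": data.get("Message")}
    details: Dict[str, Any] = {"ErrorCode": code}
    if action == "wait":
        locked_until = parse_lockout_timeout(data["Data"]["LoginLockedTimeout"])
        details["locked_until"] = locked_until
        if now is not None:
            details["retry_after_seconds"] = max(0, int((locked_until - now).total_seconds()))
    elif action in CHALLENGE_FIELDS:
        details["extra_fields"] = list(CHALLENGE_FIELDS[action])
    return action, details


if __name__ == "__main__":
    for sample in (SUSPEND_RESPONSE, CAPTCHA_RESPONSE, SECURITY_QUESTION_RESPONSE, BLOCK_RESPONSE):
        print(classify_login_response(sample, now=SAMPLE_NOW))
```

Dispatching on ErrorCode rather than on the Message text matters because the Message strings differ only slightly between lockout types and may be localised or reworded, while the codes are the stable contract.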