
User Attack Protection

Overview

User Attack Protection is a security layer that safeguards user accounts against brute force attacks, bot intrusions, and unauthorized access attempts. Its features protect the integrity of the authentication flow and reduce the attack surface those threats can exploit.

Key Features

  • Brute Force Protection

    Brute Force Lockout lets you restrict account access based on the number of failed login attempts or failed password-reset attempts (token or OTP). If a user enters incorrect credentials (username and password) in the Login API, or enters an incorrect reset token or OTP, and reaches the threshold set in the Admin Console, the configured Brute Force Lockout action is applied to further API calls for that account.

  • Breached Password Protection

    To keep compromised passwords out of the system, user credentials are checked against known breached-password lists. If a user's password appears in one of those lists, the user is prompted to reset it, which closes off the easiest route to account takeover.

  • Bot Protection

    Bot Protection adds an extra layer of security by triggering CAPTCHA challenges at selected authentication stages. You choose which APIs this applies to in the Admin Console under the "Bot Protection Allowed On APIs" setting. This measure helps prevent automated attacks on user authentication flows.

  • Domain Access Management

    Control who can register by whitelisting or blacklisting domain names and individual email IDs. Organizations use this to limit registration to approved domains, reducing the risk of unauthorized registrations and fraudulent account creation.
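The domain and email ID lists described above are only as good as the check that enforces them at the registration API. The following is an added illustrative example, not code from the product documented on this page: it shows the server-side check such lists imply, with the behaviour a practitioner would want when hostile input arrives (case folding, a trailing dot on the domain, addresses with two `@` signs, and a look-alike domain that merely ends in the corporate name). The function name `is_registration_allowed` and the list semantics (blacklist wins, exact-domain match, an empty whitelist means "no restriction") are assumptions about how such a rule should behave, not a description of the product's implementation.

```python
# Added illustrative example, not the product's code. The function name and the
# list semantics (blacklist wins, exact-domain match, empty whitelist = open)
# are assumptions about how a domain/email whitelist-blacklist should behave.
from typing import Iterable, Optional, Tuple


def normalize_email(email: str) -> Optional[Tuple[str, str]]:
    """Lower-case and split an address into (local, domain), or return None
    when it is not a single user@domain pair. A trailing dot on the domain
    is dropped so "corp.example.com." compares equal to "corp.example.com"."""
    email = email.strip().lower()
    if email.count("@") != 1:
        return None
    local, domain = email.split("@")
    domain = domain.rstrip(".")
    if not local or not domain or domain.startswith("."):
        return None
    return local, domain


def _clean_domains(domains: Iterable[str]) -> set:
    """Apply the same normalization to configured domains as to input."""
    return {d.strip().lower().rstrip(".") for d in domains if d.strip()}


def is_registration_allowed(
    email: str,
    allowed_domains: Iterable[str] = (),
    blocked_domains: Iterable[str] = (),
    blocked_emails: Iterable[str] = (),
) -> bool:
    """Return True if a registration with this email should be accepted."""
    parsed = normalize_email(email)
    if parsed is None:
        return False                      # malformed input is never allowed
    local, domain = parsed
    full = f"{local}@{domain}"

    allow = _clean_domains(allowed_domains)
    block = _clean_domains(blocked_domains)
    # Normalize blocked IDs exactly like the input so "Bob@Corp.Example.com."
    # still matches "bob@corp.example.com".
    blocked_ids = {"@".join(p) for p in map(normalize_email, blocked_emails) if p}

    # Blacklist entries win even when the domain is also whitelisted, so one
    # abusive account can be shut out without reopening the whole domain.
    if full in blocked_ids or domain in block:
        return False

    # Whitelist: the whole domain must match. A substring or suffix test would
    # let "mallory@corp.example.com.evil.com" through as if it were corporate.
    if allow:
        return domain in allow
    return True


if __name__ == "__main__":
    print(is_registration_allowed("Alice@Corp.Example.COM", allowed_domains=["corp.example.com"]))
    print(is_registration_allowed("mallory@corp.example.com.evil.com", allowed_domains=["corp.example.com"]))
```

Exact matching is deliberate: if sub-domains such as `eu.corp.example.com` should also be accepted, add them to the whitelist explicitly rather than loosening the comparison to a suffix test. Whatever the rule, it must run in the registration API itself; a check that lives only in the sign-up form is bypassed by calling the API directly.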

Use Cases

  • Preventing Unauthorized Access Attempts

    Brute force protection ensures that if an attacker repeatedly guesses passwords for an account, the account is locked once the configured threshold is reached, capping the number of guesses the attacker gets.

  • Protecting Users from Credential Stuffing Attacks

    Breached password protection blocks passwords that already appear in public breach data, which are exactly the passwords attackers replay in credential-stuffing attacks.

  • Blocking Automated Bot Attacks

    Bot protection stops automated scripts from driving the authentication flow at scale, so that only interactive users can complete it.

  • Restricting Access Based on Organizational Policies

    Domain access management allows enterprises to restrict sign-ups to specific domains (e.g., corporate emails only), preventing unauthorized or fraudulent registrations.

By leveraging these security measures, User Attack Protection strengthens authentication mechanisms, reduces security risks, and enhances overall user account security.

Configuration

Brute Force Lockout prevents unauthorized access by restricting account access after multiple failed login or password reset attempts. If a user exceeds the threshold set in the Admin Console, their account may be locked, suspended, or challenged with CAPTCHA or security questions, depending on the selected lockout type. The system then updates the user's profile with the lockout status.

Configuration Steps:

  1. Navigate to Brute Force Lockout in the Admin console.
  2. Set the threshold for failed login attempts.
  3. Define the lockout type and duration.
  4. Save the settings.

This document provides detailed information on Brute Force Lockout customization and configuration.