Multiple login attacks protection

Last modified by Vincent Massol on 2021/04/06

A new Authentication Security Module has been integrated to prevent attacks on user accounts. This module allows to perform different strategies in case of repeated authentication failures.
For now two strategies are provided:
  - to ask user to answer a CAPTCHA challenge (default strategy)
  - to disable user account (in which case an administrator would have to activate it back)

The strategy is triggered whenever a user repeatedly failed to login in a given time window. The number of failed attempts and the duration of the time window are configurable in Administration > Authentication. Default values are 3 failed attempts in 5 minutes would trigger a CAPTCHA challenge for users.


Get Connected