We have set some values for these system properties under Settings:
- Maximum authentication attempts before locking user = 2
- Failed login attempts checking period (minutes) = 10
However, they don't seem to work. Even if we input an incorrect password 3 times within 10 minutes, the user does not get locked out.
IDP is enabled and the above behavior is controlled by its settings:
Identity Service > Brute-force Protection >
- Period for failed login tracking (minutes)
- User lockout threshold (attempts)
- User lockout period (minutes)
You may find more information about it in our documentation:
Note: Even if a user is locked, you might still be getting an "Invalid username or password." error.
Quote from https://www.keycloak.org/docs/latest/server_admin/ :
Brute-force protection settings can be pronounced not working only if a user can still successfully log in to CP after 10 unsuccessful attempts made within a 10-minute period (provided your settings are as in the above example).
Make sure that IDP settings satisfy your requirements.
Make sure you understand the definition of "locked", see Note above.
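To make the three Brute-force Protection settings and the Note concrete, here is a small model of a lockout policy that replays the situation from this thread. It is an added example written for this page, not Keycloak's or the product's own implementation; the `BruteForcePolicy`, `LoginService` and `run_scenario` names, the user `alice`/`bob`, the passwords and the timestamps are all constructed for illustration.

```python
"""Simplified model of a brute-force lockout policy with the three knobs named in
the answer: failed-login tracking period, lockout threshold and lockout period.
Illustrative model code written for this page, not Keycloak's or the product's
own implementation; users, passwords and timestamps are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# The same error is returned for a wrong password and for a locked account,
# so a caller cannot tell the two apart (the point of the Note in the answer).
GENERIC_ERROR = "Invalid username or password."


@dataclass
class BruteForcePolicy:
    tracking_period: timedelta  # "Period for failed login tracking (minutes)"
    lockout_threshold: int      # "User lockout threshold (attempts)"
    lockout_period: timedelta   # "User lockout period (minutes)"


@dataclass
class UserState:
    password: str                                           # constructed credential
    failures: List[datetime] = field(default_factory=list)  # recent failure times
    locked_until: Optional[datetime] = None


class LoginService:
    def __init__(self, policy: BruteForcePolicy, users: Dict[str, UserState]):
        self.policy = policy
        self.users = users

    def is_locked(self, username: str, now: datetime) -> bool:
        user = self.users.get(username)
        return bool(user and user.locked_until and now < user.locked_until)

    def login(self, username: str, password: str, now: datetime) -> Tuple[bool, str]:
        user = self.users.get(username)
        if user is None or self.is_locked(username, now):
            return False, GENERIC_ERROR
        if password == user.password:
            user.failures.clear()          # a successful login resets the counter
            return True, "OK"
        # Only failures inside the tracking period count towards the threshold.
        cutoff = now - self.policy.tracking_period
        user.failures = [t for t in user.failures if t > cutoff]
        user.failures.append(now)
        if len(user.failures) >= self.policy.lockout_threshold:
            user.locked_until = now + self.policy.lockout_period
            user.failures.clear()
        return False, GENERIC_ERROR


def run_scenario(threshold: int = 10, tracking_minutes: int = 10,
                 lockout_minutes: int = 30) -> Dict[str, object]:
    """Replays the thread's situation and returns what an observer would see."""
    policy = BruteForcePolicy(timedelta(minutes=tracking_minutes), threshold,
                              timedelta(minutes=lockout_minutes))
    svc = LoginService(policy, {"alice": UserState("correct-horse")})
    t0 = datetime(2024, 1, 1, 9, 0, 0)   # constructed start time

    # Three wrong passwords within the window: below a threshold of 10, so the
    # correct password still works. That is expected, not a broken setting.
    for i in range(3):
        svc.login("alice", "wrong", t0 + timedelta(seconds=i))
    after_three = svc.login("alice", "correct-horse", t0 + timedelta(seconds=5))[0]

    # Now reach the threshold with wrong passwords inside the tracking window.
    for i in range(threshold):
        svc.login("alice", "wrong", t0 + timedelta(minutes=1, seconds=i))
    locked_now = svc.is_locked("alice", t0 + timedelta(minutes=2))
    # A locked user presenting the CORRECT password still sees the generic error.
    during_lockout = svc.login("alice", "correct-horse", t0 + timedelta(minutes=2))
    # Once the lockout period has elapsed, the correct password is accepted again.
    after_lockout = svc.login("alice", "correct-horse",
                              t0 + timedelta(minutes=2 + lockout_minutes))[0]

    return {
        "after_three_failures_login_ok": after_three,
        "locked_after_threshold": locked_now,
        "locked_user_login_ok": during_lockout[0],
        "locked_user_message": during_lockout[1],
        "after_lockout_login_ok": after_lockout,
    }


def spread_failures_lock(threshold: int = 10, tracking_minutes: int = 10) -> bool:
    """Failures that fall outside the tracking period are forgotten."""
    policy = BruteForcePolicy(timedelta(minutes=tracking_minutes), threshold,
                              timedelta(minutes=30))
    svc = LoginService(policy, {"bob": UserState("hunter2")})
    t0 = datetime(2024, 1, 1, 9, 0, 0)   # constructed start time
    for i in range(threshold - 1):
        svc.login("bob", "wrong", t0 + timedelta(seconds=i))
    # The final failure arrives after the tracking period has elapsed.
    late = t0 + timedelta(minutes=tracking_minutes + 1)
    svc.login("bob", "wrong", late)
    return svc.is_locked("bob", late)


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
    print("locked when failures are spread outside the window:", spread_failures_lock())
```

Running `run_scenario()` with the defaults shows why three failures against a threshold of 10 do not lock anyone, that a locked user gets exactly the same "Invalid username or password." response as a user who mistyped, and that the lock lifts after the lockout period. The real product's counter-reset rules may differ from this model; what carries over is that "locked" is only observable as a correct password being rejected during the lockout window.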