Symptoms

We have set some values for these system properties under Settings:


- Maximum authentication attempts before locking user = 2

- Failed login attempts checking period (minutes) = 10


However, they don't seem to work: even if we enter an incorrect password 3 times within 10 minutes, the user does not get locked out.


Cause

The Identity Provider (IDP) is enabled. When it is, lockout is not governed by the Settings values above but by the IDP brute-force protection settings:

Identity Service > Brute-force Protection >

- Period for failed login tracking (minutes)

- User lockout threshold (attempts)

- User lockout period (minutes)


Example:


You may find more information about it in our documentation:

https://docs.cloudblue.com/cbc/20.5/premium/content/Identity-Provider/Configuring-Brute-Force-Attack-Protection.htm


Note: A locked user is still shown the "Invalid username or password." error; there is no separate "account locked" message.

Quote from https://www.keycloak.org/docs/latest/server_admin/ :

This message is the same error message as the message displayed for an invalid username or invalid password to ensure the attacker is unaware the account is disabled. 



Brute-force protection can be considered not working only if a user can still log in to CP successfully after 10 unsuccessful attempts made within a 10-minute period (provided your settings are as in the example above). If the correct password is rejected after that point, the lockout is working, even though the error message is the same as for a wrong password.
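As an added example (not part of the original article and not CloudBlue's or Keycloak's own code), the Python script below models the three IDP settings listed under Cause and runs the check described in the previous paragraph: a number of wrong passwords spaced over time, then the correct password, with "locked" meaning the correct password is rejected with the same generic error. The class and function names, the user "alice" and the sample timestamps are assumptions made for the simulation; against a live CP the same sequence is typed into the login form.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed sample user store for the simulation (not a real account).
USERS = {"alice": "correct-horse-battery-staple"}

# The message shown for a wrong password AND for a locked user.
GENERIC_ERROR = "Invalid username or password."


@dataclass
class BruteForceSettings:
    failure_tracking_period: timedelta  # "Period for failed login tracking (minutes)"
    lockout_threshold: int              # "User lockout threshold (attempts)"
    lockout_period: timedelta           # "User lockout period (minutes)"


@dataclass
class _UserState:
    failures: List[datetime] = field(default_factory=list)  # recent failure times
    locked_until: Optional[datetime] = None


class IdpModel:
    """Simplified model of temporary lockout (assumption: not the IDP's real code)."""

    def __init__(self, settings: BruteForceSettings):
        self.settings = settings
        self._state: Dict[str, _UserState] = {}

    def _state_for(self, user: str) -> _UserState:
        return self._state.setdefault(user, _UserState())

    def is_locked(self, user: str, now: datetime) -> bool:
        st = self._state_for(user)
        return st.locked_until is not None and now < st.locked_until

    def login(self, user: str, password: str, now: datetime):
        """Return (success, error_message). Only failures inside the tracking
        period count towards the threshold; a locked user always gets the
        generic error, even with the right password."""
        st = self._state_for(user)
        cutoff = now - self.settings.failure_tracking_period
        st.failures = [t for t in st.failures if t > cutoff]
        if self.is_locked(user, now):
            return False, GENERIC_ERROR
        if USERS.get(user) == password:
            st.failures.clear()
            return True, None
        st.failures.append(now)
        if len(st.failures) >= self.settings.lockout_threshold:
            st.locked_until = now + self.settings.lockout_period
            st.failures.clear()
        return False, GENERIC_ERROR


def lockout_check(idp: IdpModel, user: str, good_password: str,
                  attempts: int, spacing: timedelta, start: datetime) -> bool:
    """The article's test: `attempts` wrong passwords `spacing` apart, then the
    correct one. True means protection works (correct password rejected)."""
    t = start
    for i in range(attempts):
        ok, msg = idp.login(user, f"wrong-{i}", t)
        assert not ok and msg == GENERIC_ERROR
        t += spacing
    ok, msg = idp.login(user, good_password, t)
    return (not ok) and msg == GENERIC_ERROR


def check_scenario(attempts: int, spacing_minutes: float, tracking_minutes: int = 10,
                   threshold: int = 10, lockout_minutes: int = 30) -> bool:
    """Run lockout_check with IDP-style settings (defaults match the article's
    10 attempts / 10 minutes example; 30-minute lockout is an assumption)."""
    settings = BruteForceSettings(timedelta(minutes=tracking_minutes), threshold,
                                  timedelta(minutes=lockout_minutes))
    idp = IdpModel(settings)
    start = datetime(2024, 1, 1, 9, 0, 0)  # constructed timestamp
    return lockout_check(idp, "alice", USERS["alice"], attempts,
                         timedelta(minutes=spacing_minutes), start)


def lockout_expires(tracking_minutes: int = 10, threshold: int = 10,
                    lockout_minutes: int = 30) -> bool:
    """True if the user is rejected while locked and accepted again once the
    lockout period has passed."""
    settings = BruteForceSettings(timedelta(minutes=tracking_minutes), threshold,
                                  timedelta(minutes=lockout_minutes))
    idp = IdpModel(settings)
    t = datetime(2024, 1, 1, 9, 0, 0)  # constructed timestamp
    for i in range(threshold):
        idp.login("alice", f"wrong-{i}", t)
        t += timedelta(seconds=30)
    still_locked = not idp.login("alice", USERS["alice"], t)[0]
    released = idp.login("alice", USERS["alice"], t + settings.lockout_period)[0]
    return still_locked and released


if __name__ == "__main__":
    print("10 failures in 5 min, lockout works:", check_scenario(10, 0.5))
    print("9 failures in 4.5 min, no lockout:", check_scenario(9, 0.5))
    print("10 failures spread over 18 min, no lockout:", check_scenario(10, 2))
    print("CP's '2 attempts' value has no effect:", check_scenario(2, 0.5))
    print("lockout released after lockout period:", lockout_expires())
```

The third scenario is the one that usually causes confusion: ten failures that are two minutes apart never have ten of them inside the 10-minute tracking window at once, so no lockout occurs even though the threshold is 10. The fourth scenario shows why the Settings value "Maximum authentication attempts before locking user = 2" from the Symptoms section has no effect once the IDP settings are the ones in control.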


Resolution

Make sure that the IDP brute-force protection settings satisfy your requirements; the values under Settings do not apply while the IDP is enabled.

Make sure you understand the definition of "locked" (see the Note above): a locked user receives the same "Invalid username or password." error as a user with a wrong password.