When a user fails to authenticate with proper credentials, safeguards ensure that repeated failed attempts to authenticate have repercussions to mitigate automated attempts to gain unauthorized access to the system.
Two security measures that impact the impact of behavior of one another are excessive login attempts and lockout policies. Excessive login attempts and lockout policies are primarily involved in Pega Platform authentication, such as in PRServlet and the basic credentials authentication service. These policies typically do not apply to other types of PRAuth authentication.
You can apply the following security measures to respond to failed login attempts:
- Excessive login attempts
- When the number of login attempts exceeds a specific number of attempts, the system presents the user with an error page. The default value is 3, and you can adjust this value by editing the authentication/maxLoginAttemptsCount dynamic system setting. If a user tries to log in three times in succession, regardless of the user name that they enter, the excessive login attempt failure protocol is enforced.
- Lockout policies
- When you enable these settings, after a number of login failures that you define, lockout policies cause a response delay. Additionally, the delay increases with each successive failed login. The lockout penalty (response delay) occurs when the lockout limit (number of failed attempts) has been exceeded. You configure these settings on the Security policies landing page.
Login failure responses
Login failures use either different or the same user names on each attempt.
If the user enters a different user name on each attempt, no delay occurs, and after any number of failed attempts, the login failure response is displayed, as shown in the following figure:
If the user enters the same user name on each attempt, the following behavior occurs:
Login failure responses to attempts with the same user name
|3 failed attempts||Error page|
|6 failed attempts||Error page|
|9 failed attempts||Error page|
|10 failed attempts||Initial delay on the eleventh attempt|
|12 failed attempts||Incremental delay, followed by error page|
|13 failed attempts||Delay (even though new session is established)|
The following figure shows the error page response: