When a user fails to authenticate with proper credentials, safeguards ensure that repeated failed attempts to authenticate have repercussions to mitigate automated attempts to gain unauthorized access to the system.
Two security measures that impact the impact of behavior of one another are excessive login attempts and lockout policies. Excessive login attempts and lockout policies are primarily involved in Pega Platform authentication, such as in PRServlet and the basic credentials authentication service. These policies typically do not apply to other types of PRAuth authentication.
You can apply the following security measures to respond to failed login attempts:
- Excessive login attempts
- When the number of login attempts exceeds a specific number of attempts, the
system presents the user with an error page. The default value is
3, and you can adjust this value by editing
the authentication/maxLoginAttemptsCount dynamic system
setting. If a user tries to log in three times in succession, regardless of
the user name that they enter, the excessive login attempt failure protocol
Note: The excessive login attempt count is maintained on a session (or requestor) basis. If the user fails to log in on the first try, and closes and reopens their browser, then the next login attempt is considered the first attempt because the system creates a new session after a browser restart.
- Lockout policies
- When you enable these settings, after a number of login failures that you
define, lockout policies cause a response delay. Additionally, the delay
increases with each successive failed login. The lockout penalty (response
delay) occurs when the lockout limit (number of failed attempts) has been
You configure these settings on the Security policies landing page. Note: This policy is linked to a specific user name, not the session, as is the case with the excessive login attempts algorithm. Even after exceeding the number of login attempts that is specified in this policy, if a different user name is used in each attempt, no delay occurs.
Login failure responses
Login failures use either different or the same user names on each attempt.
If the user enters a different user name on each attempt, no delay occurs, and after any number of failed attempts, the login failure response is displayed, as shown in the following figure:
If the user enters the same user name on each attempt, the following behavior occurs:
Login failure responses to attempts with the same user name
|3 failed attempts||Error page|
|6 failed attempts||Error page|
|9 failed attempts||Error page|
|10 failed attempts||Initial delay on the eleventh attempt|
|12 failed attempts||Incremental delay, followed by error page|
|13 failed attempts||Delay (even though new session is established)|
The following figure shows the error page response: