Skip to main content

         This documentation site is for previous versions. Visit our new documentation site for current releases.      

Authentication login failures

Updated on March 15, 2022

When a user fails to authenticate with proper credentials, safeguards ensure that repeated failed attempts to authenticate have repercussions to mitigate automated attempts to gain unauthorized access to the system.

Two security measures that impact the impact of behavior of one another are excessive login attempts and lockout policies. Excessive login attempts and lockout policies are primarily involved in Pega Platform authentication, such as in PRServlet and the basic credentials authentication service. These policies typically do not apply to other types of PRAuth authentication.

You can apply the following security measures to respond to failed login attempts:

Excessive login attempts
When the number of login attempts exceeds a specific number of attempts, the system presents the user with an error page. The default value is 3, and you can adjust this value by editing the authentication/maxLoginAttemptsCount dynamic system setting. If a user tries to log in three times in succession, regardless of the user name that they enter, the excessive login attempt failure protocol is enforced.
Note: The excessive login attempt count is maintained on a session (or requestor) basis. If the user fails to log in on the first try, and closes and reopens their browser, then the next login attempt is considered the first attempt because the system creates a new session after a browser restart.
Lockout policies
When you enable these settings, after a number of login failures that you define, lockout policies cause a response delay. Additionally, the delay increases with each successive failed login. The lockout penalty (response delay) occurs when the lockout limit (number of failed attempts) has been exceeded.
Note: This policy is linked to a specific user name, not the session, as is the case with the excessive login attempts algorithm. Even after exceeding the number of login attempts that is specified in this policy, if a different user name is used in each attempt, no delay occurs.
You configure these settings on the Security policies landing page.
For example: You can choose to not set the dynamic system setting for excessive login attempts, and use the default of three attempts instead. Additionally, you can configure the lockout policies to run after 10 failed login attempts. As a result, a failed login attempt refreshes the page and displays the login page along with a generic error message.

Login failure responses

Login failures use either different or the same user names on each attempt.

Note: The validity of the user name is irrelevant to the behavior of authentication security polices.

If the user enters a different user name on each attempt, no delay occurs, and after any number of failed attempts, the login failure response is displayed, as shown in the following figure:

Login failure response to attempts with different user names

The login failure response to an attempted login using different user names
The login failure response to an attempted login using different user names

If the user enters the same user name on each attempt, the following behavior occurs:

Login failure responses to attempts with the same user name

3 failed attemptsError page
6 failed attemptsError page
9 failed attemptsError page
10 failed attemptsInitial delay on the eleventh attempt
12 failed attemptsIncremental delay, followed by error page
13 failed attempts Delay (even though new session is established)

The following figure shows the error page response:

Authentication error page

The "Authentication failed" screen
The screen that is showed when Pega Authentication failed

Have a question? Get answers now.

Visit the Support Center to ask questions, engage in discussions, share ideas, and help others.

Did you find this content helpful?

Want to help us improve this content?

We'd prefer it if you saw us at our best. is not optimized for Internet Explorer. For the optimal experience, please use:

Close Deprecation Notice
Contact us