Brute-force protection

A brute-force attack is an attack in which an intruder tries to gain access to the system by submitting many passwords, in the hope of guessing one correctly.

The brute-force protection mechanism of the platform is based on device cookies.

The settings for brute-force protection that are used in the platform are pre-defined:

Parameter                                             Entering the password              Entering the TOTP code
----------------------------------------------------  ---------------------------------  ----------------------------
Attempt limit                                         10                                 5
Attempt limit period (the limit is reset on timeout)  15 min (900 sec)                   15 min (900 sec)
Lockout happens on                                    Attempt limit + 1 (11th attempt)   Attempt limit (5th attempt)
Lockout period                                        5 min (300 sec)                    5 min (300 sec)

If you have enabled two-factor authentication, a device cookie is issued to a client (browser) only after successful authentication using both factors (password and TOTP code).

For trusted browsers, the device cookie is issued after successful authentication using only one factor (password).

Attempts to enter the TOTP code are counted per user, not per device. This means that a user who tries to enter the TOTP code from several different devices is still locked out once the limit is reached.
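The following is an added example that models the policy described above; it is not the platform's own code. It assumes the widely described device-cookie pattern: a login request that carries a valid, HMAC-signed cookie for the user has its password failures counted against that device, while requests without a valid cookie share one "untrusted" bucket per user. The cookie format (user:nonce:signature), the in-memory counters, the injectable clock and the return strings are all assumptions made for the example; the numeric limits, windows, lockout periods and the "limit + 1" versus "limit" lockout points are taken from the table.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional

# Settings as given in the page's table (time values in seconds).
PASSWORD_ATTEMPT_LIMIT = 10   # lockout on attempt limit + 1, i.e. the 11th failure
TOTP_ATTEMPT_LIMIT = 5        # lockout on the attempt limit itself, i.e. the 5th failure
ATTEMPT_WINDOW = 900          # the failure counter is reset once this period has elapsed
LOCKOUT_PERIOD = 300


@dataclass
class AttemptCounter:
    failures: int = 0
    window_start: float = 0.0
    locked_until: float = 0.0


class BruteForceGuard:
    """Device-cookie based lockout (assumed design). `clock` is injectable so the policy can be tested offline."""

    def __init__(self, cookie_secret: bytes, clock=time.time):
        self._secret = cookie_secret
        self._clock = clock
        # Password failures: keyed per (user, device nonce) or per (user, "untrusted") bucket.
        self._password_counters: dict = {}
        # TOTP failures: keyed per user only, as the page states.
        self._totp_counters: dict = {}

    # --- device cookies (assumed format: user:nonce:hmac-sha256) ----------------
    def _sign(self, user: str, nonce: str) -> str:
        return hmac.new(self._secret, f"{user}:{nonce}".encode(), hashlib.sha256).hexdigest()

    def issue_device_cookie(self, user: str) -> str:
        """Call only after a successful login: both factors, or the password alone for a trusted browser."""
        nonce = secrets.token_hex(16)
        return f"{user}:{nonce}:{self._sign(user, nonce)}"

    def device_id(self, user: str, cookie: Optional[str]) -> str:
        """Return the nonce of a valid cookie for this user, or "untrusted" for a missing or forged cookie."""
        if cookie:
            parts = cookie.split(":")
            if len(parts) == 3 and parts[0] == user:
                expected = self._sign(user, parts[1]).encode()
                if hmac.compare_digest(parts[2].encode(), expected):
                    return parts[1]
        return "untrusted"

    # --- lockout policy ---------------------------------------------------------
    def _locked(self, counter: AttemptCounter) -> bool:
        return self._clock() < counter.locked_until

    def _record_failure(self, counter: AttemptCounter, limit: int, lock_on_exceed: bool) -> None:
        now = self._clock()
        if now - counter.window_start >= ATTEMPT_WINDOW:   # attempt limit period expired: start over
            counter.failures = 0
            counter.window_start = now
        counter.failures += 1
        threshold = limit + 1 if lock_on_exceed else limit
        if counter.failures >= threshold:
            counter.locked_until = now + LOCKOUT_PERIOD
            counter.failures = 0
            counter.window_start = now

    def password_attempt(self, user: str, cookie: Optional[str], password_ok: bool) -> str:
        """Returns "locked", "rejected" or "ok". Failures are counted per device cookie."""
        key = (user, self.device_id(user, cookie))
        counter = self._password_counters.setdefault(key, AttemptCounter())
        if self._locked(counter):
            return "locked"                      # a correct password does not end an active lockout
        if password_ok:
            counter.failures = 0
            return "ok"
        self._record_failure(counter, PASSWORD_ATTEMPT_LIMIT, lock_on_exceed=True)
        return "locked" if self._locked(counter) else "rejected"

    def totp_attempt(self, user: str, code_ok: bool) -> str:
        """Returns "locked", "rejected" or "ok". Failures are counted per user, whatever the device."""
        counter = self._totp_counters.setdefault(user, AttemptCounter())
        if self._locked(counter):
            return "locked"
        if code_ok:
            counter.failures = 0
            return "ok"
        self._record_failure(counter, TOTP_ATTEMPT_LIMIT, lock_on_exceed=False)
        return "locked" if self._locked(counter) else "rejected"


if __name__ == "__main__":
    guard = BruteForceGuard(b"constructed-demo-secret")
    for i in range(1, 12):
        print(f"password failure {i}: {guard.password_attempt('alice', None, False)}")
    for i in range(1, 6):
        print(f"TOTP failure {i}: {guard.totp_attempt('alice', False)}")
```

The two counters deliberately differ: the password guard keys on the device cookie (so a browser that once completed a full login is not locked out by guesses arriving from elsewhere), whereas the TOTP guard keys on the user alone, which is what makes switching devices useless against the TOTP limit.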