Brute Force Detection issue: login failure count not resetting after successful login

vishnukprakash · October 14, 2019, 8:52am

When Brute Force Detection in enabled the login failure count is not resetting after successful login. As per the Permanent Lockout Algorithm described in keycloak documentation, the failure count should reset on successful login. It is described as follows in the documentation,

1) On successful login
    1. Reset count
2) On failed login
    1. Increment count
    2. If count greater than Max Login Failures
        1. Permanently disable user
    3. Else if time between this failure and the last failure is less than Quick Login Check Milli    Seconds
        1.Temporarily disable user for Minimum Quick Login Wait
When a user is disabled they can not login until an administrator enables the user; enabling an account resets count.

Can someone comment on this? Is it a bug or expected behaviour? Any help will be appreciated.

kahennig · April 14, 2021, 7:58pm

I am observing the same thing in a custom SPI Brute Force Protector I am implementing for Keycloak 11.0.3. The successfulLogin(…) method of the BruteForceProtector Interface I implement never gets called.
Where you able to figure this out?

tunglt1810 · May 27, 2021, 9:00am

Any new update here? Does we need a custom SPI to workaround

Topic		Replies	Views
Brute Force Detection failure count increments - Browser vs Direct grant authentication flow Getting advice authentication	1	599	November 22, 2021
Brute Force Detection temporary lock user Securing applications	4	6849	August 11, 2021
Unlock account on password reset Getting advice	3	3105	August 11, 2021
Brute Force Protection locks temporary locked users indefinite	1	1219	October 27, 2021
Keycloak temporary lockout algorithm - clarification	0	414	February 8, 2021

Brute Force Detection issue: login failure count not resetting after successful login

Related Topics