Brute Force Detection temporary lock user

Hello, I want to temporarily (for about 30 minutes) lock a user who has failed to sign in 5 times. How can I achieve it?
After changing the Brute Force Detection configuration under Security Defenses it is not working properly.
Could you help me? How can I change the configuration?

That functionality is supported by Brute Force Detection. Can you share your configuration (or just take a screenshot of your admin page in “Realm Settings”->“Security Defenses”->“Brute Force Detection”)?

Here is my configuration, but it locks the user after 2 failed logins. In that case, how can I show a custom message in the login form?

You’re getting a lock after 2 failed logins because you have “Quick Login Check Milli Seconds” set to 20 seconds. It is defined as “Minimum time required between login attempts”. That means any login within 20 seconds of another will trigger a lock. I would recommend setting this to something like 1-2 seconds.

Regarding a custom message, I don’t know if you can do it, as Keycloak defaults to showing the default “Invalid username or password” message because:

When a user is temporarily locked and attempts to log in, the default error message "Invalid username or password" is shown. This is the same error message as the one displayed when an invalid username or invalid password is provided. This is by design, as we do not want to reveal to the attacker that the user is temporarily disabled.


Refer to my answer for the custom message,