Hello , i want to temporary (about 30 minutes) lock the user who failed to sign in 5 times . How can i achieve it?
After changing Brute Force Detection configuration from Security Defenses it is not working properly
Could you help me? How can i change configuration?
That functionality is supported by Brute Force Detection. Can you share your configuration (or just take a screenshot of your admin page in “Realm Settings”->“Security Defenses”->“Brute Force Detection”)?
Here is my configuration , but it locks the user after 2 fail login and in that case how can i show a custom message in login form
You’re getting a lock after 2 failed logins because you have “Quick Login Check Milli Seconds” set to 20 seconds. It is defined as “Minimum time required between login attempts”. That means any login within 20 seconds of another will trigger a lock. I would recommend setting this to something like 1-2 seconds.
Regarding a custom message, I don’t know if you can do it, as Keycloak defaults to showing the default “Invalid username or password” message because:
When user is temporarily locked and attempt to login, the default error message
Invalid username or passwordis shown. This is the same error message as the message displayed when invalid username or invalid password is provided. This is by design as we do not want to reveal to the attacker that user is temporarily disabled.
1 Like
Refer my answer for custom message,