Brute force protection
Brute force attacks are probably the oldest authentication attacks out there, as they are very straightforward. A brute force attack entails attempting all possible passwords or encryption keys to gain unauthorized access to a system, account, or data.
This method relies on the assumption that, because the attempt is exhaustive, the correct combination will eventually be guessed. Brute force attacks can be time-consuming and resource-intensive, especially against complex passwords or encryption keys. However, advances in computational power and technique have made certain brute force attacks feasible within a reasonable timeframe.
To counter brute force attacks, security measures such as account lockouts, rate limiting, and the use of strong, unique passwords are recommended. Additionally, employing techniques like CAPTCHAs and multi-factor authentication can significantly enhance the security of systems and data, making them more resilient against this type of attack.
How it works
You can choose how many incorrect attempts a user can make before the protection takes effect. Since the passwords are incorrect, the attacker never gains access to the app, but you can decide that after a certain number of incorrect tries the user's account is locked and cannot be accessed, even with the correct password.
Prerequisites
In order to use Brute Force, you must be using passwords as an authentication method in your app.
Configuring Brute Force
For brute force protection you can choose whether to block or lock users.
- Choose how many incorrect password attempts trigger the protection
- Choose whether or not to lock the user after that many attempts
Your User's Experience
When a user enters an incorrect password, they will get an error. If they enter an incorrect password the number of times you defined, the login will still fail, and they will either be allowed to keep trying or have their account locked.
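The attempt threshold, the lock-or-continue choice and the unlock email described above, modelled as an added Python example (this is not the product's own code; the Policy, Account and AuthService names, the in-memory account store and the event list are assumptions):

```python
import hashlib, hmac, secrets
from dataclasses import dataclass

@dataclass
class Policy:
    max_attempts: int = 5      # incorrect attempts that trigger the protection
    lock_account: bool = True  # True: lock the account; False: only record the event

@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    failed: int = 0
    locked: bool = False
    unlock_token: str = ""     # one-time token carried by the unlock account email

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class AuthService:
    def __init__(self, policy: Policy):
        self.policy = policy
        self.accounts: dict = {}
        self.events: list = []  # (event, user) pairs, a stand-in for a security event feed

    def register(self, user: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.accounts[user] = Account(salt, _hash(password, salt))

    def login(self, user: str, password: str) -> str:
        acct = self.accounts[user]
        if acct.locked:
            return "locked"  # even the correct password is refused while locked
        if hmac.compare_digest(acct.pw_hash, _hash(password, acct.salt)):
            acct.failed = 0  # a successful login resets the counter
            return "ok"
        acct.failed += 1
        if acct.failed == self.policy.max_attempts:
            self.events.append(("brute_force_detected", user))
            if self.policy.lock_account:
                acct.locked = True
                acct.unlock_token = secrets.token_urlsafe(32)  # would be emailed to the user
                return "locked"
        return "invalid"

    def unlock(self, user: str, token: str) -> bool:
        acct = self.accounts[user]
        if not acct.unlock_token or not hmac.compare_digest(acct.unlock_token, token):
            return False
        acct.locked, acct.failed, acct.unlock_token = False, 0, ""
        return True
```

With `lock_account=False` the counter still records the brute force event at the threshold, but the user may keep trying and a correct password still succeeds.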
Unlock account email
Version prerequisites
To enable this feature, ensure you are using the following versions:
react v7.0.1
next v9.0.1
angular v7.1.0
vue v4.0.1
If you check the 'Send unlock account email' option, your users will receive an email allowing them to retrieve access to their accounts.
'Unlock account' and 'Unlock account success' templates
Once you enable the 'Send unlock account email' toggle in your configuration, you must ensure that the 'Unlock account' email template is also enabled. Go to the [Environment_name] > Emails tab to do so. Additionally, you can enable the 'Unlock account success' email to notify your users that their account has been unlocked successfully.
Notifying end users of brute force attacks
You can choose to notify users in case there's a brute force attack on their account by checking this checkbox.
Analyzing brute force in your app
Security Events
If you're curious how many breached password events happen in your app, you can see them over time, along with where they happened, in Security Events.