wso2 / product-is

Apache License 2.0

Adaptive Authentication - MFA based on login attempts #19768

Open PRO-GUNE opened 4 months ago

PRO-GUNE commented 4 months ago

Tried to implement MFA based on login attempts based on this documentation but was not able to successfully add that functionality. Even after exceeding the threshold of incorrect logins (i.e., 3 incorrect logins), the next successful login would bypass the additional Authenticator app step and successfully log the user in.

After a few discussions with @Thumimku, I figured out that it works after you activate the account locking from login attempts. This should be stated in the documentation to get correct functionality.

IS Version - WSO2 IS 7.0.0 RC2

Improvement: State that account locking should be enabled for the MFA based on login attempts to work correctly.


Additional context: There is another issue with this approach, as it binds the account locking and MFA based on login attempts functionalities. A user who may require just one of these will not be able to implement it.

Thumimku commented 4 months ago

In previous IS versions, we had this as a prerequisite: https://is.docs.wso2.com/en/6.0.0/guides/adaptive-auth/login-attempts-based-adaptive-auth/#prerequisites