Temporary locking configuration

Temporary locking is configured in the Authentication Flow of the Loginapp REST API configuration.

It is configured globally and then enabled or disabled in each authentication flow.

To configure it, go to:

Loginapp >> Authentication Flows >> Temporary Locking

The Exponential Temporary Locking Strategy plugin follows the same logic as the Temporary Locking Settings described in the temporary locking configuration of the JSP-Loginapp.

Disabling temporary locking on selected auth flows

Disabling temporary locking on an authentication flow only disables the enforcement of the waiting times for users on that flow. The flow itself is then no longer protected by waiting times against password guessing.

The waiting times are calculated from all failed login attempts of a user, regardless of whether the flow on which they occurred has temporary locking enabled or not.

As a result, a series of failed logins on a flow with temporary locking disabled is not penalized on that flow, but the next login attempt on a flow with temporary locking enabled is subject to the full waiting time accumulated from those failures.

To disable temporary locking on a flow, go to:
Loginapp >> Authentication Flows >> <some application> >> Authentication Flow and then uncheck Enable Temporary Locking.
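The following model illustrates the behavior described above. It is an added example and not Airlock IAM code: the failed-attempt counter is shared across flows, while the per-flow flag only controls whether the resulting wait is enforced. The doubling wait time (1 s, 2 s, 4 s, ...), the cap, and the fact that unknown usernames never accumulate a lock are assumptions made for the illustration, not details taken from the page; the last one is also what makes the lock response usable for username enumeration, as discussed further down.

```python
"""Illustrative model of temporary locking with per-flow enforcement.

Not Airlock IAM code. Assumptions (not from the documentation):
- an "exponential" strategy doubles the wait after every failed attempt,
  starting at BASE_WAIT seconds and capped at MAX_WAIT;
- only existing accounts accumulate failures and locks.
"""
from dataclasses import dataclass
from typing import Dict, List

BASE_WAIT = 1.0    # assumed: wait in seconds after the first failed attempt
MAX_WAIT = 3600.0  # assumed: upper bound for the computed wait


def wait_for(failed_attempts: int) -> float:
    """Assumed exponential strategy: 1 s, 2 s, 4 s, ... up to MAX_WAIT."""
    if failed_attempts <= 0:
        return 0.0
    return min(BASE_WAIT * 2 ** (failed_attempts - 1), MAX_WAIT)


@dataclass
class Flow:
    name: str
    temporary_locking: bool  # the per-flow "Enable Temporary Locking" checkbox


@dataclass
class Account:
    password: str
    failed_attempts: int = 0   # counted across all flows, enabled or not
    locked_until: float = 0.0  # absolute time; enforced only on enabled flows


@dataclass
class Result:
    status: str               # "ok", "invalid_credentials" or "locked"
    retry_after: float = 0.0  # seconds until the lock expires, if locked


class LoginService:
    def __init__(self, accounts: Dict[str, Account]):
        self.accounts = accounts

    def login(self, flow: Flow, username: str, password: str, now: float) -> Result:
        acct = self.accounts.get(username)
        if acct is None:
            # Unknown users never reach the lock check (assumed), so the
            # "locked" status is only ever returned for existing accounts.
            return Result("invalid_credentials")
        # The wait is enforced only on flows with temporary locking enabled.
        if flow.temporary_locking and now < acct.locked_until:
            return Result("locked", acct.locked_until - now)
        if password != acct.password:
            # Failures count on every flow, even where the wait is not enforced.
            acct.failed_attempts += 1
            acct.locked_until = now + wait_for(acct.failed_attempts)
            return Result("invalid_credentials")
        acct.failed_attempts = 0
        acct.locked_until = 0.0
        return Result("ok")


def cross_flow_scenario() -> List[Result]:
    """Three failures on a flow without locking, then the correct password
    on a flow with locking: the accumulated wait (4 s) is enforced there."""
    svc = LoginService({"alice": Account("correct horse")})  # constructed data
    portal = Flow("portal", temporary_locking=False)
    admin = Flow("admin", temporary_locking=True)
    results = [svc.login(portal, "alice", "guess", now=t) for t in (0.0, 1.0, 2.0)]
    results.append(svc.login(admin, "alice", "correct horse", now=2.0))  # locked
    results.append(svc.login(admin, "alice", "correct horse", now=6.0))  # ok
    return results


def enumeration_scenario() -> Dict[str, List[str]]:
    """Same wrong password, same enabled flow: an existing user is answered
    with "locked" after the first failure, an unknown user never is."""
    svc = LoginService({"bob": Account("hunter2")})  # constructed data
    admin = Flow("admin", temporary_locking=True)
    return {
        name: [svc.login(admin, name, "guess", now=0.0).status for _ in range(3)]
        for name in ("bob", "mallory")
    }


if __name__ == "__main__":
    for r in cross_flow_scenario():
        print(r)
    print(enumeration_scenario())
```

In the first scenario the three failures on the portal flow are answered with plain "invalid_credentials", yet the first attempt on the admin flow is rejected as locked for the full 4 seconds computed from those failures. In the second scenario the response pattern alone tells the caller which of the two names is a real account.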

Adminapp configuration

The temporary locking settings should also be configured in the Adminapp:

Adminapp >> Users >> Locking Settings >> Temporary Locking (Loginapp REST API)

This configuration enables the proper handling of temporary locking information on the user detail page and in the Adminapp REST API.

Temporary locking and username enumeration

Temporary locking and the prevention of username enumeration are mutually exclusive features.

With temporary locking enabled, login names and aliases can be enumerated: the response behavior differs depending on whether a username exists and only the password is wrong, or whether the username does not exist at all. Therefore, only one of the two features can be enabled at a time.