Failed factor attempts in public self-services

In order to mitigate brute-force and enumeration attacks on public self-service flows, every failure of a step that involves an authentication factor (email OTP, password, etc.) is counted for the user. The user account is locked once the configured threshold is reached.

The threshold is defined in
Loginapp >> Public Self-Service Flows >> Max Failed Factor Attempts.

Note that neither the threshold nor the counter is defined per flow. Failed attempts on a factor in one flow therefore count against the user in all flows that use that factor.

The failed factor counters can be viewed in the Adminapp's user management section and are reset by locking and then unlocking the user there.

Example for password reset

Consider a password reset flow using the Email Identity Verification Step which involves email OTP as an authentication factor.

If the flow fails in the Email Identity Verification Step, the counter for the email OTP factor is increased. If the configured threshold Max Failed Factor Attempts is reached, the user account is locked, regardless of whether the previous failures happened in this flow or in another flow using the same factor.

Whether or not the user can still use the password reset flow now depends on the restrictions in the flow:

  • If using the Default Password Reset Restrictions, the flow is not accessible to locked users unless locked users are explicitly allowed in the configuration.
  • If using Custom Public Self-Service Restrictions, adding the Locked User Restriction limits flow usage to non-locked users only.
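The following is an added toy model of the behaviour described in the two passages above (the per-user, not per-flow, counter and the password reset example). It is not Airlock IAM code; the class and method names, the `Restriction` labels and the assumption that the threshold applies to each factor's counter separately are illustrative choices made here. It shows that failures of the same factor in two different flows accumulate into one lock, and how the two restriction styles then decide whether the locked user may still start the password reset flow.

```python
"""Toy model of failed-factor counting in public self-service flows.

Added illustration only; not Airlock IAM code. Names are assumptions.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Tuple


class Restriction(Enum):
    """Hypothetical labels for the two restriction styles named in the text."""
    DEFAULT_PASSWORD_RESET = "default"      # locked users denied unless explicitly allowed
    CUSTOM_LOCKED_USER = "custom-locked"    # Locked User Restriction: non-locked users only


@dataclass
class User:
    name: str
    locked: bool = False
    # one counter per factor (e.g. "email-otp", "password"); assumption: the
    # threshold is checked against each factor's own counter
    failed_factor_attempts: Dict[str, int] = field(default_factory=dict)
    # audit trail of (flow, factor) so the example can show cross-flow counting
    history: List[Tuple[str, str]] = field(default_factory=list)


class SelfServiceCounter:
    """Counts failed factor steps per user, not per flow, and locks at the threshold."""

    def __init__(self, max_failed_factor_attempts: int):
        self.threshold = max_failed_factor_attempts
        self.users: Dict[str, User] = {}

    def user(self, name: str) -> User:
        return self.users.setdefault(name, User(name))

    def record_failure(self, name: str, factor: str, flow: str) -> bool:
        """Record a failed factor step; returns True if the user is now locked.

        `flow` is only recorded for the audit trail. It does not partition the
        counter, which is the point made in the text: attempts in one flow
        influence all flows using that factor.
        """
        u = self.user(name)
        u.history.append((flow, factor))
        u.failed_factor_attempts[factor] = u.failed_factor_attempts.get(factor, 0) + 1
        if u.failed_factor_attempts[factor] >= self.threshold:
            u.locked = True
        return u.locked

    def lock_then_unlock(self, name: str) -> None:
        """Models the Adminapp lock/unlock cycle that resets the counters."""
        u = self.user(name)
        u.locked = True
        u.locked = False
        u.failed_factor_attempts.clear()

    def may_use_flow(self, name: str, restriction: Restriction,
                     allow_locked_users: bool = False) -> bool:
        """Decide whether the user may start a flow under the given restriction."""
        u = self.user(name)
        if not u.locked:
            return True
        if restriction is Restriction.DEFAULT_PASSWORD_RESET:
            # default restrictions: locked users only if explicitly allowed
            return allow_locked_users
        # Locked User Restriction: never for locked users
        return False


def walkthrough(threshold: int = 3) -> dict:
    """Constructed scenario: email OTP fails in two different flows."""
    c = SelfServiceCounter(max_failed_factor_attempts=threshold)
    # two bad OTPs while resetting the password ...
    c.record_failure("alice", "email-otp", "password-reset")
    c.record_failure("alice", "email-otp", "password-reset")
    # ... and one more bad OTP in an unrelated flow using the same factor
    locked = c.record_failure("alice", "email-otp", "change-email")
    result = {
        "locked": locked,
        "otp_failures": c.user("alice").failed_factor_attempts["email-otp"],
        "default_restriction": c.may_use_flow("alice", Restriction.DEFAULT_PASSWORD_RESET),
        "default_allow_locked": c.may_use_flow("alice", Restriction.DEFAULT_PASSWORD_RESET,
                                               allow_locked_users=True),
        "custom_locked_user": c.may_use_flow("alice", Restriction.CUSTOM_LOCKED_USER),
    }
    c.lock_then_unlock("alice")
    result["after_reset"] = c.may_use_flow("alice", Restriction.CUSTOM_LOCKED_USER)
    result["counters_after_reset"] = dict(c.user("alice").failed_factor_attempts)
    return result


if __name__ == "__main__":
    for k, v in walkthrough().items():
        print(f"{k}: {v}")
```

With a threshold of 3, the third email OTP failure locks the user even though it occurred in a different flow than the first two. Under the default password reset restrictions the locked user is then denied unless locked users are explicitly allowed, under the Locked User Restriction they are always denied, and the Adminapp lock/unlock cycle clears the counters and restores access.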