KeyCloak : Disable account after 5 incorrect login attempts, and send an email to the user to reactivate the account - authentication

I'm working on a project with KeyCloak where the requirement is that after 5 incorrect login attempts by the user, the account needs to be suspended and an email sent to the user to reactivate the account.
So far I couldn't find this configuration. Can you please tell me if it's possible? And if yes, where is the option?

Related

Implementing 2fa in two steps

I did a lot of research on how to implement 2FA in my app.
My app will force every user to use 2FA (I will use OTP).
I think that in my app (because every user will need to use 2FA, and I will use only OTP) I can have only 2 steps:
1. Log in the user, providing username, password and OTP.
2. If step 1 is successful, authentication is done.
From all the sources I found, the 2FA steps are always the same:
1. Log in the user, providing username and password.
2. If step 1 is successful, ask the user for the OTP token.
3. If step 2 is successful, authentication is done.
In my head, if I have optional 2FA, or 2FA using SMS/email, then I must have the step in the middle (authenticate the user, send the SMS/email and wait for the code), but with OTP I already have the code and I can provide it in the same login form with the username and the password.
I haven't seen this kind of 2FA with only 2 steps. Am I missing something?
Both of your examples are the same.
In the first scenario, the server is waiting for the user to enter the OTP, and the same process follows in the second scenario.
These are the distinct steps in 2FA authentication:
1. The user sends their username and password to the server to be authenticated as usual.
2. The server confirms the credentials are correct and asks for a second input from the user; in this case it's a one-time passcode (OTP).
3. The user provides the OTP, and the server finally authenticates the user.

OpenCart admin is logging in to the same account for different profiles

I am building an OpenCart 3.0.3.8 site. I have a problem with the admin login. I have created 2 admin profiles, say User 1 and User 2. The problem is that it logs in to the User 1 account even if I log in using User 2's credentials. I don't know if it's a bug or some misconfiguration on my side. Requesting your input on possible ways to fix this.
I tried deleting the User 1 profile directly from the DB, and it completely disabled admin login.
I can log in using the User 1 credentials even if all users are disabled.

Invalid user or password or the account is blocked due to multiple failed login attempts

Error message: "Invalid user or password or the account is blocked due to multiple failed login attempts. If so, it will be unblocked automatically in a short time."
I have installed OpenProject in an Ubuntu environment.
This morning I updated OpenProject.
When I tried to log in using my username and password, I got the above error message.
The database is PostgreSQL.
I was able to log in to the DB.
What is the solution to resolve this issue? I want to unblock the account.
None of the accounts, including the admin account, can log in.
1. Create a new username and password with admin rights in the PostgreSQL DB.
2. Grant admin rights to the user.
3. Log in to the website using the new username and password.
4. Go to Administration > Authentication and check AUTOMATED USER BLOCKING.
5. For "Block user after this number of failed login attempts", give the input zero (0).
It will allow the user to log in any number of times even if they fail.
thanks

Microsoft graph is remembering the user after authentication

I'm using Microsoft Graph in my Android project to authenticate users.
I'm doing so via this method:
https://learn.microsoft.com/en-us/azure/active-directory/develop/quickstart-v1-android
After a successful login, Microsoft remembers the user's email, so the next time a user tries to log in it will suggest using a previously logged-in account. If the user chooses a previously used email, a password is not required.
The problem arises when we have a single device where multiple users need to log in via Microsoft. In this case a new user will see the email of previously logged-in users and can select their email and log into the account without entering any password.
My question is: how can I avoid this behavior and close the session after each login?
Thank you!
You can tell ADAL to request credentials again by switching PromptBehavior from Auto to Always:
```java
// Perform authentication requests. PromptBehavior.Always forces the account
// picker and password prompt every time instead of reusing the cached account.
mAuthContext.acquireToken(
        getActivity(),
        RESOURCE_ID,
        CLIENT_ID,
        REDIRECT_URI,
        PromptBehavior.Always,
        getAuthInteractiveCallback());
```

Shiro, Multi Factor Authentication

Is there a way to implement multi-factor authentication in Shiro? Can somebody give me a hint on how to implement this?
For more details:
The basic idea is that a user needs to log in just as usual, using username and password, but before actually being authenticated the user also needs to enter a one-time token he received as an SMS.
Thank you!
I finally solved my problem on my own, but I'm of course always open to other suggestions.
I implemented my own 2-factor authentication flow:
First of all, I changed the URL of the login page to which Shiro redirects an unauthenticated user, so that it points to my own login page, which leads into the authentication mechanism.
A user needs to complete two "stages" to log in.
On the first stage he/she has to provide a username and password; if these are valid, the user is redirected to the second stage of the login. Meanwhile, a one-time token has been generated and sent to the user via SMS. Also, the user's authentication progress has been saved in the session (which means I remember that stage 1 was completed successfully).
On stage 2 the user needs to enter the token. If the token was not valid or expired (after 5 minutes), or the number of attempts to correctly enter the token exceeded 4, the user will be redirected to stage 1 and all progress will be deleted. If everything went fine, the user will be authenticated to Shiro (of course without letting him/her know).
In the end the user will be redirected to the page he/she originally requested, which still allows him/her to bookmark pages. Of course Shiro's remember-me will always be deactivated.
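The two-stage flow described in this answer, and the point made in the 2FA answer above that the server performs the same sequence of checks whatever the client submits, as an added example that is not the poster's code or part of Shiro. The user store, SMS gateway callback and clock are constructed stand-ins; the place where Shiro's subject.login() would run is marked in a comment.

```python
import hashlib, hmac, secrets, time
from dataclasses import dataclass

TOKEN_TTL_SECONDS = 5 * 60  # stage-2 token expires after 5 minutes, as in the answer
MAX_TOKEN_ATTEMPTS = 5      # more than 4 wrong tokens wipes the pending login

def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 for the constructed demo user store; production code would use argon2/bcrypt
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

@dataclass
class PendingLogin:
    """Stage-1 progress, kept server-side in the session, never on the client."""
    token_hash: bytes   # hash of the SMS token; the plaintext only goes to the phone
    expires_at: float
    attempts: int = 0

class TwoStageAuthenticator:
    def __init__(self, users, send_sms, clock=time.time):
        self.users = users        # {username: (salt, hash_password(pw, salt))}, constructed
        self.send_sms = send_sms  # callable(username, token); stands in for the SMS gateway
        self.clock = clock        # injectable so token expiry can be tested
        self.session = {}         # {username: PendingLogin}; the servlet session in Shiro

    def stage1(self, username: str, password: str) -> bool:
        # Hash even for unknown users so timing does not reveal which usernames exist
        salt, expected = self.users.get(username, (b"\0" * 16, b"\0" * 32))
        if not hmac.compare_digest(expected, hash_password(password, salt)):
            return False
        token = f"{secrets.randbelow(10**6):06d}"  # six-digit one-time token
        self.session[username] = PendingLogin(
            hashlib.sha256(token.encode()).digest(), self.clock() + TOKEN_TTL_SECONDS)
        self.send_sms(username, token)
        return True

    def stage2(self, username: str, token: str) -> str:
        """Returns 'authenticated', 'retry', or 'reset' (progress wiped, back to stage 1)."""
        pending = self.session.get(username)
        if pending is None or self.clock() > pending.expires_at:
            self.session.pop(username, None)
            return "reset"
        pending.attempts += 1
        if hmac.compare_digest(pending.token_hash, hashlib.sha256(token.encode()).digest()):
            del self.session[username]
            return "authenticated"  # only now would subject.login(...) run in Shiro
        if pending.attempts >= MAX_TOKEN_ATTEMPTS:
            del self.session[username]
            return "reset"
        return "retry"
```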