17.16. How to mitigate brute force and lock tokens

For each failed authentication attempt, privacyIDEA increases the fail counter of the token. Once the maximum allowed fail counter is reached, authentication with this token is no longer possible. The token is marked with a timestamp recording when the maximum fail counter was reached. Starting with version 2.20, the administrator can define a timeout in minutes. If this timestamp is more than the specified number of minutes ago, an authentication attempt with a correct PIN will reset the fail counter. See Automatically clearing Failcounter.

The failcounter prevents brute force attacks that guess passwords or OTP values. Choose a failcounter clearing timeout that is not too long. Otherwise a brute force attack would also lock the user's token forever.
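The lockout and clearing behaviour described above, as an added example that is not privacyIDEA's own code: a simplified model of the fail counter and the clearing timeout. The `Token` class, its field names, the rule that a successful login resets the counter, and the sample PIN and OTP values are assumptions made for this illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class Token:
    """Simplified lockout state of one token (hypothetical, not privacyIDEA's class)."""
    pin: str
    otp: str                       # constructed: a fixed value stands in for real OTP checking
    max_fail: int = 3
    clearing_timeout_min: int = 0  # assumption: 0 means the counter is never cleared automatically
    failcount: int = 0
    locked_at: Optional[datetime] = None

    def authenticate(self, pin: str, otp: str, now: datetime) -> bool:
        if self.failcount >= self.max_fail:
            expired = (self.clearing_timeout_min > 0 and self.locked_at is not None
                       and now - self.locked_at > timedelta(minutes=self.clearing_timeout_min))
            if not (expired and pin == self.pin):
                return False       # still locked: even correct credentials are rejected
            self.failcount = 0     # timeout has passed and the PIN is correct: clear the counter
            self.locked_at = None
        if pin == self.pin and otp == self.otp:
            self.failcount = 0     # assumption: a successful login resets the counter
            return True
        self.failcount += 1
        if self.failcount >= self.max_fail:
            self.locked_at = now   # timestamp mark set when the maximum is reached
        return False


def simulate(clearing_timeout_min: int) -> list:
    """Three wrong OTPs lock the token; the legitimate user then tries at +1 and +11 minutes."""
    t0 = datetime(2024, 1, 1, 12, 0)  # constructed start time
    tok = Token(pin="1234", otp="755224", clearing_timeout_min=clearing_timeout_min)
    for i in range(3):
        tok.authenticate("1234", "000000", t0 + timedelta(seconds=i))
    return [tok.authenticate("1234", "755224", t0 + timedelta(minutes=m)) for m in (1, 11)]


if __name__ == "__main__":
    print("timeout 10 min:", simulate(10))
    print("no timeout:    ", simulate(0))
```

With a 10-minute timeout the legitimate user is rejected at +1 minute and accepted at +11 minutes; without a timeout both attempts are rejected.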

Another way to mitigate brute force is to define an authorization policy with the action auth_max_fail. This checks whether there were too many failed authentication requests during the specified time period. If there were, even a successful authentication will fail. This technique searches the audit log for failed authentication requests. See auth_max_fail.