Let the Countdown begin when the account is locked!

Customizing the login page to implement a countdown for the locked users in WSO2 Identity Server.

Enabling the Account Locking due to Failed Login Attempts feature helps prevent brute-forcing of an account's credentials. However, a security feature always affects the legitimate user's experience, and keeping the product user-friendly is indispensable. To maintain the balance between ease of use and the security measure, this blog demonstrates a customization that runs a countdown showing a locked user when the account will be unlocked.

Step 1: deployment.toml

Add the configuration below in deployment.toml file to return the error reason.

However, enabling this may lead to a user enumeration vulnerability, since it will usually return the 3 main types of error codes listed below.

  • Invalid User (17001)
  • Invalid credentials (17002)
  • Account Lock (17003)

We’ll only be using error code 17003 in this customization. Brute-forcing the password of a single account (17002) can be prevented by enabling the reCaptcha feature. However, username enumeration (17001) should be handled externally, for example with a WAF (similar to handling DoS/DDoS at the WAF level).

Step 2: Enable Account Locking due to Failed Login Attempts

Enable account locking by navigating to Identity Provider → Login Attempts Security → Account Lock and enabling Lock user accounts in the management console (https://localhost:9443/carbon).

Step 3: Customized retry.jsp

With the changes above, if a user tries to log in while the user account is locked, the user will be redirected to the retry.do (retry.jsp) page with the additional parameters indicated below.

We’ll be using the above parameters to retrieve the account-lock related user information required for the countdown implementation in retry.jsp. If you haven’t made any changes to the default retry.jsp that resides in the authentication endpoint, you can simply replace the retry.jsp file in the <IS_HOME>/repository/deployment/server/webapps/authenticationendpoint directory with the updated-retry.jsp provided below.

If you’ve already made any customizations in the retry.jsp, let’s move on to Step 3.1 to implement the countdown on top of the existing customizations.

Step 3.1: Customizing the Authentication Endpoint (retry.jsp)

  1. Import the packages below.

  2. Add the code snippet below.

  3. Find the div element below.

  4. Replace the above with the element provided below.

  5. Add the script provided below.
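As an added example that is not part of the original post (and not WSO2's code), here is the browser-side countdown logic the script in step 5 needs, in plain JavaScript. It reacts only to error code 17003 and shows nothing for 17001 or 17002, so the page reveals no extra information for those cases. The parameter names errorCode and unlockTime (epoch milliseconds, as injected by the JSP) are assumptions, not values taken from the post.

```javascript
// Added example, not from the original post or WSO2: countdown logic for the
// customized retry page. Assumed (not from the post): the JSP exposes the error
// code as "errorCode" and the unlock time as "unlockTime" in epoch milliseconds.
const ACCOUNT_LOCKED = "17003"; // the only code this customization reacts to

// Parse the query string of a retry.do URL into a plain object.
function parseQuery(url) {
  const i = url.indexOf("?");
  const out = {};
  for (const pair of (i >= 0 ? url.slice(i + 1) : "").split("&")) {
    if (!pair) continue;
    const [k, v = ""] = pair.split("=");
    out[decodeURIComponent(k)] = decodeURIComponent(v.replace(/\+/g, " "));
  }
  return out;
}

// Seconds until unlock, or null when the error is not an account lock or the
// unlock time is missing/invalid; never negative. 17001/17002 get no countdown.
function remainingLockSeconds(params, nowMs) {
  if (params.errorCode !== ACCOUNT_LOCKED) return null;
  const unlock = Number(params.unlockTime);
  if (!Number.isFinite(unlock) || unlock <= 0) return null;
  return Math.max(0, Math.ceil((unlock - nowMs) / 1000));
}

// Format remaining seconds as mm:ss for display.
function formatCountdown(seconds) {
  const m = Math.floor(seconds / 60), s = seconds % 60;
  return `${String(m).padStart(2, "0")}:${String(s).padStart(2, "0")}`;
}

// Tick once per second: render(text) on every tick, onUnlock() when it hits
// zero. Timer functions are injectable so the logic runs outside a browser.
function startCountdown(params, render, onUnlock, timers) {
  const t = timers || { now: () => Date.now(), setInterval: (f, ms) => setInterval(f, ms),
                        clearInterval: (id) => clearInterval(id) };
  let remaining = remainingLockSeconds(params, t.now());
  if (remaining === null) return null; // nothing to show for this error code
  render(formatCountdown(remaining));
  const id = t.setInterval(() => {
    remaining = remainingLockSeconds(params, t.now());
    render(formatCountdown(remaining));
    if (remaining === 0) { t.clearInterval(id); onUnlock(); }
  }, 1000);
  return id;
}
```

In the real page, render would write into the countdown element from step 4 and onUnlock would re-enable the login link.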

That’s it! Let’s test by simply accessing MyAccount or the User Portal and providing invalid credentials until the maximum number of failed login attempts configured in the account locking settings is reached (default: 5).

This customization has been lightly tested with:

  • IS Version: 5.10 and 5.11
  • Single-Tenant and Multi-Tenancy environments

Find this on my blog!

Cheers!


Senior Software Engineer at WSO2
