Vicky

Reputation: 1117

How to test the lockout policy of azure ad b2c

We are using Azure AD B2C as the authentication provider for our project. One facility that we lack in AD B2C is locking an account after multiple invalid login attempts. There seems to be an algorithm which blocks login requests temporarily for a certain period of time, after which the user is allowed to log in again.

Also, as per the documentation: "By using various signals, Azure AD B2C analyzes the integrity of requests. Azure AD B2C is designed to intelligently differentiate intended users from hackers and botnets. Azure AD B2C provides a sophisticated strategy to lock accounts based on the passwords entered, in the likelihood of an attack."

Refer to https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-reference-threat-management#password-attacks

How will the account get locked out? How can one go about testing that it will actually happen?

Upvotes: 1

Views: 3871

Answers (2)

Alex

Reputation: 894

Use a different password on each of 10 attempts (if the lockout threshold has not been changed) and your account will get locked.

E.g.:

attempt 1 => password: 1
attempt 2 => password: 12
attempt 3 => password: 123
....
attempt 10 => password: 1234567890

Upvotes: 1
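The procedure in the answer above, as an added example in Python (this is not code from the question or from either answer, and not Microsoft's own tooling). It drives the token endpoint of an Azure AD B2C resource owner password credentials (ROPC) user flow, sends a distinct wrong password on every attempt, and reports the attempt at which the service's error changed. It assumes the tenant has an ROPC user flow, that the endpoint follows the documented `https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/{policy}/oauth2/v2.0/token` shape, and that the tenant name, policy, client ID, scope, username and password come from environment variables; all of those are placeholders you supply. No lockout error code is hard-coded, because the page does not state one: the script compares the first line of each `error_description` against the first attempt's and prints the raw text for you to read.

```python
# Added example, not code from the original question or answers: probes Azure AD B2C
# smart lockout through the ROPC token endpoint of a user flow. Tenant, policy,
# client_id, scope, username and password are assumed placeholders read from the
# environment. The account WILL be locked, so use a throwaway account in a test tenant.
import json
import os
import sys
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, List, Optional, Tuple

Sender = Callable[[bytes], Tuple[int, str]]  # form body -> (HTTP status, response body)

def ropc_token_url(tenant: str, policy: str) -> str:
    """Token endpoint of a B2C ROPC user flow; `tenant` is the short tenant name."""
    return f"https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/{policy}/oauth2/v2.0/token"

def build_form(client_id: str, scope: str, username: str, password: str) -> bytes:
    """URL-encoded body of a resource-owner-password-credentials token request."""
    return urllib.parse.urlencode({
        "grant_type": "password",
        "client_id": client_id,
        "scope": scope,
        "username": username,
        "password": password,
        "response_type": "token id_token",
    }).encode()

def http_sender(url: str) -> Sender:
    """Real transport: POST the form and return status and body, even on 4xx."""
    def send(form: bytes) -> Tuple[int, str]:
        req = urllib.request.Request(url, data=form, method="POST")
        try:
            with urllib.request.urlopen(req, timeout=30) as resp:
                return resp.status, resp.read().decode()
        except urllib.error.HTTPError as err:
            return err.code, err.read().decode()
    return send

def classify(status: int, body: str) -> Tuple[str, str]:
    """Reduce one token response to (kind, detail).

    Only the first line of error_description is kept: later lines carry a
    per-request correlation ID and timestamp, so comparing whole descriptions
    would make every response look different and hide the lockout transition.
    """
    try:
        payload = json.loads(body)
    except json.JSONDecodeError:
        return "unparseable", body[:200]
    if status == 200 and "access_token" in payload:
        return "success", ""
    desc = payload.get("error_description", "")
    detail = desc.splitlines()[0] if desc else payload.get("error", "unknown")
    return "error", detail

def probe_lockout(send: Sender, client_id: str, scope: str, username: str,
                  attempts: int = 15) -> List[Tuple[int, str, str]]:
    """Sign in `attempts` times, each with a distinct wrong password (as the
    answer recommends). Returns [(attempt number, kind, detail)] in order."""
    results = []
    for n in range(1, attempts + 1):
        status, body = send(build_form(client_id, scope, username, f"definitely-wrong-{n}"))
        kind, detail = classify(status, body)
        results.append((n, kind, detail))
        if kind == "success":  # cannot happen with a wrong password; stop if it does
            break
    return results

def lockout_attempt(results: List[Tuple[int, str, str]]) -> Optional[int]:
    """First attempt whose error differs from attempt 1's wrong-password error,
    or None if the service answered identically throughout."""
    if not results or results[0][1] != "error":
        return None
    baseline = results[0][2]
    for n, kind, detail in results[1:]:
        if kind == "error" and detail != baseline:
            return n
    return None

def confirm_locked(send: Sender, client_id: str, scope: str, username: str,
                   correct_password: str) -> bool:
    """The real proof of a lock is that the CORRECT password is now rejected too.
    Returns True when the account is genuinely locked."""
    kind, _ = classify(*send(build_form(client_id, scope, username, correct_password)))
    return kind != "success"

if __name__ == "__main__":
    keys = ("B2C_TENANT", "B2C_POLICY", "B2C_CLIENT_ID", "B2C_SCOPE", "B2C_USERNAME", "B2C_PASSWORD")
    cfg = {k: os.environ.get(k) for k in keys}
    if not all(cfg.values()):
        sys.exit("set " + ", ".join(keys) + " in the environment (test account only)")
    send = http_sender(ropc_token_url(cfg["B2C_TENANT"], cfg["B2C_POLICY"]))
    res = probe_lockout(send, cfg["B2C_CLIENT_ID"], cfg["B2C_SCOPE"], cfg["B2C_USERNAME"])
    for n, kind, detail in res:
        print(f"attempt {n:2d}: {kind} {detail}")
    at = lockout_attempt(res)
    print("service response first changed at attempt:", at)
    if at is not None:
        locked = confirm_locked(send, cfg["B2C_CLIENT_ID"], cfg["B2C_SCOPE"],
                                cfg["B2C_USERNAME"], cfg["B2C_PASSWORD"])
        print("correct password also rejected (account locked):", locked)
```

Two checks matter when reading the output. First, the attempt number at which the error text changes is the effective threshold for that account at that moment, not necessarily the configured one, since the service may adapt it. Second, the change in error text is only evidence; the `confirm_locked` step, which submits the real password right after, is what shows the account is actually blocked rather than merely receiving a different message. Re-running the correct-password attempt at intervals afterwards shows how long the lock lasts. The ROPC flow is used here because it is scriptable; the same count-and-observe approach works in a browser against the interactive sign-in page if ROPC is not enabled in the tenant.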

Today, the number of attempts begins at 10 and adjusts itself after that depending on the nature of each attempted login. Other risks, such as attacks from suspicious IP addresses, are addressed differently. Lockout time increases over time to create friction for automated attackers.

Upvotes: 2
