Brute force detection
Overview
Keycloak includes built-in brute force detection to protect user accounts from repeated unauthorized login attempts.
This feature helps prevent attackers from guessing passwords through repeated login attempts while keeping your users’ accounts secure.
It provides configurable protections such as temporary lockouts, exponential backoff, and progressive delays to slow down potential attacks without unnecessarily blocking legitimate users.
Managed Keycloak Context
Cloud-IAM provides brute force detection as part of Managed Keycloak deployments.
The mechanisms are integrated into the platform’s architecture via load balancers—more details are available on the Architecture Insights page.
While these protections are applied to every managed Keycloak deployment, you can further strengthen the security of each realm by configuring realm-specific brute force detection settings. This gives you fine-grained control over lockout policies and login defenses for different user groups or applications.
Use Case
IAM
For internal Identity and Access Management (IAM), brute force detection helps protect sensitive internal accounts, such as administrative or employee accounts, from credential-guessing attacks. This ensures the security of your organization’s internal applications.
CIAM
For customer-facing applications (CIAM), brute force detection ensures that user accounts are safeguarded during onboarding, registration, and login attempts. It reduces the risk of unauthorized access while maintaining a smooth experience for legitimate users.
Pros & Cons
Pros
- Enhanced Security: Prevents unauthorized access and reduces the risk of account compromise.
- Compliance: Helps meet security standards and regulatory requirements.
- Progressive Protection: Features like exponential backoff slow down attackers without immediately locking out legitimate users.
Cons
- User Friction: Users may face temporary login delays or lockouts after repeated failed attempts.
- Dependency on Accurate Configuration: Misconfigured settings could either block legitimate users or provide insufficient protection.
Supported by Keycloak
Yes, natively supported and configurable on Managed Keycloak by Cloud-IAM.
Configuration
How to Configure Brute force detection on a Keycloak Realm
This step-by-step guide explains how to enable brute force detection on your Keycloak realm.
Enabling this feature helps protect user accounts from repeated unauthorized login attempts and can trigger notifications for events such as registration validation, password resets, and usage alerts.
This tutorial does not cover all the necessary security best practices for a complete configuration.
Keycloak Console - Access to Brute force detection
- Log in to your Keycloak as an admin
- Select the realm to be configured (here: acme-demo)
- Navigate to Realm settings
- Select Security Defenses
- Then click on Brute force detection

Keycloak Console - Configure Brute force detection
- From the list select Lockout permanently after temporary lockout.
- Configure the various actions Keycloak should perform during failed login attempts.
Keycloak brute force detection recommended settings from ANSSI (French cybersecurity authority)
Setting | Recommended Value | Reasoning (based on ANSSI)
---|---|---
Brute Force Mode | Lockout permanently after temporary lockout | Avoids immediate permanent lockout; progressive defense.
Max Login Failures | 5 attempts | Standard ANSSI practice to prevent excessive guessing.
Maximum Temporary Lockouts | 3 | Allows 3 temporary lockout cycles before permanent lockout.
Strategy to Increase Wait Time | Multiple (exponential backoff) | Progressive delay to slow attackers significantly.
Wait Increment | 30 seconds | Reasonable initial delay; balances security and usability.
Max Wait | 1 hour | Caps the delay to avoid blocking legitimate users excessively.
Failure Reset Time | 15 minutes | Resets the counter after no failed attempts for this duration.
Quick Login Check Milliseconds | 1000 ms (1 second) | Detects automated bots attempting rapid retries.
Minimum Quick Login Wait | 5 seconds | Introduces friction for automated attacks.
- Then click Save to confirm your configuration.
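To verify that a realm actually carries the recommended values from the table above (for example after a realm export, or before promoting a configuration), the following added check compares an exported realm against them. This is example code written for this page, not Cloud-IAM's or Keycloak's own tooling; it assumes the console settings map to the RealmRepresentation field names shown in the comments, and the two sample realms are constructed.

```python
import json
import sys

# Recommended values from the table above, keyed by the RealmRepresentation
# field each console setting is assumed to map to (the mapping is an
# assumption made for this example, not taken from the page).
RECOMMENDED = {
    "bruteForceProtected": True,          # detection enabled at all
    "permanentLockout": True,             # "Lockout permanently after temporary lockout"
    "maxTemporaryLockouts": 3,            # Maximum Temporary Lockouts
    "bruteForceStrategy": "MULTIPLE",     # Multiple (exponential backoff)
    "failureFactor": 5,                   # Max Login Failures
    "waitIncrementSeconds": 30,           # Wait Increment
    "maxFailureWaitSeconds": 3600,        # Max Wait (1 hour)
    "maxDeltaTimeSeconds": 900,           # Failure Reset Time (15 minutes)
    "quickLoginCheckMilliSeconds": 1000,  # Quick Login Check Milliseconds
    "minimumQuickLoginWaitSeconds": 5,    # Minimum Quick Login Wait
}

# Constructed sample: a realm export that still carries loose, default-like values.
SAMPLE_WEAK_REALM = {
    "realm": "acme-demo",
    "bruteForceProtected": False,
    "permanentLockout": False,
    "failureFactor": 30,
    "waitIncrementSeconds": 60,
    "maxFailureWaitSeconds": 900,
    "maxDeltaTimeSeconds": 43200,
    "quickLoginCheckMilliSeconds": 1000,
    "minimumQuickLoginWaitSeconds": 60,
}

# Constructed sample: the same realm after applying the recommended settings.
SAMPLE_HARDENED_REALM = {"realm": "acme-demo", **RECOMMENDED}


def check_realm(realm: dict) -> list[str]:
    """Return one finding per setting that is missing or deviates from RECOMMENDED."""
    findings = []
    for field, want in RECOMMENDED.items():
        if field not in realm:
            findings.append(f"{field}: not present in export (recommended {want!r})")
        elif realm[field] != want:
            findings.append(f"{field}: {realm[field]!r} (recommended {want!r})")
    return findings


if __name__ == "__main__":
    # Usage: python check_bruteforce.py realm-export.json (falls back to the weak sample)
    realm = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_WEAK_REALM
    for finding in check_realm(realm) or ["all brute force settings match the recommendation"]:
        print(f"{realm.get('realm', '?')}: {finding}")
```

A field reported as "not present in export" usually means the export came from a Keycloak version that predates that setting, so the console value should be confirmed by hand.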

Your Keycloak realm is now protected with brute force detection, helping to safeguard user accounts against repeated unauthorized login attempts.