Keycloak Brute Force Protection

This post describes how to configure Brute Force Protection in Keycloak.

What is a brute force attack?

According to OWASP:
“A brute-force attack is an attempt to discover a password by systematically trying every possible combination of letters, numbers, and symbols until you discover the one correct combination that works”

Keycloak configuration

Open the Keycloak admin page, open Realm Settings, go to the Security Defenses tab and open the Brute Force Protection tab.

Click the Enabled button.

Keycloak documentation related to the Brute Force Protection configuration is here.

My understanding of the default configuration

Preventing automated attacks

  • Lock after 2 consecutive login failures
  • Failures less than 1 second apart (too quick for a human)
  • Lock remains active for ~5 min

Preventing manual attacks

  • Lock after 30 consecutive login failures
  • Sliding window of 12 hours
  • Lock remains active for ~45 min
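To make the two rule sets above concrete, here is an added example (my own code, not Keycloak's) that models how the quick-login check, the failure threshold and the sliding window interact, and that emits the same settings in the attribute names Keycloak's realm representation uses (bruteForceProtected, failureFactor, maxDeltaTimeSeconds, waitIncrementSeconds, maxFailureWaitSeconds, quickLoginCheckMilliSeconds, minimumQuickLoginWaitSeconds). The rule logic is my simplified reading of the behaviour described in this post, and the numbers are constructed to mirror the post's summary rather than taken from a running Keycloak; check the realm's actual values in the admin console.

```python
"""Simplified model of Keycloak-style brute force protection (added example, not Keycloak code)."""
from dataclasses import dataclass


@dataclass
class BruteForceSettings:
    # Field names follow the Keycloak realm representation attributes, so the
    # dict from to_realm_representation() can be passed to the admin API or as
    # `kcadm.sh update realms/<realm> -s <name>=<value>`. Values are constructed
    # to mirror the post's summary; they are not Keycloak's shipped defaults.
    bruteForceProtected: bool = True
    failureFactor: int = 30                     # lock once failures reach this count
    maxDeltaTimeSeconds: int = 12 * 3600        # sliding window; older failures are forgotten
    waitIncrementSeconds: int = 45 * 60         # lock added each time the threshold is reached
    maxFailureWaitSeconds: int = 45 * 60        # cap on any temporary lock
    quickLoginCheckMilliSeconds: int = 1000     # two failures closer than this look automated
    minimumQuickLoginWaitSeconds: int = 5 * 60  # lock applied on such a quick failure

    def to_realm_representation(self) -> dict:
        """Attribute/value pairs in the shape the realm representation expects."""
        return dict(vars(self))


@dataclass
class LoginFailures:
    num_failures: int = 0
    last_failure_ms: int = 0            # 0 means no failure recorded yet
    failed_login_not_before_s: int = 0  # epoch seconds until which logins are refused


class BruteForceProtector:
    """Tracks login failures per user and decides when a temporary lock applies."""

    def __init__(self, settings: BruteForceSettings):
        self.settings = settings
        self.failures: dict[str, LoginFailures] = {}

    def is_temporarily_disabled(self, username: str, now_ms: int) -> bool:
        rec = self.failures.get(username)
        return rec is not None and rec.failed_login_not_before_s * 1000 > now_ms

    def login_failed(self, username: str, now_ms: int) -> int:
        """Record a failed login at now_ms; return the lock length in seconds (0 = no lock)."""
        s = self.settings
        if not s.bruteForceProtected:
            return 0
        rec = self.failures.setdefault(username, LoginFailures())
        delta_ms = now_ms - rec.last_failure_ms if rec.last_failure_ms else None
        # Sliding window: a failure older than maxDeltaTimeSeconds resets the counter.
        if delta_ms is not None and delta_ms > s.maxDeltaTimeSeconds * 1000:
            rec.num_failures = 0
        rec.num_failures += 1
        # Manual-attack rule: each time the count reaches a multiple of failureFactor,
        # the wait grows by waitIncrementSeconds (integer division keeps it at 0 below the threshold).
        wait_s = s.waitIncrementSeconds * (rec.num_failures // s.failureFactor)
        # Automated-attack rule: a failure following the previous one within
        # quickLoginCheckMilliSeconds is too fast for a human and triggers a short lock.
        if wait_s == 0 and delta_ms is not None and delta_ms < s.quickLoginCheckMilliSeconds:
            wait_s = s.minimumQuickLoginWaitSeconds
        if wait_s > 0:
            wait_s = min(wait_s, s.maxFailureWaitSeconds)
            rec.failed_login_not_before_s = now_ms // 1000 + wait_s
        rec.last_failure_ms = now_ms
        return wait_s

    def login_succeeded(self, username: str) -> None:
        """A successful login clears the user's failure record."""
        self.failures.pop(username, None)


def simulate_automated() -> int:
    """Two failures 200 ms apart: the quick-login check fires on the second one."""
    p = BruteForceProtector(BruteForceSettings())
    p.login_failed("alice", 1_000_000)
    return p.login_failed("alice", 1_000_200)


def simulate_manual() -> tuple:
    """Thirty failures 10 minutes apart (inside the 12 h window): lock only on the 30th."""
    p = BruteForceProtector(BruteForceSettings())
    waits = [p.login_failed("bob", i * 600_000) for i in range(30)]
    return waits[28], waits[29]


def simulate_window_reset() -> int:
    """29 failures, then one 13 h later: the window has passed, so the count restarts at 1."""
    p = BruteForceProtector(BruteForceSettings())
    for i in range(29):
        p.login_failed("carol", i * 600_000)
    return p.login_failed("carol", 28 * 600_000 + 13 * 3_600_000)


if __name__ == "__main__":
    print("quick-login lock (s):", simulate_automated())
    print("29th/30th failure lock (s):", simulate_manual())
    print("lock after window reset (s):", simulate_window_reset())
    print("realm settings:", BruteForceSettings().to_realm_representation())
```

Running the module prints a 300 s lock for the automated case, `(0, 2700)` for the manual case (no lock on the 29th failure, a 45 min lock on the 30th) and 0 after the window reset. The point worth noticing is that the two rules are independent: an attacker pacing attempts slower than one second still hits the threshold rule, and one pacing them hours apart still accumulates failures until the 12 h window closes.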