
Blocking a user on multiple failed logins

Ajay Bhat - Aug 27, 2017 - Identity

In this post, Vamsidhar Kontham and Krishna Padmasola explain how Kony MobileFabric can be configured to block a user after a number of failed login attempts. It is also possible to configure the period of time for which the user is blocked. This configuration is necessary for complying with DISA requirements.

The content in this post is applicable to Kony MobileFabric On Premises installations 7.2 onwards.

Introduction

Kony MobileFabric provides a security feature to block users after multiple failed login attempts. When a user tries to log in to the MobileFabric console with a registered account (email ID) and an incorrect password, the result is a failed login. After repeated failed logins, the user is blocked for a period of time called the blocking threshold. Within this interval, the account is not authenticated even if valid credentials are supplied. The user can attempt a valid login once the blocking threshold elapses.

Kony MobileFabric provides the flexibility to set the number of failed login attempts and the period of time for which the user is blocked.

Configuring User Blocking Feature

To configure the number of failed login attempts and the blocking threshold time in Identity, we first need to get the auth token.

Getting the auth token

  1. Log in to MFConsole from a browser and call the following API in another tab:
     <MobileFabric Url>/mfconsole/accountInfo
     The response will be in the following format:

Screenshot showing JSON response for /accountinfo

  2. Copy "authUrl" and "authToken" from the response.

Enable user blocking after multiple failed logins

To block the user after 3 consecutive failed attempts, use the following API:

POST <authUrl>/api/v1/setup/tenants/__global/properties

Headers:
Content-Type: application/json
X-Kony-Authorization: <authToken>
Request body:
{
   "name":"MAX_LOGIN_FAIL_ATTEMPTS",
   "value":"3"
}

This will cause the user account to be locked after 3 consecutive failed login attempts.

If the user enters the wrong password 3 consecutive times, the console will display the message:

User account locked due to multiple failed login attempts. Please contact system administrator.

Set user blocking threshold on failed login

The time for which the user remains blocked can be set using the following API:

POST <authUrl>/api/v1/setup/tenants/__global/properties
Headers:
Content-Type: application/json
X-Kony-Authorization: <authToken>
Request body:
{
   "name":"LOGIN_BLOCKING_THRESHOLD_MINUTES",
   "value":"15"
}

This keeps a blocked user in the blocked state for 15 minutes. After 15 minutes, the user can attempt to log in again and will succeed if the correct password is entered.

Unblocking the user

To unlock a blocked user before the blocking threshold has elapsed, the database admin needs to connect to the identity config database (usually named <prefix>idconfigdb<suffix>, where <prefix> and <suffix> are configured at installation time) and issue the following SQL (sample below for MySQL):

set sql_safe_updates = 0;
UPDATE users
SET
    user_status = 'active',
    login_fail_count = 0
WHERE
    userid = '<the blocked userid here>';
set sql_safe_updates = 1;

This will unblock the user even before the blocking threshold has elapsed. Alternatively, the user can wait for the threshold to elapse to attempt login again.