Log in back-off
Log in back-off is a security setting that lets genuine users into Citizen Space while helping to prevent brute force attacks on the log in page. It lets us set the number of consecutive log in attempts that can be made on your site and, once those are used up, a set back-off period applies between each further log in attempt.
This is on by default for all sites on deployment, to the following settings:
After 7 initial attempts, a back-off of 5 minutes before the next log in attempt is allowed, then 10 minutes for the one after that, then 60 minutes, then 360 minutes, then 1440 minutes.
In this example, every further attempt after that final one has a 1440 minute wait before it.
If you would like to configure this with different settings, get in touch with your customer success manager to let them know:
How many consecutive initial log in attempts should be allowed on your site
What time blocks (in minutes) you want us to apply between each further log in attempt
Things to know:
If one of your genuine users hits the back-off limit, they can use the 'forgotten password' link to reset their password, which will then allow them to log in once they've used the password reset link correctly.
If back-off is enabled, it will also alert a user via email when a back-off limit has been hit using their email address. This email also tells them when they are next able to log in. If it wasn't them trying to get in, it serves as a prompt for them to take preventative action such as resetting their password.
The back-off only applies if a correct user email address has been used, so, for security, no message appears on screen when a back-off has been hit; only the notification email mentioned above is sent.
Users who are getting their email address wrong won't experience a back-off limit. Citizen Space shows the message "Sorry, log in failed. Your email address and password are both case sensitive, please check that caps lock is off" for any attempt involving an incorrect email address or password.
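The default schedule above and the rules under 'Things to know', expressed as an added Python example (not Citizen Space's own code): backoff_minutes maps a count of consecutive failures to the wait it imposes, and LoginBackoff is a hypothetical per-account tracker that only counts attempts against known email addresses and clears on a successful log in or password reset. The clock is in minutes and supplied by the caller.

```python
# Defaults from the article: 7 free attempts, then these waits in minutes.
DEFAULT_INITIAL_ATTEMPTS = 7
DEFAULT_SCHEDULE_MINUTES = (5, 10, 60, 360, 1440)


def backoff_minutes(failures, initial_attempts=DEFAULT_INITIAL_ATTEMPTS,
                    schedule=DEFAULT_SCHEDULE_MINUTES):
    """Minutes to wait after `failures` consecutive failed log ins."""
    # The first `initial_attempts` failures cost nothing; later ones walk
    # through `schedule`, and its last entry repeats for every failure after.
    if failures < initial_attempts:
        return 0
    step = failures - initial_attempts
    return schedule[min(step, len(schedule) - 1)]


class LoginBackoff:
    """Per-account back-off tracker (hypothetical, not Citizen Space's own code).

    Only call record_failure() for email addresses that exist: attempts with an
    unknown address never count towards the limit, and the screen shows the same
    generic failure message either way.
    """

    def __init__(self, initial_attempts=DEFAULT_INITIAL_ATTEMPTS,
                 schedule=DEFAULT_SCHEDULE_MINUTES):
        self.initial_attempts = initial_attempts
        self.schedule = schedule
        self._state = {}  # email -> (failures, minute of last failure)

    def allowed_at(self, email, now):
        """Return (allowed, minutes_remaining) for an attempt at minute `now`."""
        if email not in self._state:
            return True, 0
        failures, last_failure_at = self._state[email]
        wait = backoff_minutes(failures, self.initial_attempts, self.schedule)
        ready_at = last_failure_at + wait
        return (True, 0) if now >= ready_at else (False, ready_at - now)

    def record_failure(self, email, now):
        """Count a failed attempt and return the wait now imposed (0 while free).
        A non-zero result is the moment to email the owner their next log in time."""
        failures = self._state.get(email, (0, now))[0] + 1
        self._state[email] = (failures, now)
        return backoff_minutes(failures, self.initial_attempts, self.schedule)

    def reset(self, email):
        """Clear the counter after a successful log in or password reset."""
        self._state.pop(email, None)
```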