Configuring brute force protection for checkCTC and policyAuth

You must configure the Max checkCTC failures and Max policyAuth failures settings in the IBM® MFA web services started task settings to use brute force protection for checkCTC and policyAuth. You must also define and authorize the AZFMETAS resource profiles.

The factor AZFMETAS resource profile is used to save the settings related to brute force protection and needs to be configured when IBM MFA web services are enabled. The user factor AZFMETAS contains user-level data related to brute force protection. When performing brute force protection processing, IBM MFA creates an AZFMETAS user factor entry for a user if one does not already exist.

IBM MFA does not check whether the AZFMETAS factor is ACTIVE or NOACTIVE when performing brute force protection processing; the counters are applied in either state.

Max checkCTC failures

The Max checkCTC failures setting indicates the maximum consecutive checkCTC failures before the user is suspended for checkCTC requests.

As described in Configuring check CTC, you configure the check CTC authentication factor on the CTC destination. The check CTC authentication factor in turn issues checkCTC calls to the CTC source.

To use brute force protection for these checkCTC calls, you configure Max checkCTC failures on the CTC source.

Max checkCTC failures restrictions at the CTC source environment result in AZFCKCTC requests returning Access Denied if the user's account has been attacked and the CKCTCFAILCT tag for the user exceeds the Max checkCTC failures setting. For example, if Max checkCTC failures is set to 5, and the CKCTCFAILCT tag for the user reaches 6, Access Denied is returned.
Note: If you were to instead configure the Max checkCTC failures on the CTC destination, it would not have any effect on AZFCKCTC requests issued from the destination to the CTC source. The AZFMETAS counters apply to checkCTC requests, which are not typically received on the CTC destination.

Max policyAuth failures

The Max policyAuth failures setting indicates the maximum consecutive IBM MFA Out-of-Band policyAuth failures before the user is suspended for policyAuth requests. If the number of policyAuth failures for a user exceeds the Max policyAuth failures setting, Access Denied is returned.

You configure Max policyAuth failures on the IBM MFA server where you configured IBM MFA Out-of-Band authentication.

Keep the following considerations in mind:

  • The brute force protection for the policyAuth web service also applies to R_factor function code 6 for Get cached token credential, because the same policy-based authentication engine is used for both features.
  • If you initialize IBM MFA without brute force protection for policy authentication, which is allowed if IBM MFA Out-of-Band authentication is not enabled, R_factor function code 6 results in the following error message output from AZF#IN00: rfactor_get_user_factordata error (userid=%s,safrc=%d,racfrc=%d,racfrsn=0x%x).

    Two instances of this message are generated for each R_factor function code 6 request handled by AZF#IN00. To suppress these messages, enable brute force protection as described in this section.
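The counter semantics described above for both Max checkCTC failures and Max policyAuth failures, as an added Python model (not IBM MFA code and not the real AZFMETAS record layout): a per-user entry is created on first use, each service keeps its own consecutive-failure counter, ACTIVE/NOACTIVE is ignored, and Access Denied is returned once the counter exceeds the configured maximum (setting 5, counter reaching 6). The reset of a counter on a successful request is an assumption drawn from "consecutive" and is not stated on the page.

```python
from dataclasses import dataclass, field

SERVICES = ("checkCTC", "policyAuth")


@dataclass
class UserMeta:
    """Constructed stand-in for a user's AZFMETAS entry (not the real layout)."""
    active: bool = True  # ACTIVE/NOACTIVE is deliberately never consulted below
    # consecutive failure counters; "checkCTC" plays the role of CKCTCFAILCT
    counters: dict = field(default_factory=lambda: {s: 0 for s in SERVICES})


class BruteForceGuard:
    """Models Max checkCTC failures / Max policyAuth failures enforcement."""

    def __init__(self, max_checkctc: int, max_policyauth: int):
        self.limits = {"checkCTC": max_checkctc, "policyAuth": max_policyauth}
        self.users = {}  # userid -> UserMeta

    def _meta(self, userid: str) -> UserMeta:
        # The entry is created for the user if it does not already exist.
        return self.users.setdefault(userid, UserMeta())

    def failure_count(self, userid: str, service: str) -> int:
        return self._meta(userid).counters[service]

    def is_suspended(self, userid: str, service: str) -> bool:
        # "Exceeds": a setting of 5 suspends when the counter reaches 6.
        return self.failure_count(userid, service) > self.limits[service]

    def attempt(self, userid: str, service: str, credential_ok: bool) -> str:
        """Outcome of one checkCTC or policyAuth request for this user."""
        meta = self._meta(userid)
        if self.is_suspended(userid, service):
            return "Access Denied"  # suspended: credential is not even evaluated
        if credential_ok:
            meta.counters[service] = 0  # assumption: consecutive count resets
            return "OK"
        meta.counters[service] += 1
        if self.is_suspended(userid, service):
            return "Access Denied"
        return "Authentication failed"


if __name__ == "__main__":
    guard = BruteForceGuard(max_checkctc=5, max_policyauth=3)
    for i in range(7):
        print(i + 1, guard.attempt("USER1", "checkCTC", credential_ok=False))
```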