- Affected version: 2.3.7
If a client has more than 4 failed login attempts with username / email and password within 15 minutes, the user account will be limited according to option
loginLimit:
This option is not applied though if Passkey logins are performed.
While Passkeys are a lot less vulnerable to brute-force attacks, it might still be useful to apply a limit.
Suggested Fix
Also apply the configured limit method for Passkey logins (Preferred)
or
Modify the wording to make it more clear that this does not affect Passkey logins
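
The preferred fix above, as an added sketch that is not the project's own code: one per-account failure counter is consulted before verification for every login method. The thresholds (more than 4 failures in 15 minutes) come from the report; `LoginLimiter`, `login`, the `exempt_methods` parameter and the `"limited"` result are assumptions for illustration, with `exempt_methods={"passkey"}` modelling the reported behaviour.

```python
import time
from collections import defaultdict, deque

WINDOW_SECONDS = 15 * 60  # from the report: 15 minutes
MAX_FAILURES = 4          # from the report: more than 4 failures triggers the limit


class LoginLimiter:
    """Sliding-window failure counter per account, shared by all login methods."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._failures = defaultdict(deque)  # account -> failure timestamps

    def _recent(self, account):
        # Drop failures that have aged out of the 15-minute window.
        failures = self._failures[account]
        cutoff = self._clock() - WINDOW_SECONDS
        while failures and failures[0] <= cutoff:
            failures.popleft()
        return failures

    def is_limited(self, account):
        return len(self._recent(account)) > MAX_FAILURES

    def record_failure(self, account):
        self._recent(account).append(self._clock())


def login(limiter, account, method, verify, exempt_methods=frozenset()):
    """Run one login attempt; returns "ok", "denied" or "limited".

    method is "password" or "passkey"; verify is a callable returning bool
    (hypothetical stand-in for the real credential or assertion check).
    A method listed in exempt_methods skips both the check and the count.
    """
    enforced = method not in exempt_methods
    if enforced and limiter.is_limited(account):
        # Placeholder for whatever action the configured limit option selects.
        return "limited"
    if verify():
        return "ok"
    if enforced:
        limiter.record_failure(account)
    return "denied"
```
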