Hello,

In my opinion, the current behavior is correct. To me, maxAuthenticationAttempts = 3 means "you have 3 authentication attempts before your account is locked," and not "the account is locked on the third attempt after 2 failures."

Therefore, if maxAuthenticationAttempts is set to 3, the user should be suspended *after* the 3rd failed login. Consequently, when the user tries to authenticate for the 4th time, they should see that their account is locked.

Best regards,
Lorenzo

On Thu, 4 Jun 2026 at 11:38, Massimiliano Perrone <[email protected]> wrote:

> Hi all, while reviewing the authentication failure handling, I noticed
> that the current behavior around *maxAuthenticationAttempts* seems
> counterintuitive.
>
> With `maxAuthenticationAttempts = 3`, the user is currently suspended
> only after the fourth failed login attempt. This happens because the
> suspension check uses a strict `>` comparison against the configured
> threshold.
>
> My expectation would be that `maxAuthenticationAttempts` represents the
> maximum number of failed authentication attempts allowed before
> suspension, so a value of `3` should suspend the user on the third
> failed attempt.
>
> I also did a quick check around and the behavior is always: when the
> configured maximum is reached, the account is disabled.
>
> Do you think it would make sense to change the check from `>` to `>=`, so
> that the account is suspended when the configured threshold is reached?
> For example:
>
> * maxAuthenticationAttempts = 3
> * failed login #1 -> failedLogins = 1, user not suspended
> * failed login #2 -> failedLogins = 2, user not suspended
> * failed login #3 -> failedLogins = 3, user suspended
>
> Thanks,
> Massimiliano
>
> --
> Massimiliano Perrone
> Tel +39 393 9121310
>
> Tirasa S.r.l.
> Viale Vittoria Colonna 97 - 65127 Pescara
> Tel +39 0859116307 / FAX +39 0859111173
> http://www.tirasa.net
>

--
Lorenzo Di Cola
Software Engineer @ Tirasa S.r.l.
Viale Vittoria Colonna, 97 - 65127 Pescara
Tel +39 0859116307 / FAX +39 0859111173
http://www.tirasa.net

Apache Syncope Committer
Syncope PMC Member at The Apache Software Foundation
http://people.apache.org/phonebook.html?uid=loredicola
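To make the off-by-one under discussion concrete, the following is an added example and not Apache Syncope's own code: the `Account` class, its `failedLogins` and `suspended` fields, and the `Comparison` enum are assumed stand-ins for whatever the real entity and check look like. It replays a run of failed logins against both candidate checks (`>` and `>=`) with `maxAuthenticationAttempts = 3` and reports on which attempt each one suspends the account.

```java
import java.util.ArrayList;
import java.util.List;

/**
 * Added example (not Apache Syncope code). Models the two candidate ways of
 * comparing the failed-login counter with maxAuthenticationAttempts and shows
 * on which failed attempt each one suspends the account.
 */
public class LockoutThresholdDemo {

    /** How the failed-login counter is compared with the configured maximum. */
    enum Comparison { STRICTLY_GREATER, GREATER_OR_EQUAL }

    /** Assumed minimal stand-in for a user: a counter plus a suspended flag. */
    static final class Account {
        int failedLogins;
        boolean suspended;
    }

    /**
     * Applies one failed authentication attempt to the account.
     * Returns true if this attempt is the one that suspended the account.
     */
    static boolean recordFailure(Account a, int maxAuthenticationAttempts, Comparison cmp) {
        if (a.suspended) {
            return false; // already locked: the counter is not touched again
        }
        a.failedLogins++;
        boolean thresholdHit = (cmp == Comparison.STRICTLY_GREATER)
                ? a.failedLogins > maxAuthenticationAttempts   // current behavior
                : a.failedLogins >= maxAuthenticationAttempts; // proposed behavior
        if (thresholdHit) {
            a.suspended = true;
        }
        return thresholdHit;
    }

    /**
     * Replays up to n failed logins on a fresh account and returns the 1-based
     * attempt number that caused suspension, or -1 if none did.
     */
    static int attemptThatSuspends(int maxAuthenticationAttempts, Comparison cmp, int n) {
        Account a = new Account();
        for (int i = 1; i <= n; i++) {
            if (recordFailure(a, maxAuthenticationAttempts, cmp)) {
                return i;
            }
        }
        return -1;
    }

    /** Produces the per-attempt trace in the same shape as the list in the original message. */
    static List<String> trace(int maxAuthenticationAttempts, Comparison cmp, int n) {
        List<String> lines = new ArrayList<>();
        Account a = new Account();
        for (int i = 1; i <= n; i++) {
            recordFailure(a, maxAuthenticationAttempts, cmp);
            lines.add(String.format("failed login #%d -> failedLogins = %d, %s",
                    i, a.failedLogins, a.suspended ? "user suspended" : "user not suspended"));
        }
        return lines;
    }

    public static void main(String[] args) {
        int max = 3;
        for (Comparison cmp : Comparison.values()) {
            System.out.println("maxAuthenticationAttempts = " + max + ", check uses " + cmp
                    + " -> suspended on attempt #" + attemptThatSuspends(max, cmp, max + 1));
            for (String line : trace(max, cmp, max + 1)) {
                System.out.println("  " + line);
            }
        }
    }
}
```

With `STRICTLY_GREATER` the account is suspended on attempt #4 (`failedLogins = 4`), with `GREATER_OR_EQUAL` on attempt #3, which is exactly the difference the two messages above disagree about. The example models only the counter and the comparison; rejecting logins against an already suspended account and resetting the counter on a successful login are outside its scope and must be checked separately in the real code.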
