Hello, In my opinion it is correct to suspend the user after the third failed login attempt.
Best regards, Samuel Il giorno gio 4 giu 2026 alle ore 11:38 Massimiliano Perrone < [email protected]> ha scritto: > Hi all, while reviewing the authentication failure handling, I noticed > that the current behavior around *maxAuthenticationAttempts* seems > counterintuitive. > > With `maxAuthenticationAttempts = 3`, the user is currently suspended > only after the fourth failed login attempt. This happens because the > suspension check uses a strict `>` comparison against the configured > threshold. > > My expectation would be that `maxAuthenticationAttempts` represents the > maximum number of failed authentication attempts allowed before > suspension, so a value of `3` should suspend the user on the third > failed attempt. > > I also did a quick check around and the behaviour is always: when the > configured maximum is reached, the account is disabled. > > Do you think it would make sense to change the check from > to >=, so > that the account is suspended when the configured threshold is reached? > For example: > > * maxAuthenticationAttempts = 3 > * failed login #1 -> failedLogins = 1, user not suspended > * failed login #2 -> failedLogins = 2, user not suspended > * failed login #3 -> failedLogins = 3, user suspended > > Thanks, > Massimiliano > > -- > Massimiliano Perrone > Tel +39 393 9121310 > > Tirasa S.r.l. > Viale Vittoria Colonna 97 - 65127 Pescara > Tel +39 0859116307 / FAX +39 0859111173 > http://www.tirasa.net >
