
Identity as a Service: Enable risk control

Last Updated: Dec 19, 2025

This document describes the risk control features of the CIAM platform. These features are categorized into IP address, account, and password security measures to enhance identity authentication.

Overview

As user numbers and access frequency grow, CIAM provides basic risk control features to enhance the security of user authentication.

CIAM divides risk control into three categories:

  • IP-based

  • Account-based

  • Password-based

IP-based

IP failure count

You can configure limits on consecutive authentication failures from the same IP address within a specific time range. After exceeding the limit, users must enter a Captcha to continue operations.

Configure through the console

Procedure

  1. Log on to the CIAM management platform with an administrator account.

  2. Navigate to Risk Management > Risk control. On the Number of IP failures card, configure the settings and enable or disable the feature.

  3. Click Configuration to set the IP failure count parameters.

  4. Parameter descriptions:

    • Time range: The time window within which authentication failures are counted; the default is 5 minutes.

    • Authentication failure count: The maximum number of allowed authentication failures.

    • Enable: Turns the IP failure count feature on or off.

IP blacklist

You can configure a global IP blacklist that applies to all applications. All requests from addresses in the IP blacklist will be rejected. The rejection scope includes authentication, user, management, and other types of interfaces. Use with caution.

Configure through the console

Procedure

  1. Log on to the CIAM management platform with an administrator account.

  2. Navigate to Risk Management > Risk control. On the IP blacklist card, you can enable or disable the feature and configure its settings.

  3. Click Configuration to set the IP blacklist parameters.

  4. Parameter descriptions:

    1. Blacklist IP list: Addresses in the IP blacklist cannot use any application's Client_ID, Client_Secret, or corresponding Access_Token to call interfaces.

    2. Enable: Turns the IP blacklist feature on or off.

IP whitelist

You can navigate to the application interface to configure IP whitelists. After configuration, only requests from addresses in the application's IP whitelist will be allowed. All requests from other IP addresses will be rejected.

Configure through the console

Procedure

  1. Log on to the CIAM management platform with an administrator account.

  2. Navigate to Risk Management > Risk control. On the IP whitelist card, go to the configuration page.

  3. Click Application page to configure to go to the IP whitelist settings.

  4. From the application list, select the target application and click IP Whitelist Configuration.

  5. Parameter descriptions:

    1. IP whitelist: When the whitelist is enabled, only API requests from IP addresses on the whitelist are processed. If the whitelist is empty, requests from all IP addresses are processed.

    2. Enable whitelist: Turns the IP whitelist feature on or off.
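The following is an added example, not code from the IDaaS documentation or the product itself. It shows the evaluation order a request goes through under the two IP cards described above: the global blacklist is checked first because it applies to every application and interface, and only then is the application's own whitelist consulted, with an empty or disabled whitelist meaning all addresses are processed. The configuration values, application IDs and the function names are constructed for the example.

```python
import ipaddress

# Constructed sample configuration (not from the page): one global IP blacklist
# and one IP whitelist per application, as the two console cards describe.
GLOBAL_BLACKLIST = ["203.0.113.0/24", "198.51.100.7"]
APP_WHITELISTS = {
    "app-partner-portal": {"enabled": True, "ips": ["192.0.2.0/24", "2001:db8::/32"]},
    "app-public-web": {"enabled": True, "ips": []},            # enabled but empty: all addresses processed
    "app-legacy": {"enabled": False, "ips": ["192.0.2.10"]},   # disabled: the list is ignored
}


def _networks(rules):
    """Parse a list of single addresses or CIDR blocks into network objects."""
    return [ipaddress.ip_network(rule, strict=False) for rule in rules]


def _matches(addr, nets):
    # An IPv4 address never matches an IPv6 block and vice versa.
    return any(addr.version == net.version and addr in net for net in nets)


def evaluate_request(client_ip, app_id):
    """Return 'allow', or the reason the request is rejected.

    The global blacklist is evaluated first because it applies to every
    application and every interface; the application's whitelist comes second.
    """
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return "reject:invalid-ip"   # never let an unparseable source address through
    if _matches(addr, _networks(GLOBAL_BLACKLIST)):
        return "reject:blacklist"
    whitelist = APP_WHITELISTS.get(app_id)
    if whitelist is None or not whitelist["enabled"] or not whitelist["ips"]:
        return "allow"               # no whitelist, disabled, or empty: all addresses processed
    if _matches(addr, _networks(whitelist["ips"])):
        return "allow"
    return "reject:not-whitelisted"
```

The blacklist check sits in front of the whitelist on purpose: an address that is blacklisted globally is rejected even if some application has whitelisted it, which matches the page's note that the blacklist rejects requests to authentication, user, management and other interfaces alike.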

Abnormal access location check

If the geographical location (derived from the IP address) changes abnormally between two consecutive authentication attempts by the same user, IDaaS sends a text message alert to the user. This feature requires that an SMS template be configured beforehand.

Configure through the console

Procedure

  1. Log on to the CIAM management platform with an administrator account.

  2. Navigate to Risk Management > Risk control. On the Check Location Errors card, enable or disable the feature.
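As an added example (not the product's own logic), the check below keeps each user's last known authentication location and raises an alert when the next attempt comes from somewhere else. The page does not say how "abnormal" is defined, so the rule used here, a change of country between two consecutive attempts, is an assumption, as is the small IP-to-location table that stands in for a GeoIP lookup.

```python
# Constructed IP-to-location table standing in for a GeoIP lookup (assumption:
# the real service derives the location from the source address by such a lookup).
GEO_TABLE = {
    "192.0.2.10": ("CN", "Hangzhou"),
    "192.0.2.11": ("CN", "Shanghai"),
    "198.51.100.5": ("DE", "Frankfurt"),
}


class AccessLocationChecker:
    """Remember each user's last authentication location and flag an abnormal change."""

    def __init__(self, geo_table):
        self._geo = geo_table
        self._last_location = {}   # user id -> (country, city) of the previous attempt

    def record_attempt(self, user, client_ip):
        """Return an alert string when the location changed abnormally, else None.

        Assumed rule: a different country between two consecutive attempts counts
        as abnormal; the page does not define the threshold, so adjust as needed.
        """
        location = self._geo.get(client_ip)
        previous = self._last_location.get(user)
        if location is not None:
            self._last_location[user] = location
        if previous is None or location is None:
            return None   # first attempt, or no location known for this address
        if location[0] != previous[0]:
            return f"sms-alert:{user}:{previous[0]}->{location[0]}"
        return None
```

An address with no location entry is deliberately not treated as a change: it neither triggers an alert nor overwrites the last known location, so a gap in the lookup data does not produce a false alarm or hide the next real one.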

Account

Brute-force protection with CAPTCHA

You can require a Captcha after a configured number of authentication failures within a time range when the username/phone/email + password authentication method is used. This mitigates brute-force attacks such as rainbow table attacks.

Configure through the console

Procedure

  1. Log on to the CIAM management platform with an administrator account.

  2. Navigate to Risk Management > Risk control. On the Account secret anti-riot graphic verification code card, configure the settings and enable or disable the feature.

  3. Parameter descriptions:

    1. Time range: The time window within which authentication failures are counted; the default is 5 minutes.

    2. Authentication failure count: The number of authentication failures allowed within the time range before a Captcha is required. If set to 0, a Captcha is always required.

    3. Enable: Turns the Brute-force Protection With Captcha feature on or off.

Brute-force protection with frequency limit

You can limit the number of authentication failures within a time range when the username/phone/email + password authentication method is used. This prevents automated access and brute-force attacks such as rainbow table attacks.

Configure through the console

Procedure

  1. Log on to the CIAM management platform with an administrator account.

  2. Navigate to Risk Management > Risk control. On the Account secret riot frequency limit card, you can configure the settings and enable or disable the feature.

  3. Parameter descriptions:

    1. Time range: The time window within which authentication failures are counted, e.g., 5 minutes.

    2. Frequency count: The maximum number of authentication failures allowed within the time range, e.g., 2.

    3. Lock time range: How long the account stays locked once the limit is reached, e.g., 5 minutes.

    4. Enable: Turns the Brute-force Protection With Frequency Limit feature on or off.

SMS/Email protection with CAPTCHA

You can require a Captcha for human-machine verification before a text message is sent, to prevent automated bulk sending of text messages and the resulting losses.

Configure through the console

Procedure

  1. Log on to the CIAM management platform with an administrator account.

  2. Navigate to Risk Management > Risk control. On the SMS/Email Riot Graphic Verification Code card, you can configure the settings and enable or disable the feature.

  3. Parameter descriptions:

    1. Time range: The time window within which authentication failures are counted, e.g., 5 minutes.

    2. Authentication failure count: The number of authentication failures allowed within the time range; e.g., after 2 consecutive authentication failures within the set time range, a Captcha is required.

    3. Enable: Turns the SMS/Email Protection With Captcha feature on or off.

SMS/Email protection with frequency limit

You can limit how often text messages are sent, as a human-machine verification measure, to prevent automated bulk sending of text messages and the resulting losses.

Configure through the console

Procedure

  1. Log on to the CIAM management platform with an administrator account.

  2. Navigate to Risk Management > Risk control. On the SMS/Email Riot Frequency Limit card, you can configure the settings and enable or disable the feature.

  3. Parameter descriptions:

    1. Time range: The time window within which attempts are counted, e.g., 5 minutes.

    2. Frequency count: The maximum number of attempts allowed within the time range, e.g., 2.

    3. Lock time range: How long the limit stays in force once it is reached, e.g., 5 minutes.

    4. Enable: Turns the SMS/Email Protection With Frequency Limit feature on or off.

Logon protection with SMS limit

You can limit how many times an SMS/email verification code may be checked within the same logon flow, to prevent authentication risks caused by lost verification codes.

Configure through the console

Procedure

  1. Log on to the CIAM management platform with an administrator account.

  2. Navigate to Risk Management > Risk control. On the Login anti-riot SMS restrictions card, you can configure the settings and enable or disable the feature.

  3. Parameter descriptions:

    1. Verification count: The maximum number of times a verification code may be checked, e.g., 3. Once this count is exceeded, the current verification code becomes invalid.

    2. Enable: Turns the Logon Protection With SMS Limit feature on or off.
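The following is an added example, not code from the IDaaS documentation, of the per-flow verification limit described above: each logon flow gets one code, every check of that code is counted, and once the allowed number of checks is used up the code is discarded so a further guess cannot succeed. The five-minute expiry and the class and method names are assumptions; the limit of 3 is the page's example value.

```python
import hmac
import secrets
import time

MAX_VERIFICATIONS = 3     # the page's example: after 3 checks the code is invalid
CODE_TTL_SECONDS = 300    # assumption: codes also expire after 5 minutes


class VerificationCodeStore:
    """Issue one code per logon flow and cap how often it may be checked."""

    def __init__(self, max_attempts=MAX_VERIFICATIONS, ttl=CODE_TTL_SECONDS, now=time.time):
        self._max = max_attempts
        self._ttl = ttl
        self._now = now
        self._codes = {}   # flow id -> {"code", "attempts", "expires"}

    def issue(self, flow_id, code=None):
        """Generate (or accept, for tests) a 6-digit code bound to this logon flow."""
        if code is None:
            code = f"{secrets.randbelow(10 ** 6):06d}"
        self._codes[flow_id] = {"code": code, "attempts": 0, "expires": self._now() + self._ttl}
        return code

    def verify(self, flow_id, submitted):
        """Return 'ok', 'wrong', 'invalidated', 'expired' or 'no_code'."""
        entry = self._codes.get(flow_id)
        if entry is None:
            return "no_code"          # never issued, consumed, or already invalidated
        if self._now() > entry["expires"]:
            del self._codes[flow_id]
            return "expired"
        entry["attempts"] += 1
        # Constant-time comparison so timing does not leak how many digits matched.
        if hmac.compare_digest(entry["code"].encode(), str(submitted).encode()):
            del self._codes[flow_id]  # a code is single-use
            return "ok"
        if entry["attempts"] >= self._max:
            del self._codes[flow_id]  # the allowed verification count is used up
            return "invalidated"
        return "wrong"
```

Invalidating the code, rather than merely refusing further checks, is the important detail: with a six-digit code and no cap, an attacker who obtained the logon flow could keep submitting guesses, whereas capping the checks at 3 leaves them a negligible chance per issued code.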

Authentication frequency limit

You can configure limits on the number of authentication attempts for the same account within a specific time range (regardless of success or failure) to prevent bot proxies and improve account security.

Configure through the console

Procedure

  1. Log on to the CIAM management platform with an administrator account.

  2. Navigate to Risk Management > Risk control. On the Authentication frequency limit card, you can enable or disable the feature and configure its settings.

  3. Parameter descriptions:

    1. Time range: The time window within which authentication attempts (successful or failed) are counted, e.g., 5 minutes.

    2. Authentication frequency count: The maximum number of authentication attempts allowed within the time range, e.g., 2.

    3. Lock time range: How long the account stays locked once the limit is reached, e.g., 5 minutes.

    4. Enable: Turns the authentication frequency limit feature on or off.
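The IP failure count, the two brute-force protection cards, the two SMS/Email protection cards and the authentication frequency limit above are all the same mechanism with different inputs: count events per subject (a source IP, an account or a phone number) inside a sliding time window and, at the configured count, either demand a Captcha or lock the subject for the lock time range. The example below is added here and is not the product's code; it implements that shared mechanism once and then wires three instances together the way a password logon would use them. The thresholds marked as assumed are not given on the page; the 2-per-5-minutes limit with a 5-minute lock is the page's example for the authentication frequency limit.

```python
import time
from collections import defaultdict, deque


class SlidingWindowPolicy:
    """One risk-control card: count events per subject inside a time window and,
    once the count reaches `threshold`, either demand a Captcha or lock the subject.

    subject      - what is counted: a source IP, an account, or a phone number
    window       - the card's "Time range", in seconds
    threshold    - the card's failure/frequency count (0 with action 'captcha'
                   means a Captcha is always required, as the page describes)
    action       - 'captcha' or 'lock'
    lock_seconds - the card's "Lock time range" (only used with action 'lock')
    """

    def __init__(self, window, threshold, action, lock_seconds=0, now=time.time):
        self.window, self.threshold, self.action = window, threshold, action
        self.lock_seconds, self._now = lock_seconds, now
        self._events = defaultdict(deque)   # subject -> timestamps inside the window
        self._locked_until = {}             # subject -> time the lock expires

    def _recent(self, subject):
        """Drop timestamps that fell out of the window and return the deque."""
        events, cutoff = self._events[subject], self._now() - self.window
        while events and events[0] <= cutoff:
            events.popleft()
        return events

    def record(self, subject):
        """Count one event: a failure, or any attempt, depending on the card."""
        events = self._recent(subject)
        events.append(self._now())
        if self.action == "lock" and len(events) >= self.threshold:
            self._locked_until[subject] = self._now() + self.lock_seconds
            events.clear()

    def check(self, subject):
        """Return 'allow', 'captcha' or 'locked' for the next request from subject."""
        until = self._locked_until.get(subject)
        if until is not None:
            if self._now() < until:
                return "locked"
            del self._locked_until[subject]   # lock expired
        if self.action == "captcha" and len(self._recent(subject)) >= self.threshold:
            return "captcha"
        return "allow"


class LogonRiskControl:
    """Three cards that gate a password logon, wired together."""

    def __init__(self, now=time.time):
        # IP failure count: Captcha after 5 failures per IP in 5 minutes (5 is assumed)
        self.ip_failures = SlidingWindowPolicy(300, 5, "captcha", now=now)
        # Brute-force protection with CAPTCHA: after 3 failures per account (3 is assumed)
        self.account_failures = SlidingWindowPolicy(300, 3, "captcha", now=now)
        # Authentication frequency limit: 2 attempts per 5 minutes, then a 5-minute lock
        self.account_attempts = SlidingWindowPolicy(300, 2, "lock", 300, now=now)

    def precheck(self, client_ip, account):
        """Most restrictive decision wins: a lock beats a Captcha, which beats allow."""
        decisions = {
            self.ip_failures.check(client_ip),
            self.account_failures.check(account),
            self.account_attempts.check(account),
        }
        if "locked" in decisions:
            return "locked"
        if "captcha" in decisions:
            return "captcha"
        return "allow"

    def record_result(self, client_ip, account, success):
        """Attempts count regardless of outcome; failures feed the two failure counters."""
        self.account_attempts.record(account)
        if not success:
            self.ip_failures.record(client_ip)
            self.account_failures.record(account)
```

The SMS/Email cards use the same class with the phone number or e-mail address as the subject and each send request as the event. Two details matter in practice: the counters are keyed separately per IP and per account, so a distributed attempt against one account and a single source cycling through many accounts are both caught, and the authentication frequency limit counts successes too, which is why `record_result` feeds it unconditionally.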

Password

Password history

You can maintain a password history record for each account. Users cannot use passwords that match their historical passwords when registering or changing passwords. The number of historical passwords to check can be configured.

Configure through the console

Procedure

  1. Log on to the CIAM management platform with an administrator account.

  2. Navigate to Risk Management > Risk control. On the Historical Passwords card, you can enable or disable the feature and configure its settings.

  3. Parameter descriptions:

    1. Password history: The number of most recent passwords that a new password must not match, e.g., 5.

    2. Enable: Turns the password history feature on or off.
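As an added example (not the product's implementation), the class below keeps the configured number of most recent passwords per account, stored only as salted slow hashes, and rejects a new password that matches any of them. The history depth of 5 is the page's example; the choice of PBKDF2-HMAC-SHA256 as the hash, the decision to count the password currently in use as one of the remembered entries, and the class name are assumptions.

```python
import hashlib
import hmac
import os
from collections import deque

HISTORY_DEPTH = 5   # the page's example value


def _hash_password(password, salt):
    """Salted slow hash so the history never stores reusable plaintext.

    Assumption: PBKDF2-HMAC-SHA256 stands in for whatever slow hash the platform
    uses for the live credential; the history should use the same one.
    """
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


class PasswordHistory:
    """Remember the most recent `depth` passwords per account (including the current one)."""

    def __init__(self, depth=HISTORY_DEPTH):
        self.depth = depth
        self._history = {}   # account -> deque of (salt, digest), oldest first

    def is_reused(self, account, candidate):
        """True if candidate matches any remembered password for the account."""
        for salt, digest in self._history.get(account, ()):
            if hmac.compare_digest(_hash_password(candidate, salt), digest):
                return True
        return False

    def set_password(self, account, new_password):
        """Accept and remember the new password, or return False if it is a reuse."""
        if self.is_reused(account, new_password):
            return False
        history = self._history.setdefault(account, deque(maxlen=self.depth))
        salt = os.urandom(16)
        history.append((salt, _hash_password(new_password, salt)))   # oldest entry drops off
        return True
```

Each history entry carries its own random salt, so the candidate must be re-hashed once per entry; that cost is bounded by the history depth and is the price of not storing anything an attacker who reads the history table could reuse.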

Periodic password change

You can configure whether to enforce regular password changes and set the password validity period. The period is set by the administrator in the configuration. When the period expires, users must change their password before accessing application resources. Enable with caution.

Configure through the console

Procedure

  1. Log on to the CIAM management platform with an administrator account.

  2. Navigate to Risk Management > Risk control. On the Regularly Change Password card, you can configure the settings and enable or disable this feature.

  3. Parameter descriptions:

    1. Password validity period: Select the valid usage period for your current password. Options include 10 days, 30 days, 60 days, 180 days, 360 days.

    2. Enable: Turns the periodic password change feature on or off.

Password strength check

You can set a password strength policy suitable for your users. When enabled, users will be prompted and required to set passwords that meet your specified strength requirements when setting or changing passwords.

Configure through the console

Procedure

  1. Log on to the CIAM management platform with an administrator account.

  2. Navigate to Risk Management > Risk control. On the Password Security Detection card, you can enable or disable the feature and configure its settings.

  3. Parameter descriptions:

    1. Minimum length: The minimum number of characters a password must contain.

    2. Password complexity: Complexity configuration options include the following:

      • The password must contain at least one uppercase letter

      • The password must contain at least one lowercase letter

      • The password must contain at least one digit 0-9

      • The password must contain at least one special character (!@ # $ % & * ~)

      • The password cannot contain the username

      • The password cannot contain the pinyin of the user's name

      • The password cannot contain the phone number

      • The password cannot contain the email prefix

    3. Enable: Turns the password strength check on or off.

Weak password check

You can detect weak passwords to eliminate the risk posed by accounts that use them. When weak password detection is enabled, users are prompted and cannot set a password that matches an entry in the weak password library when registering or changing their password.

Configure through the console

Procedure

  1. Log on to the CIAM management platform with an administrator account.

  2. Navigate to Risk Management > Risk control and on the Weak Password Detection card, enable or disable the feature.
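The following is an added example, not the product's own validator, covering both the password strength check (minimum length, the complexity options listed above, and the four contextual rules: username, pinyin of the name, phone number, email prefix) and the weak password check in one pass. The special-character set is the one the page lists; the minimum length of 8, the small weak password library, the idea that the pinyin of the user's name is supplied as a ready-made string, and the function name are assumptions.

```python
import re

SPECIAL_CHARACTERS = "!@#$%&*~"   # the special characters the page lists
# Constructed stand-in for the weak password library the page refers to.
WEAK_PASSWORD_LIBRARY = {"123456", "password", "qwerty", "111111", "abc123", "iloveyou"}

# Assumed policy values; the page does not give a default minimum length.
POLICY = {
    "min_length": 8,
    "require_upper": True,
    "require_lower": True,
    "require_digit": True,
    "require_special": True,
    "forbid_username": True,
    "forbid_name_pinyin": True,
    "forbid_phone": True,
    "forbid_email_prefix": True,
    "weak_password_check": True,
}


def check_password(password, policy=POLICY, username="", name_pinyin="", phone="", email=""):
    """Return the names of the rules the password violates; an empty list means accepted.

    Contextual checks are case-insensitive, since "Alice2024" still contains the
    username "alice". name_pinyin is assumed to arrive already romanised.
    """
    failures = []
    lowered = password.lower()
    if len(password) < policy["min_length"]:
        failures.append("min_length")
    if policy["require_upper"] and not re.search(r"[A-Z]", password):
        failures.append("uppercase")
    if policy["require_lower"] and not re.search(r"[a-z]", password):
        failures.append("lowercase")
    if policy["require_digit"] and not re.search(r"[0-9]", password):
        failures.append("digit")
    if policy["require_special"] and not any(c in SPECIAL_CHARACTERS for c in password):
        failures.append("special")
    if policy["forbid_username"] and username and username.lower() in lowered:
        failures.append("contains_username")
    if policy["forbid_name_pinyin"] and name_pinyin and name_pinyin.lower() in lowered:
        failures.append("contains_name_pinyin")
    if policy["forbid_phone"] and phone and phone in password:
        failures.append("contains_phone")
    if policy["forbid_email_prefix"] and email:
        prefix = email.split("@", 1)[0].lower()
        if prefix and prefix in lowered:
            failures.append("contains_email_prefix")
    if policy["weak_password_check"] and lowered in WEAK_PASSWORD_LIBRARY:
        failures.append("weak_password")
    return failures
```

Returning every violated rule, rather than stopping at the first, is what lets the registration form show the user the complete set of requirements in one prompt. The compromised password check described in the next section is the same membership test against a different, continuously updated library.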

Compromised password check

IDaaS continuously updates a record of passwords that have been compromised on the Internet. When this option is selected, the system will reject any password recorded in the compromised password library when users register or change passwords.

Configure through the console

Procedure

  1. Log on to the CIAM management platform with an administrator account.

  2. Go to Risk Management > Risk control. On the Hacked Password Detection card, you can enable or disable the feature.