Customer Identity and Access Management (CIAM) includes built-in risk controls to protect user accounts against common attacks. Controls are organized into three categories: IP-based, account-based, and password-based. All controls are configured under Risk Management > Risk control in the CIAM console.
How risk controls work
Each control targets a specific attack signal. The table below shows all available controls, what risk they detect, and how they respond.
| Category | Control | Risk signal | Response |
|---|---|---|---|
| IP-based | IP failure count | High failed-authentication rate from one IP | Requires CAPTCHA after the threshold is exceeded |
| IP-based | IP blacklist | Known malicious IP | Blocks all requests from listed IPs across all interfaces |
| IP-based | IP whitelist | Unexpected source IP | Rejects requests from IPs not on the application's allowlist |
| IP-based | Abnormal access location check | Geographically inconsistent IP between consecutive logons | Sends an SMS alert to the user |
| Account-based | Brute-force protection with CAPTCHA | Repeated password failures on one account | Requires CAPTCHA after the threshold is exceeded |
| Account-based | Brute-force protection with rate limiting | Repeated password failures on one account | Locks the account for a configurable duration |
| Account-based | SMS/Email protection with CAPTCHA | Repeated verification code requests | Requires CAPTCHA before sending the next code |
| Account-based | SMS/Email protection with rate limiting | High verification code request frequency | Locks code delivery for a configurable duration |
| Account-based | Logon SMS verification limit | Excessive verification code use in one logon flow | Invalidates the code after the limit is exceeded |
| Account-based | Authentication frequency limit | High total authentication volume on one account | Locks the account for a configurable duration |
| Password-based | Password history | Password reuse | Prevents users from reusing recent passwords |
| Password-based | Periodic password change | Stale credentials | Forces a password reset after the validity period expires |
| Password-based | Password strength check | Weak password at set/change time | Enforces complexity requirements |
| Password-based | Weak password check | Password found in the weak password library | Blocks the password at set/change time |
| Password-based | Compromised password check | Password found in known breach data | Blocks the password at set/change time |
IP-based controls
IP failure count
Limits consecutive authentication failures from the same IP address within a time window. After the threshold is exceeded, the user must complete a CAPTCHA to continue.
Configure in the console
Log on to the CIAM console with an administrator account.
Go to Risk Management > Risk control.
On the Number of IP failures card, click Configuration.
Set the parameters, then enable or disable the control.
IP blacklist
Blocks all requests from listed IP addresses across every interface — authentication, user management, and administrative APIs. The blacklist applies globally to all applications.
Blocked IPs cannot use any application's Client_ID, Client_Secret, or corresponding Access_Token to call interfaces. Test your IP list carefully before enabling to avoid locking out legitimate users.
Configure in the console
Log on to the CIAM console with an administrator account.
Go to Risk Management > Risk control.
On the IP blacklist card, click Configuration.
Add IP addresses to the blacklist, then enable or disable the control.
IP whitelist
Restricts access to a specific set of allowed IP addresses, configured per application. When enabled, only requests from listed IPs are processed. If the whitelist is empty, requests from all IPs are allowed.
Unlike the IP blacklist, the whitelist is configured at the application level, not globally.
Configure in the console
Log on to the CIAM console with an administrator account.
Go to Risk Management > Risk control.
On the IP whitelist card, click Application page to configure.
From the application list, select the target application, then click IP Whitelist Configuration.
Add IP addresses and enable or disable the whitelist.
Abnormal access location check
Detects when consecutive authentication attempts from the same user originate from geographically inconsistent IP locations. When detected, IDaaS sends an SMS alert to the user.
Prerequisite: Configure an SMS template before enabling this control.
Configure in the console
Log on to the CIAM console with an administrator account.
Go to Risk Management > Risk control.
On the Check Location Errors card, enable or disable the control.
Account-based controls
Brute-force protection with CAPTCHA
Applies to username/phone/email + password authentication. After a configured number of failed attempts within the time window, the user must complete a CAPTCHA before trying again. Protects against brute-force and rainbow table attacks.
Setting the failure count to 0 makes CAPTCHA mandatory on every attempt.
Configure in the console
Log on to the CIAM console with an administrator account.
Go to Risk Management > Risk control.
On the Account secret anti-riot graphic verification code card, click the configuration area.
Set the parameters, then enable or disable the control.
Brute-force protection with rate limiting
Applies to username/phone/email + password authentication. After a configured number of failed attempts within the time window, the account is locked for the lockout duration. Protects against bots and rainbow table attacks.
Configure in the console
Log on to the CIAM console with an administrator account.
Go to Risk Management > Risk control.
On the Account secret riot frequency limit card, click the configuration area.
Set the parameters, then enable or disable the control.
SMS/Email protection with CAPTCHA
Requires users to complete a CAPTCHA before receiving an SMS or email verification code after repeated failures. Prevents automated code-request attacks.
Configure in the console
Log on to the CIAM console with an administrator account.
Go to Risk Management > Risk control.
On the SMS/Email Riot Graphic Verification Code card, click the configuration area.
Set the parameters, then enable or disable the control.
SMS/Email protection with rate limiting
Locks SMS/email code delivery after a high request frequency. Prevents automated sending.
Configure in the console
Log on to the CIAM console with an administrator account.
Go to Risk Management > Risk control.
On the SMS/Email Riot Frequency Limit card, click the configuration area.
Set the parameters, then enable or disable the control.
Logon SMS verification limit
Caps the number of times a verification code can be checked within a single logon flow. When the limit is exceeded, the current code becomes invalid. Reduces risk from lost or intercepted codes.
Configure in the console
Log on to the CIAM console with an administrator account.
Go to Risk Management > Risk control.
On the Login anti-riot SMS restrictions card, click the configuration area.
Set the parameters, then enable or disable the control.
Authentication frequency limit
Limits total authentication attempts (successful or failed) on the same account within a time window. After the limit is exceeded, the account is locked for the lockout duration. Protects against bots and credential stuffing.
Configure in the console
Log on to the CIAM console with an administrator account.
Go to Risk Management > Risk control.
On the Authentication frequency limit card, click Configuration.
Set the parameters, then enable or disable the control.
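The IP failure count control and the account-based CAPTCHA, lockout and authentication frequency controls above are all sliding-window counters. The following Python model is an added example, not CIAM's own code; all thresholds, window lengths and the decide/record API are constructed for illustration, and the IP addresses in the comments are documentation ranges.

```python
from collections import defaultdict, deque

class RiskControls:
    """Sliding-window model of the IP failure count, brute-force CAPTCHA,
    brute-force rate limit and authentication frequency limit controls.
    All thresholds are constructed defaults for this example, not CIAM's."""

    def __init__(self, window=300, ip_captcha_at=5, acct_captcha_at=3,
                 acct_lock_at=8, total_limit=20, lock_seconds=900):
        self.window, self.ip_captcha_at = window, ip_captcha_at
        self.acct_captcha_at, self.acct_lock_at = acct_captcha_at, acct_lock_at
        self.total_limit, self.lock_seconds = total_limit, lock_seconds
        self.ip_fail = defaultdict(deque)    # ip -> failure timestamps
        self.acct_fail = defaultdict(deque)  # account -> failure timestamps
        self.acct_all = defaultdict(deque)   # account -> every attempt, any outcome
        self.locked_until = {}               # account -> time the lock expires

    def _prune(self, dq, now):
        # Drop events that have fallen out of the sliding time window.
        while dq and dq[0] <= now - self.window:
            dq.popleft()

    def decide(self, account, ip, now):
        """What the next attempt needs: 'allow', 'captcha' or 'locked'."""
        if self.locked_until.get(account, 0) > now:
            return "locked"
        for dq in (self.ip_fail[ip], self.acct_fail[account], self.acct_all[account]):
            self._prune(dq, now)
        # CAPTCHA controls: per-IP failure count or per-account failure count.
        if (len(self.ip_fail[ip]) >= self.ip_captcha_at
                or len(self.acct_fail[account]) >= self.acct_captcha_at):
            return "captcha"
        return "allow"

    def record(self, account, ip, now, success):
        """Record one attempt, apply lockouts, return the post-attempt state."""
        self.acct_all[account].append(now)
        if success:
            self.acct_fail[account].clear()  # a correct password resets the failure streak
        else:
            self.ip_fail[ip].append(now)
            self.acct_fail[account].append(now)
        self._prune(self.acct_fail[account], now)
        self._prune(self.acct_all[account], now)
        # Rate-limiting controls: lock on repeated failures, or on too many
        # attempts of any outcome (authentication frequency limit).
        if (len(self.acct_fail[account]) >= self.acct_lock_at
                or len(self.acct_all[account]) >= self.total_limit):
            self.locked_until[account] = now + self.lock_seconds
            self.acct_fail[account].clear()
            self.acct_all[account].clear()
        return self.decide(account, ip, now)
```

Note that the IP counter is shared across accounts, so a spray of single failures against many accounts from one source still trips the CAPTCHA requirement, while the per-account lock protects a single target even when failures arrive from many IPs.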
Password-based controls
The following controls govern what passwords users can set or keep. They apply at registration and at password-change time.
| Control | What it prevents |
|---|---|
| Password history | Reuse of recent passwords |
| Periodic password change | Credentials that are never rotated |
| Password strength check | Passwords that are too simple |
| Weak password check | Passwords in the weak password library |
| Compromised password check | Passwords known to be in breach databases |
Password history
Prevents users from reusing their most recent passwords when registering or changing passwords.
Configure in the console
Log on to the CIAM console with an administrator account.
Go to Risk Management > Risk control.
On the Historical Passwords card, click Configuration.
Set the parameters, then enable or disable the control.
Periodic password change
Enforces a password validity period. When the period expires, users must change their password before accessing application resources.
Enable with caution: once the validity period expires, every affected user is blocked from application resources until they complete a password change, so plan the rollout and the user notification in advance.
Configure in the console
Log on to the CIAM console with an administrator account.
Go to Risk Management > Risk control.
On the Regularly Change Password card, click the configuration area.
Set the parameters, then enable or disable the control.
Password strength check
Enforces complexity requirements when users set or change their password. When enabled, users cannot save a password that does not meet all selected requirements.
Configure in the console
Log on to the CIAM console with an administrator account.
Go to Risk Management > Risk control.
On the Password Security Detection card, click Configuration.
Set the minimum length and select complexity rules, then enable or disable the control.
Weak password check
Checks passwords against a built-in weak password library at registration and at password-change time. Users cannot set a password that matches any entry in the library.
Configure in the console
Log on to the CIAM console with an administrator account.
Go to Risk Management > Risk control.
On the Weak Password Detection card, enable or disable the control.
Compromised password check
Checks passwords against a continuously updated list of credentials known to have been exposed in data breaches. Users cannot set a password found in the compromised password library when registering or changing passwords.
Configure in the console
Log on to the CIAM console with an administrator account.
Go to Risk Management > Risk control.
On the Hacked Password Detection card, enable or disable the control.
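To show how the five password-based controls combine at set/change time, here is an added Python checker that is not CIAM's own code. The weak password library and the breach hash set are tiny constructed stand-ins for CIAM's built-in and continuously updated libraries, and the minimum length, character-class count, history depth and validity period are constructed defaults.

```python
import hashlib
import os
import re

# Constructed sample data: in CIAM these come from the built-in weak password
# library and the continuously updated compromised password library.
WEAK_LIBRARY = {"password", "123456", "qwerty", "p@ssw0rd12", "admin123"}
BREACHED_SHA1 = {hashlib.sha1(p.encode()).hexdigest().upper()
                 for p in ("Welcome123!", "Summer2023!")}

# Character classes counted by the strength check.
CLASSES = [re.compile(r"[a-z]"), re.compile(r"[A-Z]"),
           re.compile(r"\d"), re.compile(r"[^\w\s]")]

def hash_for_history(password, salt=None):
    """Salted PBKDF2 digest suitable for storing in the password history."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def password_expired(set_at, now, validity_days):
    """Periodic password change: True once the validity period has elapsed."""
    return now - set_at >= validity_days * 86400

class PasswordPolicy:
    def __init__(self, min_length=10, classes_required=3, history_depth=5):
        self.min_length = min_length
        self.classes_required = classes_required
        self.history_depth = history_depth

    def check(self, password, history):
        """Return None if acceptable, else the name of the first failing control.
        history is a list of (salt, digest) pairs from hash_for_history."""
        classes = sum(1 for c in CLASSES if c.search(password))
        if len(password) < self.min_length or classes < self.classes_required:
            return "password strength check"
        # Case-insensitive library match is a constructed choice for this example.
        if password.lower() in WEAK_LIBRARY:
            return "weak password check"
        if hashlib.sha1(password.encode()).hexdigest().upper() in BREACHED_SHA1:
            return "compromised password check"
        for salt, digest in history[-self.history_depth:]:
            if hash_for_history(password, salt)[1] == digest:
                return "password history"
        return None
```

The checks are ordered from cheapest to most expensive; the history comparison recomputes a salted hash per stored entry, which is why history_depth bounds the cost of a password change.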