Can I prevent a password brute force attack through self-service?
The self-service itself does not have any lockout rules which would apply when to many attempts for login have been noticed. This has to be configured according to our documentation.
The UCR variables
umc/self-service/passwordreset/limit/per_user/* do not apply as an attempt to logon is not a password reset so it is not taken into account.