Q&A: Can I Prevent A Password Brute Force Attack Through Self-Service?

Question

Can I prevent a password brute force attack through self-service?

Answer

The self-service itself does not have any lockout rules that apply when too many login attempts are detected. Lockout has to be configured according to our documentation.

The UCR variables umc/self-service/passwordreset/limit/per_user/* apply only to the number of requests for a password reset, not to the number of attempted logins.
