Can I prevent a password brute force attack through self-service?
The self-service itself does not have any lockout rules which would apply when too many attempts for login have been noticed. This has to be configured according to our documentation.
The UCR variables
umc/self-service/passwordreset/limit/per_user/* only apply to the number of requests for a password reset, but not to the number of attempted logins.