Customization of the Anti-hammering Protection

The anti-hammering protection counts the number of unsuccessful authentication attempts and applies a penalty after a defined threshold of attempts.

For each authentication failure, the error counter is incremented. When a user authenticates successfully, the error counter is reset. After the fifth unsuccessful attempt, a waiting period starts. During that waiting period, no authentication requests are possible.

If an authentication request occurs during the waiting period, an error is returned and a toast is displayed to indicate the remaining time. The rendering to the toast consists of a customizable string in which the %_REMAINING_TIME_% mask is replaced by the remaining time in seconds. The waiting period is increased progressively, starting at 30 seconds and multiplied by two for each attempt.

After the fifth unsuccessful attempt, it is not possible to perform an authentication for 30 seconds; the user must wait one minute after the sixth unsuccessful attempt; after the seventh unsuccessful attempt, the user must wait two minutes etc.

After the 10th wrong attempt, all registrations of the used ASM are deleted (except Native Biometric Authentication ASM registered with Face ID for iOS ). An error is returned and a toast is displayed to inform the user.

Tutorial App Anti-Hammering—Lock Dialog on Android and iOS

Anti-hammering on Android

For Android only, the anti-hammering protection is not responsible for a possible time penalty when biometric authentication is used. The time penalty is handled by the device-native biometry function on which anti-hammering relies.

After 5 failed attempts, a popup with the lockout message Too many wrong attempts to authenticate is displayed. Then, the biometric sensor is disabled by the system for 30 seconds and the USER_LOCKOUT error code is sent to the FIDO Server.

Some specific biometric methods such as Face Recognition can be locked permanently after five failed attempts. After that, each subsequent attempt results in sending the USER_LOCKOUT code to the server. To unlock it you have to type your PIN/password on your device's login page.

If the next authentication attempt is made during that 30-second period then the USER_LOCKOUT code is sent again. After the next 5 failed attempts (10 failed attempts in total) a popup with information about the removed Biometric ASM message is displayed - "The authentication method you previously set up has been removed for your protection. Please re-register to use it again." Finally, the KEY_DISAPPEARED_PERMANENTLY error code is sent to the FIDO Server.

Error customization keys

The following keys are available to customize the errors:

Tutorial App Anti-Hammering—Customization
Key Default text Description
vds_asm_common_text_error_remaining_time The authenticator is locked for REMAINING_TIME seconds, retry later. Text for the remaining time in case of USER_LOCKOUT
vds_asm_common_text_error_key_disappeared_permanently The authenticator has been removed and cannot be used anymore. Text to display in case of KEY_DISAPPEARED_PERMANENTLY