Logging incomplete login attempts

In Blitz Identity Provider, every event is logged once the process that caused it has finished. For most events this is acceptable, because the processes are short-lived.

Among the recorded events, some of the most important are those related to user login. If the login succeeds, a security event is written at the very end of the login process, recording who logged in, from where and when, which authentication methods were used, the IP address, the User-Agent and many other details.

The login process can be complex, depending on how it was configured during implementation. Entering a username and password is not always enough: an additional login confirmation may be required, or during login the user may interact with auxiliary applications (pipes), for example to update a contact, configure a passkey, or answer whether they trust the device/browser. If the user abandons the login at any point in this process, the process is never completed, and as a result no audit event is created for it. Depending on where this happens, that can be a security issue. If a user merely opened the login page and entered neither a username nor a password, such an event is of little interest in the security log. But if the user entered the correct username and password and then reached a login confirmation screen that they did not pass, that is worth recording: perhaps an attacker was brute-forcing the password, guessed it successfully, but could not pass the second authentication factor. A security event would make this situation visible if it were recorded and analyzed.

To enable logging of unsuccessful (incomplete) logins, add the following parameters to the blitz.prod.local.idp.login settings block:

  • postponeEnabled - true to enable the mechanism;

  • postponeTtl - time in seconds after which a pending (postponed) audit event is written if the login has still not been completed.

If RabbitMQ is used to process tasks, you must also create an additional queue named <main queue name>-postpone alongside the main task queue and set the following arguments on it:

x-dead-letter-exchange = <exchange in use>
x-dead-letter-routing-key = <main queue>

You also need to bind the created queue to the exchange in use. The dead-letter routing key must match the routing key under which the main task queue is bound, otherwise expired postponed tasks will not reach the main queue and the incomplete-login events will never be written.
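The queue setup described above, as an added example written with the pika client library; it is not part of Blitz Identity Provider's own code or documentation. The queue and exchange names (blitz-tasks, blitz), the broker address, the durable flag and the routing key used for the binding of the postpone queue are assumptions not stated on the page; adjust them to the names used in your installation, and keep the dead-letter routing key equal to the main queue's own binding key.

```python
"""Create the "<main queue name>-postpone" RabbitMQ queue that Blitz Identity
Provider uses for postponed (incomplete-login) audit events.

Added example, not Blitz IdP's own code.  Assumed, not from the page:
the main task queue is "blitz-tasks", the exchange in use is "blitz", the
main queue is bound with routing key "blitz-tasks", and the broker runs on
localhost.  The postpone queue is bound with its own name as routing key.
"""

MAIN_QUEUE = "blitz-tasks"  # assumed name of the main task queue
EXCHANGE = "blitz"          # assumed name of the exchange in use


def postpone_queue_name(main_queue: str) -> str:
    """Name required by Blitz IdP: '<main queue name>-postpone'."""
    return f"{main_queue}-postpone"


def postpone_queue_arguments(main_queue: str, exchange: str) -> dict:
    """Queue arguments from the documentation: when a postponed task expires,
    RabbitMQ dead-letters it to the exchange in use with the main queue's
    routing key, so the normal task consumers process the audit event."""
    return {
        "x-dead-letter-exchange": exchange,
        "x-dead-letter-routing-key": main_queue,
    }


def declare_postpone_queue(channel, main_queue: str, exchange: str) -> str:
    """Declare the postpone queue with its dead-letter arguments and bind it
    to the exchange.  `channel` is a pika BlockingChannel or any object with
    the same queue_declare/queue_bind methods.  Returns the queue name."""
    name = postpone_queue_name(main_queue)
    channel.queue_declare(
        queue=name,
        durable=True,  # assumption: match the durability of the main queue
        arguments=postpone_queue_arguments(main_queue, exchange),
    )
    # Assumption: bind with the queue's own name as routing key.
    channel.queue_bind(queue=name, exchange=exchange, routing_key=name)
    return name


def main() -> None:
    # pika is imported here so the helpers above can be used without a broker.
    import pika

    params = pika.ConnectionParameters(host="localhost")  # assumed broker
    with pika.BlockingConnection(params) as conn:
        ch = conn.channel()
        try:
            name = declare_postpone_queue(ch, MAIN_QUEUE, EXCHANGE)
        except pika.exceptions.ChannelClosedByBroker as exc:
            # 406 PRECONDITION_FAILED: a queue with this name already exists
            # but with different arguments; RabbitMQ will not change them in
            # place, so delete and recreate it or fix the arguments.
            raise SystemExit(
                f"queue declaration rejected: {exc.reply_code} {exc.reply_text}"
            )
        print(f"declared and bound {name}")


if __name__ == "__main__":
    main()
```

Run it once against the broker used by Blitz IdP. If the queue already exists with different arguments, the broker rejects the declaration with 406 PRECONDITION_FAILED instead of silently keeping the old arguments, which is why the script reports that case explicitly rather than assuming success.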