2.2.1 Anti-automation controls are effective at attacksΒΆ

Verify that anti-automation controls are effective at mitigating breached credential testing, brute force, and account lockout attacks. Such controls include blocking the most common breached passwords, soft lockouts, rate limiting, CAPTCHA, ever increasing delays between attempts, IP address restrictions, or risk-based restrictions such as location, first login on a device, recent attempts to unlock the account, or similar. Verify that no more than 100 failed attempts per hour is possible on a single account.

Level 1 X
Level 2 X
Level 3 X
CWE NIST
307 5.2.2 / 5.1.1.2 / 5.1.4.2 / 5.1.5.2