Confluent Cloud Security Protections for Authentication
Confluent monitors authentication attempts to Confluent Cloud local user accounts to detect anomalies and protect your Confluent Cloud resources from unauthorized access. When suspicious behavior is detected, Confluent uses the following security protections to safeguard your Confluent Cloud resources.
Detect compromised passwords
When an attempt is made to sign in to Confluent Cloud using a local user account, Confluent monitors the attempt and, during sign-in, compares the user credentials (an email address and password combination) against a list of known compromised user credentials. If the credentials match a known compromised email address and password combination, the user is blocked from signing in and is required to reset their password.
Because users sometimes reuse the same email address and password across multiple websites and services, attackers often take compromised user credentials obtained from a security breach or data leak at one website or service and try them against other websites or services. By comparing a user’s credentials against the list of known compromised user credentials, Confluent can detect and prevent unauthorized access to Confluent Cloud user accounts and resources.
Confluent never stores user passwords in plain text.
Upon detecting compromised user credentials, Confluent performs the following steps:
- The user account is blocked until the password is reset.
- The user receives an email notification informing them about the risk and instructing them to reset their password to regain access to their account. The message includes a password reset link that is valid for one hour.
Prevent brute force attacks
In an effort to gain access to Confluent Cloud user accounts and resources, attackers sometimes use brute force attacks to repeatedly attempt to sign in to user accounts. Brute force attacks are typically automated and systematically work through a dictionary of possible passwords to find the correct password for a user account.
To prevent brute force attacks, Confluent tracks the number of failed sign-in attempts to a Confluent Cloud user account from a specific IP address. After the threshold for failed sign-in attempts is exceeded, the suspicious IP address is blocked from signing in to Confluent Cloud. The user can reset the password for their account to unblock the specific IP address, or contact Confluent Support to unblock the IP address.
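The two protections described above, modelled as an added example that is not Confluent's code: a sign-in monitor that first checks the presented email and password against a list of known compromised pairs (kept as hashes rather than plaintext), then verifies the password against a salted verifier, and counts failures per source IP address, blocking the IP once a threshold is exceeded and releasing the block when the user resets their password. The one-hour reset-link validity comes from the page; the threshold of 5 failures, the 10-minute sliding window, the hashed-list format, the account and event data, and all function and class names are assumptions constructed for the example.

```python
import hashlib
import hmac
import os
from collections import defaultdict, deque
from typing import Optional

# Parameters. RESET_LINK_TTL_SECONDS (one hour) is stated on the page; the
# threshold and window are assumptions made for this example.
FAILED_ATTEMPT_THRESHOLD = 5
FAILED_ATTEMPT_WINDOW_SECONDS = 600
RESET_LINK_TTL_SECONDS = 3600
_PBKDF2_ITERATIONS = 10_000


def credential_fingerprint(email: str, password: str) -> str:
    """Hash an (email, password) pair so the compromised list and the lookup
    never handle the password in plain text. The email is normalized so case
    differences do not defeat the match."""
    pair = f"{email.strip().lower()}:{password}".encode("utf-8")
    return hashlib.sha256(pair).hexdigest()


def password_verifier(password: str, salt: Optional[bytes] = None) -> tuple:
    """Salted PBKDF2 verifier for the account store (no plaintext at rest)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, _PBKDF2_ITERATIONS)
    return salt, digest


class SignInMonitor:
    def __init__(self, accounts: dict, compromised_pairs: list):
        # accounts maps email -> password; each is hashed immediately and the plaintext dropped.
        self._verifiers = {e.lower(): password_verifier(p) for e, p in accounts.items()}
        self._compromised = frozenset(credential_fingerprint(e, p) for e, p in compromised_pairs)
        self._failures = defaultdict(deque)   # ip -> timestamps of recent failed attempts
        self._blocked_ips = set()
        self._locked_accounts = set()         # accounts awaiting a password reset

    def sign_in(self, ts: int, ip: str, email: str, password: str) -> dict:
        email = email.strip().lower()
        if ip in self._blocked_ips:
            return {"allowed": False, "reason": "ip_blocked"}
        if email in self._locked_accounts:
            return {"allowed": False, "reason": "password_reset_required"}

        # The compromised-credential check runs before the password check: a
        # leaked pair is blocked even when it is still the account's current password.
        if credential_fingerprint(email, password) in self._compromised:
            self._locked_accounts.add(email)
            return {"allowed": False, "reason": "compromised_credentials",
                    "notify": email, "reset_link_ttl_seconds": RESET_LINK_TTL_SECONDS}

        if self._password_ok(email, password):
            return {"allowed": True, "reason": "ok"}

        # Failed attempt: count it against the source IP within the sliding window.
        window = self._failures[ip]
        window.append(ts)
        while window and ts - window[0] > FAILED_ATTEMPT_WINDOW_SECONDS:
            window.popleft()
        if len(window) >= FAILED_ATTEMPT_THRESHOLD:
            self._blocked_ips.add(ip)
            return {"allowed": False, "reason": "ip_blocked", "failed_attempts": len(window)}
        return {"allowed": False, "reason": "bad_credentials", "failed_attempts": len(window)}

    def _password_ok(self, email: str, password: str) -> bool:
        stored = self._verifiers.get(email)
        if stored is None:
            return False  # unknown account counts as a failed attempt for the IP
        salt, digest = stored
        _, candidate = password_verifier(password, salt)
        return hmac.compare_digest(candidate, digest)

    def reset_password(self, email: str, new_password: str, from_ip: Optional[str] = None) -> None:
        """Completing a reset unlocks the account and, as the page describes,
        unblocks the IP address the user was signing in from."""
        email = email.strip().lower()
        self._verifiers[email] = password_verifier(new_password)
        self._locked_accounts.discard(email)
        if from_ip is not None:
            self._blocked_ips.discard(from_ip)
            self._failures.pop(from_ip, None)


def run_demo() -> list:
    """Constructed scenario: one leaked pair, then a guessing run from a single IP."""
    monitor = SignInMonitor(
        accounts={"alice@example.com": "Correct-Horse-9!", "bob@example.com": "S3cure-Pass"},
        compromised_pairs=[("bob@example.com", "S3cure-Pass")],  # constructed leaked pair
    )
    events = [
        (0, "203.0.113.5", "Bob@Example.com", "S3cure-Pass"),           # leaked pair -> account locked
        (1, "203.0.113.5", "bob@example.com", "S3cure-Pass"),           # still locked pending reset
        (10, "198.51.100.7", "alice@example.com", "guess-1"),
        (11, "198.51.100.7", "alice@example.com", "guess-2"),
        (12, "198.51.100.7", "alice@example.com", "guess-3"),
        (13, "198.51.100.7", "alice@example.com", "guess-4"),
        (14, "198.51.100.7", "alice@example.com", "guess-5"),           # 5th failure -> IP blocked
        (15, "198.51.100.7", "alice@example.com", "Correct-Horse-9!"),  # right password, IP still blocked
        (16, "192.0.2.9", "alice@example.com", "Correct-Horse-9!"),     # a different IP is unaffected
    ]
    results = [monitor.sign_in(*e)["reason"] for e in events]
    # The user resets the password, which also unblocks the IP they were using.
    monitor.reset_password("alice@example.com", "New-Passphrase-42", from_ip="198.51.100.7")
    results.append(monitor.sign_in(20, "198.51.100.7", "alice@example.com", "New-Passphrase-42")["reason"])
    return results


if __name__ == "__main__":
    for reason in run_demo():
        print(reason)
```

The ordering matters: the compromised-pair check runs before password verification, so a leaked pair is refused even when it is still the account's valid password, which is exactly the case the protection exists for. The per-IP counter is only advanced on failures, so an attacker cannot be locked out by a legitimate user's successes, and the block is keyed to the source IP rather than the account so a victim signing in from elsewhere is not affected.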
Throttle suspicious IP addresses
If a malicious actor rapidly attempts to sign in to a Confluent Cloud user account, or to sign up for Confluent Cloud user accounts, from a specific IP address and exceeds the limit on login attempts, that IP address is blocked from signing in to Confluent Cloud and to the Confluent Support Portal. If the user signs in to the Confluent Support Portal with different credentials, that password must be reset separately on the Support Portal to regain access to it.
Prevent automated sign-up attempts
To prevent automated sign-up attempts, Confluent uses reCAPTCHA, which applies an advanced risk analysis engine to keep automated software from engaging in suspicious activities on websites. When a user attempts to sign up for a Confluent Cloud user account, Confluent uses reCAPTCHA to verify that the user is a human and not a bot. If a bot is detected, the user is blocked from signing up for a Confluent Cloud user account.
If a user fails the reCAPTCHA verification, an error message (“Unable to resolve reCAPTCHA to complete sign-up.”) displays in the sign-up form.
If you are not using automation and continue to see the error message, try the following steps to resolve the error:
- Refresh the page and try to complete sign-up again.
- Update your web browser, or try a different web browser. Your current web browser might be outdated.
- Change your network connection. You might be on a shared network that is being used maliciously.
If none of these steps work, please contact Confluent Support to assist with your sign-up.