Added details of security settings backported to 13 (#7068)

AndyButland · web-flow · commit 29f1feca497a · 2025-05-06T07:36:22.000+02:00
diff --git a/13/umbraco-cms/reference/configuration/securitysettings.md b/13/umbraco-cms/reference/configuration/securitysettings.md
@@ -40,7 +40,9 @@ A full configuration with all default values can be seen here:
       },
       "UserDefaultLockoutTimeInMinutes": 43200,
       "MemberDefaultLockoutTimeInMinutes": 43200,
-      "AllowConcurrentLogins": false
+      "AllowConcurrentLogins": false,
+      "UserDefaultFailedLoginDurationInMilliseconds": 1000,
+      "UserMinimumFailedLoginDurationInMilliseconds": 250
     }
   }
 }
@@ -136,3 +138,9 @@ The default lockout time for users is 30 days (43200 minutes).
 ## Allow concurrent logins
 
 When set to `false`, any user account is prevented from having multiple simultaneous sessions. In this mode, only one session per user can be active at any given time. This enhances security and prevents concurrent logins with the same user credentials.
+
+### User login duration
+
+Umbraco provides protection from user enumeration attacks looking to identify valid backoffice login accounts. It does this by attempting to equalize the time taken for successful and failed logins.
+
+The `UserDefaultFailedLoginDurationInMilliseconds` can be used to provide a more realistic expected time for a successful login if the default isn't appropriate. This will be used before actual successful logins are detected. `UserMinimumFailedLoginDurationInMilliseconds` provides a minimum duration for a failed login.

Original file line number	Diff line number	Diff line change
`@@ -40,7 +40,9 @@ A full configuration with all default values can be seen here:`
`40`	`40`	`},`
`41`	`41`	`"UserDefaultLockoutTimeInMinutes": 43200,`
`42`	`42`	`"MemberDefaultLockoutTimeInMinutes": 43200,`
`43`		`- "AllowConcurrentLogins": false`
	`43`	`+ "AllowConcurrentLogins": false,`
	`44`	`+ "UserDefaultFailedLoginDurationInMilliseconds": 1000,`
	`45`	`+ "UserMinimumFailedLoginDurationInMilliseconds": 250`
`44`	`46`	`}`
`45`	`47`	`}`
`46`	`48`	`}`
`@@ -136,3 +138,9 @@ The default lockout time for users is 30 days (43200 minutes).`
`136`	`138`	`## Allow concurrent logins`
`137`	`139`
`138`	`140`	When set to `false`, any user account is prevented from having multiple simultaneous sessions. In this mode, only one session per user can be active at any given time. This enhances security and prevents concurrent logins with the same user credentials.
	`141`	`+`
	`142`	`+### User login duration`
	`143`	`+`
	`144`	`+Umbraco provides protection from user enumeration attacks looking to identify valid backoffice login accounts. It does this by attempting to equalize the time taken for successful and failed logins.`
	`145`	`+`
	`146`	+The `UserDefaultFailedLoginDurationInMilliseconds` can be used to provide a more realistic expected time for a successful login if the default isn't appropriate. This will be used before actual successful logins are detected. `UserMinimumFailedLoginDurationInMilliseconds` provides a minimum duration for a failed login.