Criipto Verify Rate Limiting
Criipto Verify applies rate limits on two different levels:
- On a service-wide level, DoS and DDoS protection mechanisms are enforced
- On a per-user level, limits to the number of allowed single sign-on requests are enforced
Note that we do not share the details of the DoS and DDoS protection, but below is more about the limits to single sign-on requests
Single sign-on (SSO) limits
Criipto Verify has two per-user rate limits for how many SSO attempts that can be performed.
- High-frequency guard: Maximum 2 SSO’s per 5 seconds.
- Low-frequency guard: Maximum 6 SSO’s per 20 minutes.
The high-frequency guard protects against sudden spikes in traffic, while the low-frequency guard protects against long-running repeated SSO attempts.
The settings for the high-frequency limit is chosen so it is possible to have a “mash-up” of websites where you must establish sessions in rapid succession after the interactive login, but also ensures that any given user cannot abuse the service.
The settings for the low-frequency guard is chosen to ensure that, say, broken infrastructure in client deployments do not accidentally trigger an excessive load on the service. Such errors can trigger a very large load on the service when the simultaneous number of users becomes very large.
Should a user exceed any of the limits, the service will respond with a 429
HTTP status code (aka Too Many Requests
). The user’s session will not be terminated if a limit is hit.