From cb42900bed2c42d8e2001c8cdc5ff500c48b14d3 Mon Sep 17 00:00:00 2001
From: Andy Butland
Date: Tue, 6 May 2025 06:43:17 +0200
Subject: [PATCH] Added details of security settings backported to 13

---
 .../reference/configuration/securitysettings.md | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/13/umbraco-cms/reference/configuration/securitysettings.md b/13/umbraco-cms/reference/configuration/securitysettings.md
index dcfa5ade40f..d8fb2fb2171 100644
--- a/13/umbraco-cms/reference/configuration/securitysettings.md
+++ b/13/umbraco-cms/reference/configuration/securitysettings.md
@@ -40,7 +40,9 @@ A full configuration with all default values can be seen here:
 },
 "UserDefaultLockoutTimeInMinutes": 43200,
 "MemberDefaultLockoutTimeInMinutes": 43200,
-"AllowConcurrentLogins": false
+"AllowConcurrentLogins": false,
+"UserDefaultFailedLoginDurationInMilliseconds": 1000,
+"UserMinimumFailedLoginDurationInMilliseconds": 250
 }
 }
 }
@@ -136,3 +138,9 @@ The default lockout time for users is 30 days (43200 minutes).
 ## Allow concurrent logins
 
 When set to `false`, any user account is prevented from having multiple simultaneous sessions. In this mode, only one session per user can be active at any given time. This enhances security and prevents concurrent logins with the same user credentials.
+
+### User login duration
+
+Umbraco provides protection from user enumeration attacks looking to identify valid backoffice login accounts. It does this by attempting to equalize the time taken for successful and failed logins.
+
+The `UserDefaultFailedLoginDurationInMilliseconds` can be used to provide a more realistic expected time for a successful login if the default isn't appropriate. This will be used before actual successful logins are detected. `UserMinimumFailedLoginDurationInMilliseconds` provides a minimum duration for a failed login.