Hi dev community,
BF Protection works like a charm for web applications.
I have a very specific requirement to configure BF protection for mobile applications. What possibilities do we have to protect a mobile application from brute force while we do not have a mobile SDK license and the authentication method used in the mobile app is JWT (JSON Web Token)?
What kind of brute force attacks do you expect on this authentication method?
You could configure the BIG-IP to validate the JWT token. I am guessing now - is the mobile app accessing some kind of API and the JWT is used for authentication? Then maybe you want to look at APM and API Protection. You can do token validation and rate limiting with API Protection.
Link: API Protection Concepts
Another good read on JWT is this one: JWT: A How Not to Guide
I hope this is a good starting point for you.
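As an added illustration of the two controls this reply mentions, validating the JWT and rate limiting the API, here is a small Python gateway-style check (example code written for this thread, not F5's code and not a BIG-IP configuration). It assumes HS256 with a constructed shared key and a hypothetical per-source sliding-window limit; the helper names are made up for the example.

```python
import base64
import hashlib
import hmac
import json
from collections import defaultdict, deque

# Constructed demo key; a real deployment obtains this from the token issuer.
SECRET = b"constructed-demo-signing-key"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_token(payload: dict, secret: bytes) -> str:
    """Issue an HS256 JWT (only here so the example is self-contained)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(payload).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def verify_hs256(token: str, secret: bytes, now: float):
    """Return the payload if signature and expiry check out, else None."""
    try:
        header, body, sig = token.split(".")
        if json.loads(_b64url_decode(header)).get("alg") != "HS256":
            return None  # pin the algorithm; never let the token choose it
        expected = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        payload = json.loads(_b64url_decode(body))
        return payload if payload.get("exp", 0) > now else None
    except (ValueError, AttributeError, TypeError):
        return None  # malformed token counts as invalid, not as an error

class SlidingWindowLimiter:
    """Allow at most `limit` requests per `window` seconds for each key."""
    def __init__(self, limit: int, window: float):
        self.limit, self.window = limit, window
        self.events = defaultdict(deque)
    def allow(self, key: str, now: float) -> bool:
        q = self.events[key]
        while q and q[0] <= now - self.window:
            q.popleft()  # drop timestamps that fell out of the window
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True

def handle_request(token: str, client_ip: str, now: float, limiter) -> int:
    """Rate limit by source first (cheap), then validate the token: 429 / 401 / 200."""
    if not limiter.allow(client_ip, now):
        return 429
    return 200 if verify_hs256(token, SECRET, now) else 401
```

Limiting by source address before signature checking means a client sending the hundred-plus requests per second described in this thread is cut off without the API ever seeing them.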
I have noticed on the mobile application that I could see more than 100 hits per second, making the application unavailable. Yes, the mobile app is using an API and JWT is used for authentication. I am unable to define the login page because there is no username or password element that I could figure out. Definitely, I will look at API Protection.