Login Protect overview

Login Protect provides an additional verification step for users accessing protected URLs, reducing the risk of unauthorized access due to compromised credentials. You can use the OAuth 2.0 Client Credentials flow scheme to securely authenticate your client application with the authorization server.

The API endpoint is: https://api.sitelock.com/v1/loginprotect

How it works

A user attempts to access a WAF-protected login page.
The WAF validates the primary credentials (username/password).
If the 2FA is enabled for the user and URLs, the WAF requires a secondary authentication method.
The user completes verification using the chosen method (for example, SMS OTP).
The user is granted access upon successful verification.

Supported verification methods

SMS one-time passcode (OTP)
Authenticator app

Eligibility

WAF-protected URLs that have Login Protect enabled
Accounts with a configured the 2FA method

API capabilities

Users can use the API to:

Provision and manage Login Protect users
Enable or disable 2FA per user
Configure URLs for 2FA enforcement
Manage Login Protect settings
Trigger SMS delivery for OTP verification

Base workflow

Configure Login Protect

Use the configuration endpoints to:
- Enable Login Protect
- Define the protected login URLs
- Set the global delivery and enforcement options
Provision users

Define which users should have access to protected URLs.

Create user and assign:
- Username
- Phone number (for SMS) and email (for the code delivery)
Enforce at Login Protect

When a configured user accesses protected URLs:
- WAF challenges the user for an OTP
- The OTP is validated before granting access

Endpoints

User management

loginProtectAddUser creates a new Login Protect user and enables 2FA.
loginProtectModifyUser updates user attributes, such as phone number or 2FA status.
loginProtectDeleteUser removes a user from Login Protect.

Verification

loginProtectSendSMS sends an OTP to the user’s registered phone number.

Configuration

loginProtectRetrieveConfig retrieves current Login Protect configuration settings.
loginProtectModifyConfig updates Login Protect settings.
loginProtectConfigApp configures authenticator app (OTP) settings.
loginProtectConfigAddUrl adds a URL where Login Protect enforcement is required.
loginProtectConfigDeleteUrl removes a URL from Login Protect enforcement.

Enforcement model

The requested URL matches a configured protected URL
The user exists in the Login Protect user database
2FA is enabled for the user
Login Protect is globally enabled

If any condition is not met, the WAF allows the login without a 2FA challenge.

Error handling

Common errors:

User not found
2FA not enabled for user
URL not configured for Login Protect
SMS delivery failure
Invalid or expired OTP

An error response returns a status code and error message for troubleshooting.

Phone numbers must be stored in the E.164 format.
OTP codes are time-limited and single-use.
Rate limiting is enforced on OTP requests.
Users should avoid logging OTP values.