ASM Brute Force login mitigation with Captcha
I have a question regarding the ASM brute force login mitigation feature using captchas. Based on the failed logins setting, the user gets challenged with a captcha. After solving the captcha successfully, the user gets redirected back to the login page. Entering the correct credentials this time forces another captcha challenge! If this is solved successfully, the user is allowed to enter the website.
I can't understand this last captcha challenge because the user has entered the correct credentials before. He shouldn't be challenged again at this point.
The sequence when using captchas is not documented in that much detail, so could it be that the last captcha is one too many? Has anyone had a similar experience, or does anyone know how ASM should work at this stage?
Tested with versions 13.1.1.2 and 14.1.
Rgds, Peter