Account Lockout Policy
Protect your application from brute force attacks by automatically locking accounts after repeated failed login attempts.
How It Works
When enabled, the lockout policy tracks failed login attempts for each user. After reaching the maximum number of failed attempts within the reset window, the account is temporarily locked.
Lockout Flow
- User enters incorrect password
- Failed attempt is logged with timestamp and IP
- If attempts exceed threshold within reset window → account locked
- User sees "Account temporarily locked" message
- Account auto-unlocks after lockout duration expires
- Admin can manually unlock account before expiration
Configuration
Lockout Policy Settings
| Setting | Default | Description |
|---|---|---|
| enabled | true | Enable/disable lockout policy |
| maxAttempts | 5 | Max failed attempts before lockout |
| lockoutDuration | 900 (15 min) | How long account stays locked (seconds) |
| resetAfter | 3600 (1 hour) | Time window to reset attempt counter (seconds) |
Configuration Example
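The following is an added illustration, not the product's own configuration or code: an in-memory implementation of the lockout flow and settings described above, so the interaction between maxAttempts, resetAfter and lockoutDuration can be traced step by step. The class and method names (LockoutTracker, recordFailure, unlock, loginMessage) are assumptions chosen for this example.

```typescript
// Added example (not the product's code): lockout policy with the four
// settings from the table above. All names are illustrative assumptions.

interface LockoutPolicy {
  enabled: boolean;
  maxAttempts: number;     // failed attempts before the account locks
  lockoutDuration: number; // seconds the account stays locked
  resetAfter: number;      // seconds after which old failures stop counting
}

const DEFAULT_POLICY: LockoutPolicy = {
  enabled: true,
  maxAttempts: 5,
  lockoutDuration: 900,
  resetAfter: 3600,
};

interface FailedAttempt { at: number; ip: string; } // at = epoch seconds

interface AccountState {
  attempts: FailedAttempt[];
  lockedUntil?: number; // epoch seconds; undefined when not locked
}

class LockoutTracker {
  private policy: LockoutPolicy;
  private accounts: Map<string, AccountState> = new Map();

  constructor(policy: LockoutPolicy = DEFAULT_POLICY) { this.policy = policy; }

  /** True while the account is locked at time `now`; expiry auto-unlocks. */
  isLocked(user: string, now: number): boolean {
    const s = this.accounts.get(user);
    return s !== undefined && s.lockedUntil !== undefined && now < s.lockedUntil;
  }

  /** Log a failed attempt (timestamp + IP). Returns whether the account is locked afterwards. */
  recordFailure(user: string, ip: string, now: number): boolean {
    if (!this.policy.enabled) return false;
    if (this.isLocked(user, now)) return true;
    const s = this.accounts.get(user) || { attempts: [] };
    // Attempts older than the reset window no longer count.
    s.attempts = s.attempts.filter(a => now - a.at < this.policy.resetAfter);
    s.attempts.push({ at: now, ip });
    if (s.attempts.length >= this.policy.maxAttempts) {
      s.lockedUntil = now + this.policy.lockoutDuration;
      s.attempts = [];
    }
    this.accounts.set(user, s);
    return this.isLocked(user, now);
  }

  /** A successful login clears the counter. */
  recordSuccess(user: string): void { this.accounts.delete(user); }

  /** Admin override: clear lock and counter before the lockout expires. */
  unlock(user: string): void { this.accounts.delete(user); }

  /** Accounts currently locked, for a "view locked accounts" screen. */
  lockedAccounts(now: number): string[] {
    return Array.from(this.accounts.keys()).filter(u => this.isLocked(u, now));
  }
}

/** Message shown after a failed login. With user enumeration protection on,
 *  a locked account gets the same generic text as a wrong password. */
function loginMessage(locked: boolean, hideLockout: boolean): string {
  if (locked && !hideLockout) {
    return "Account locked due to multiple failed login attempts. Try again in 15 minutes or contact support.";
  }
  return "Invalid credentials";
}
```

Note that the reset window is applied before each new failure is counted, so four stale failures from an hour ago plus one fresh one do not lock the account; only maxAttempts failures inside one resetAfter window do.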
Monitoring Lockouts
View Locked Accounts
Manual Unlock
Login Attempt Tracking
All login attempts are logged for security monitoring:
Best Practices
✅ Use Reasonable Thresholds
5 attempts with 15-minute lockout works for most apps. Too strict (3 attempts) may frustrate legitimate users. Too lenient (10+ attempts) reduces effectiveness.
✅ Notify Users
Show clear messages: "Account locked due to multiple failed login attempts. Try again in 15 minutes or contact support."
✅ Provide Self-Service Recovery
Include password reset link in lockout message so users can recover without waiting.
✅ Monitor for Distributed Attacks
Per-account lockout stops single-IP attacks against one account. Attempts spread across many IPs and accounts stay below the per-account threshold, so also monitor the overall failed attempt rate.
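As an added example of the monitoring this practice calls for (not the product's own code), the function below runs over failed-attempt log records and raises an alert when a time window holds many failures spread across many IPs and accounts, even though no single account has reached maxAttempts. The log line format, the names and the sample lines are all constructed for this illustration.

```typescript
// Added example (not the product's code): spotting distributed guessing in
// the login attempt log. Line format and names are illustrative assumptions.

interface AttemptRecord {
  at: number;  // epoch seconds
  user: string;
  ip: string;
  ok: boolean;
}

// Constructed sample log: 12 accounts, 2 failures each from 12 different
// IPs inside one minute (no account reaches 5), plus one normal login.
const SAMPLE_LOG: string[] = [];
for (let i = 0; i < 12; i++) {
  const user = "user" + i;
  const ip = "198.51.100." + (i + 1);
  SAMPLE_LOG.push((1700000000 + i) + " login user=" + user + " ip=" + ip + " result=failure");
  SAMPLE_LOG.push((1700000020 + i) + " login user=" + user + " ip=" + ip + " result=failure");
}
SAMPLE_LOG.push("1700000050 login user=alice ip=203.0.113.7 result=success");

const LINE_RE = /^(\d+) login user=(\S+) ip=(\S+) result=(success|failure)$/;

function parseLine(line: string): AttemptRecord | null {
  const m = LINE_RE.exec(line.trim());
  if (!m) return null; // ignore lines that do not match the expected shape
  return { at: Number(m[1]), user: m[2], ip: m[3], ok: m[4] === "success" };
}

interface RateAlert {
  windowStart: number;      // epoch seconds, start of the tumbling window
  failures: number;
  distinctIps: number;
  distinctUsers: number;
  accountsAtLockout: number; // accounts that reached maxAttempts in the window
}

function distributedAttackAlerts(
  lines: string[],
  windowSeconds: number,
  maxFailuresPerWindow: number,
  maxAttempts: number,
): RateAlert[] {
  // Group failures into tumbling windows keyed by window start time.
  const buckets: Map<number, AttemptRecord[]> = new Map();
  for (const line of lines) {
    const r = parseLine(line);
    if (!r || r.ok) continue;
    const start = Math.floor(r.at / windowSeconds) * windowSeconds;
    const b = buckets.get(start) || [];
    b.push(r);
    buckets.set(start, b);
  }
  const alerts: RateAlert[] = [];
  const starts = Array.from(buckets.keys()).sort((a, b) => a - b);
  for (const windowStart of starts) {
    const recs = buckets.get(windowStart) || [];
    if (recs.length <= maxFailuresPerWindow) continue;
    const perUser: Map<string, number> = new Map();
    for (const r of recs) perUser.set(r.user, (perUser.get(r.user) || 0) + 1);
    alerts.push({
      windowStart,
      failures: recs.length,
      distinctIps: new Set(recs.map(r => r.ip)).size,
      distinctUsers: perUser.size,
      accountsAtLockout: Array.from(perUser.values()).filter(n => n >= maxAttempts).length,
    });
  }
  return alerts;
}
```

With a 60-second window and a threshold of 10 failures, the sample produces one alert with 24 failures across 12 IPs and 12 accounts and zero accounts at lockout, which is exactly the pattern per-account lockout alone never reports.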
✅ Admin Override Available
Ensure admins have manual unlock capability for legitimate users who need immediate access.
⚠️ Don't Reveal Lockout in Error
If user enumeration protection is enabled, show generic "Invalid credentials" instead of "Account locked" to prevent account discovery.
Common Scenarios
Scenario: Forgotten Password
User tries several passwords → locked out
Solution: Show password reset link on lockout message
Scenario: Brute Force Attack
Attacker tries many passwords → locked after 5 attempts
Protection: The attack is stopped. Every 5 guesses cost a 15-minute lockout, which is far too slow for password guessing to be effective.
Scenario: Accidental Lockout
Legitimate user locked out, needs immediate access
Solution: Admin manually unlocks via SecuritySettings or API