Account lockout: failed login attempts

If a user repeatedly fails to log in through the /api/v1/password/login endpoint, their account is automatically locked after 10 failed attempts. A new failure is only counted as a fresh start (rather than added to the running total) when the time since the previous failed attempt is greater than the reset timeframe; otherwise, the attempts are cumulative. See the loginWithPassword operation for more details.

Can I configure these settings?

In short, no, you cannot.

The failed attempt counter is set at 10 and the reset timeframe is set for 5 minutes.

As of today, customers cannot configure these items.

Example flow

account lockout flow
User A

Failed login attempt. User tries again in 4 minutes. This counts as failed attempt 2/10.

User B

Failed login attempt. User tries again in 6 minutes. This counts as failed attempt 1/10.

User C locked out

Failed login attempt. The user then tries again every 4 minutes, for a total of 10 attempts. The user is locked out because the gap between attempts never exceeded the 5-minute reset timeframe.


What happens after a user is locked out?

When a user exceeds the maximum attempts (10), the profile is locked for 5 minutes before further actions can be taken. This means that unlocking the profile during those 5 minutes is not possible. However, after the 5 minutes are up, the user can try again.
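The counter, reset timeframe and lock described above, replayed for users A, B and C from the example flow. This is an added illustration, not the service's own code: the 10-attempt limit, 5-minute reset timeframe and 5-minute lock come from this page, while the class and method names, the timestamps in seconds, and the assumption that the count starts fresh once a lock expires are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

MAX_FAILED_ATTEMPTS = 10     # from the page: locked after 10 failed attempts
RESET_TIMEFRAME_S = 5 * 60   # from the page: gap must be greater than this to reset
LOCK_DURATION_S = 5 * 60     # from the page: profile locked for 5 minutes


@dataclass
class _State:
    failures: int = 0
    last_failure_at: Optional[float] = None
    locked_until: Optional[float] = None


@dataclass
class LockoutTracker:
    """Hypothetical server-side tracker modelling the page's lockout rule."""
    _states: Dict[str, _State] = field(default_factory=dict)

    def is_locked(self, user: str, now: float) -> bool:
        st = self._states.get(user)
        return st is not None and st.locked_until is not None and now < st.locked_until

    def record_failure(self, user: str, now: float) -> Tuple[int, bool]:
        """Register a failed password login at `now` (seconds); returns (count, locked)."""
        st = self._states.setdefault(user, _State())
        if self.is_locked(user, now):
            # Page: nothing can be done during the lock, so the attempt is not counted.
            return st.failures, True
        if st.locked_until is not None and now >= st.locked_until:
            # Lock expired; assumption: the user starts again with a fresh count.
            st.failures, st.locked_until = 0, None
        if st.last_failure_at is None or now - st.last_failure_at > RESET_TIMEFRAME_S:
            st.failures = 1          # gap exceeded the reset timeframe: fresh start (user B)
        else:
            st.failures += 1         # within the timeframe: cumulative (users A and C)
        st.last_failure_at = now
        if st.failures >= MAX_FAILED_ATTEMPTS:
            st.locked_until = now + LOCK_DURATION_S
            return st.failures, True
        return st.failures, False


def example_flow() -> Dict[str, Tuple[int, bool]]:
    """Replays users A, B and C from the page's example flow (constructed timings)."""
    tracker = LockoutTracker()
    tracker.record_failure("A", 0); a = tracker.record_failure("A", 4 * 60)   # 2/10
    tracker.record_failure("B", 0); b = tracker.record_failure("B", 6 * 60)   # 1/10
    for i in range(MAX_FAILED_ATTEMPTS):                                      # every 4 min
        c = tracker.record_failure("C", i * 4 * 60)                           # 10/10, locked
    return {"A": a, "B": b, "C": c}
```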