Account lockout: failed login attempts
If a user repeatedly tries to log in on the /api/v1/password/login
endpoint and fails, their account is automatically locked after 10
failed attempts. When the time between two failed attempts is greater than the reset timeframe, the later attempt starts the count again instead of adding to it. Otherwise, the attempts are cumulative.
See the loginWithPassword operation for more details.
Example (reset timeframe = 5 minutes):
- User A: Failed login attempt. User tries again in 4 minutes. This counts as failed attempt 2/10.
- User B: Failed login attempt. User tries again in 6 minutes. This counts as failed attempt 1/10.
- User C (locked out): Failed login attempt. User tries again repeatedly every 4 minutes for a total of 10 attempts. The user is locked out as they did not let the reset timeframe ever reach 5 minutes.
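The counting rule above, replayed for Users A, B and C as an added example (not the product's own code). The names `LockoutState`, `record_failed_login` and `replay` are hypothetical, and the sketch assumes that failed attempts against an already locked account change nothing; successful logins and unlocking are not modelled because the page does not describe them.

```python
from dataclasses import dataclass
from typing import Optional

MAX_FAILED_ATTEMPTS = 10      # from the page: lock after 10 failed attempts
RESET_TIMEFRAME_S = 5 * 60    # the value used in the page's example


@dataclass
class LockoutState:           # hypothetical name, for illustration only
    failed_count: int = 0
    last_failure_at: Optional[float] = None
    locked: bool = False


def record_failed_login(state: LockoutState, now: float,
                        reset_timeframe_s: float = RESET_TIMEFRAME_S) -> LockoutState:
    """Apply one failed login at time `now` (seconds) and return the state."""
    if state.locked:
        return state  # assumption: a locked account ignores further failures
    # The gap must be strictly greater than the reset timeframe for the count
    # to start over; a gap equal to the timeframe is still cumulative.
    if (state.last_failure_at is not None
            and now - state.last_failure_at > reset_timeframe_s):
        state.failed_count = 0
    state.failed_count += 1
    state.last_failure_at = now
    state.locked = state.failed_count >= MAX_FAILED_ATTEMPTS
    return state


def replay(failure_times_min):
    """Replay failed logins given as minutes since the first attempt."""
    state = LockoutState()
    for minute in failure_times_min:
        record_failed_login(state, minute * 60)
    return state


if __name__ == "__main__":
    # Constructed timelines matching the three users in the example.
    print("User A:", replay([0, 4]))                       # 2/10
    print("User B:", replay([0, 6]))                       # 1/10
    print("User C:", replay([4 * i for i in range(10)]))   # 10/10, locked
```

The strict `>` comparison is the detail to watch when reproducing this rule in a test or detection: a retry exactly 5 minutes after the previous failure still accumulates.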