User lockouts

If a user repeatedly tries to log and fails, you can configure it so that they are automatically locked out after reaching the configured attempt threshold. After reaching this threshold, users are locked out for the duration you define in the ReachFive Console.

Users can still authenticate to your site via passwordless methods (such as SMS, social login, or biometrics). However, the user profile lock still remains and the configured duration and count are not reset.

Affected endpoints

What happens after a user is locked out?

When a user exceeds the maximum attempts, they are locked out for the configured duration set in the ReachFive Console and their user profile is assigned the lockout_end_date profile field to specify when the account lockout ends.

A user event is also triggered each time a user’s account is locked. This event emits the type: profile_lockout. For more, see User Events.

If the date is in the future, the user is locked out.
If the date is in the past, the lockout is over and the user is not locked out.
If the user has never been locked out, the field is empty.

They may request to reset their password during this lockout period. If the password is reset successfully, the lockout is removed and the user can login again.

Though the user can try to login again after the configured duration, another failed login attempt (configured in the ReachFive Console) results in the next lockout lasting double the amount of time of the initial configured lockout period to a maximum of 24 hours. After the lockout period reaches 24 hours, then each subsequent duration is also 24 hours.

Configure User lockout

You can configure the User lockout directly in the ReachFive Console. The default settings are 5 failed login attempts and 5 minutes lockout.

user lockout console

Go to Settings Security User lockout.
Set the Number of allowed failed attempts.

This is the number of times a user can have a failed login before being locked out of their account.

Set the First lockout duration. This is the initial lockout period (in minutes).

If a user has another subsequent failed login attempt after the initial lockout period, the time set here doubles up to a maximum of 24 hours. After the lockout period reaches 24 hours, then each subsequent duration is also 24 hours.

Don’t forget to Save your input.

Lockout flow

In the example flow here, the following is configured:

Number of allowed failed attempts: 3
First lockout duration: 5 minutes

Scenarios

Here are a few different user scenarios to see when users are locked out.

Number of allowed failed attempts: 5
First lockout duration: 7 minutes

Mehdi: Three failed login attempts. The 4th attempt is successful. No lockout.
Thomas: Five failed login attempts. The 6th attempt is successful. No lockout.
Alex locked out: Six failed login attempts. The user is locked out for 7 minutes.
Francois locked out 2x: Six failed login attempts. The user is locked out for 7 minutes. He tries again after the 7 minutes and fails. He is now locked out for 14 minutes.
Marion locked out ⇒: Six failed login attempts. The user is locked out for 7 minutes. She resets her password during this time and successfully logs in with the new password. She’s unblocked at this point.