User lockouts

If a user repeatedly tries to log in and fails, you can configure ReachFive to lock the account automatically once the configured attempt threshold is reached. After reaching this threshold, the user is locked out for the duration you define in the ReachFive Console.

Users can still authenticate to your site via passwordless methods (such as SMS, social login, or biometrics). However, the profile lock remains in place, and neither the configured duration nor the attempt count is reset.

What happens after a user is locked out?

When a user exceeds the maximum number of attempts, they are locked out for the duration configured in the ReachFive Console, and the lockout_end_date field on their user profile is set to the time at which the lockout ends.

A user event is also triggered each time a user’s account is locked. This event emits the type: profile_lockout. For more, see User Events.

  • If lockout_end_date is in the future, the user is locked out.

  • If lockout_end_date is in the past, the lockout is over and the user is not locked out.

  • If the user has never been locked out, the field is empty.

They may request a password reset during this lockout period. If the password is reset successfully, the lockout is removed and the user can log in again.

The user can try to log in again once the configured duration has elapsed. If they fail again after the lockout has expired (the threshold is configured in the ReachFive Console), the next lockout lasts double the previous duration, starting from the initial configured lockout period and capped at 24 hours. Once the lockout period reaches 24 hours, each subsequent lockout also lasts 24 hours.

When can the user try again?

You configure the number of allowed failed attempts directly in the ReachFive Console. Here, we explain when that attempt count resets and takes the user back to the standard lockout flow.

You can speak with your ReachFive contact for more information about the preconfigured duration mentioned below.
Type: The user is currently unlocked or was never locked out.

Notes: The counter resets after a preconfigured time from the last login failure.

Example scenario

Chris has never been locked out of his account. The attempts threshold is set at 5 for his site. He tries 3 times unsuccessfully on Friday at 09h30; his attempts count is now 3. At 16h30, well beyond the preconfigured time for the counter reset, he tries twice more before he leaves work. Because the counter had reset in the meantime, his count is now 2.

Melanie was locked out a few weeks ago, but she is now unlocked. The attempts threshold is set at 3 for her site. She tries 2 times unsuccessfully on Friday at 10h15; her attempts count is now 2. She grabs a coffee and tries again at 10h35. Her attempts count is now 3, because the preconfigured time for the counter reset had not yet elapsed.

Type: The user is locked out.

Notes: The counter resets after a preconfigured time from the lockout_end_date.

Example scenario

Elisabeth tried 4 times unsuccessfully to log in to her account when her site's threshold was 3 wrong attempts, so she was locked out. Her account's lockout_end_date is set to 2023-02-21T12:15:09.536Z. Her count resets once the preconfigured time has elapsed after that lockout end date.

For more on this field, see User Profile.

Configure user lockout

You can configure user lockout directly in the ReachFive Console. The default settings are 5 allowed failed login attempts and a 5-minute lockout.

(Screenshot: user lockout console)

  1. Go to Settings > Security > User lockout.

  2. Set the Number of allowed failed attempts.

    This is the number of times a user can have a failed login before being locked out of their account.

  3. Set the First lockout duration. This is the initial lockout period (in minutes).

    If the user fails another login attempt after the initial lockout period has expired, the duration set here doubles, up to a maximum of 24 hours. Once the lockout period reaches 24 hours, each subsequent lockout also lasts 24 hours.

  4. Don’t forget to Save your input.

Lockout flow

In the example flow here, the following is configured:

  • Number of allowed failed attempts: 3

  • First lockout duration: 5 minutes

(Diagram: account lockout flow)

Scenarios

Here are a few different user scenarios showing when users are locked out, with the following configuration:

  • Number of allowed failed attempts: 5

  • First lockout duration: 7 minutes

Mehdi

Three failed login attempts. The 4th attempt is successful. No lockout.

Thomas

Five failed login attempts. The 6th attempt is successful. No lockout.

Alex locked out

Six failed login attempts. The user is locked out for 7 minutes.

Francois locked out 2x

Six failed login attempts. The user is locked out for 7 minutes. He tries again after the 7 minutes and fails. He is now locked out for 14 minutes.

Marion locked out

Six failed login attempts. The user is locked out for 7 minutes. She resets her password during this time and successfully logs in with the new password. She’s unblocked at this point.
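To make the rules on this page concrete, here is an added Python model of the lockout state (threshold exceeded, doubling up to 24 hours, counter reset, password reset), written for this article and not ReachFive's own code. The counter-reset delay (`counter_reset`, assumed to be 1 hour), the `lockout_count` field used to drive the doubling, and the choice to clear the counter on a successful login are assumptions; only `lockout_end_date` mirrors a documented field.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class Policy:
    max_attempts: int = 5                            # "Number of allowed failed attempts"
    first_lockout: timedelta = timedelta(minutes=5)  # "First lockout duration"
    counter_reset: timedelta = timedelta(hours=1)    # assumed value for the "preconfigured time"
    max_lockout: timedelta = timedelta(hours=24)     # documented ceiling for the doubling

@dataclass
class Profile:
    failed_attempts: int = 0
    last_failure: Optional[datetime] = None
    lockout_end_date: Optional[datetime] = None      # same meaning as the profile field
    lockout_count: int = 0                           # assumed: consecutive lockouts, drives doubling

def is_locked(p: Profile, now: datetime) -> bool:
    return p.lockout_end_date is not None and p.lockout_end_date > now  # future date = locked

def _reset_if_stale(p: Profile, policy: Policy, now: datetime) -> None:
    # Reference point: lockout_end_date if the user was ever locked out, else the last failure.
    ref = p.lockout_end_date if p.lockout_end_date is not None else p.last_failure
    if ref is not None and now - ref > policy.counter_reset:
        p.failed_attempts, p.lockout_count = 0, 0    # assumption: escalation resets with the counter

def record_failure(p: Profile, policy: Policy, now: datetime) -> str:
    """Apply one failed password login; returns 'locked', 'failed' or 'locked_out'."""
    if is_locked(p, now):
        return "locked"                              # rejected while the lock is active
    _reset_if_stale(p, policy, now)
    p.failed_attempts, p.last_failure = p.failed_attempts + 1, now
    if p.failed_attempts > policy.max_attempts:      # lockout once the threshold is exceeded
        duration = min(policy.first_lockout * 2 ** p.lockout_count, policy.max_lockout)
        p.lockout_end_date = now + duration
        p.lockout_count += 1
        return "locked_out"
    return "failed"

def record_success(p: Profile, now: datetime) -> bool:
    """Successful password login: refused while locked; assumed to clear the counter."""
    if is_locked(p, now):
        return False
    p.failed_attempts, p.lockout_count, p.last_failure = 0, 0, None
    return True

def reset_password(p: Profile) -> None:
    """A successful password reset removes the lock and clears the counter."""
    p.lockout_end_date, p.last_failure = None, None
    p.failed_attempts, p.lockout_count = 0, 0
```

Running the scenarios above through it (threshold 5, first lockout 7 minutes) reproduces Alex, Francois and Marion, and the 1-hour assumption reproduces Chris and Melanie.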