Account lockout: failed login attempts
If a user repeatedly tries to log in on the /api/v1/password/login endpoint and fails, their account is automatically locked after 10 failed attempts. The amount of time between failed attempts must be greater than the reset timeframe to not count as a failed login attempt. Otherwise, the attempts are cumulative.
| See the loginWithPassword operation for more details. |
Example | Reset timeframe =
5 minutes- User A
-
Failed login attempt. User tries again in
4minutes. This counts as failed attempt2/10. - User B
-
Failed login attempt. User tries again in
6minutes. This counts as failed attempt1/10. - User C locked out
-
Failed login attempt. User tries again repeatedly every
4minutes for a total of10attempts. The user is locked out as they did not let the reset timeframe ever reach5minutes.