Brute-force attack protection with Account Lockout

What is Account Lockout?

Account Lockout is a feature that protects you and your users from brute-force attacks where bots or other nefarious actors repeatedly attempt to gain access. In addition to our other methods of bot detection, now, when a configurable limit of attempts is exceeded – the user's account will be temporarily locked, and they will be prompted to wait for a cooldown period before they can try again.

This prevents malevolent actors from guessing users' credentials by trying out multiple possible codes in rapid succession (brute-force attack).

What do I need to do to activate it?

Well, nothing. We've enabled Account Lockout on all accounts with default settings that shouldn't be intrusive for your users but will certainly inconvenience bots and scripts.

Starting today, you can head to our User & Authentication > Attack Protection and configure the settings to your application's needs. Specifically, you're able to adjust the number of failed attempts before a user's account is locked and the duration for which they will be prevented from signing in afterwards.

It is also possible to disable Account Lockout, but we highly recommend you keep it on :)

Head to our docs to learn more about brute force attacks and locking user accounts.