Docs

Customize max sign-in attempts and duration of user lockout

Clerk provides an Account Lockout feature in order to protect user credentials against brute force attacks. You can customize the number of times a sign in can be attempted before the account is locked to prevent further sign-in attempts, and how long such a lockout lasts.

Note

This feature is applicable to user accounts that use passwords or backup codes.

  1. In your Clerk Dashboard, navigate to User & Authentication > Attack Protection.
  2. To change the number of failed attempts before a user is locked out, under Maximum attempt limit, enter a new number of failed attempts allowed. (The default is 100 attempts.)
  3. To change the duration, under Lockout duration, select Time limit. Then, select the unit of time (minutes/hours/days/years) and enter the number of units you want lockouts to last.
  4. Select Save changes to apply your settings.

Lock a user account forever until an admin unlocks the account

  1. In your Clerk Dashboard, navigate to User & Authentication > Attack Protection.
  2. Under Lockout duration, select Indefinite Lockout.
  3. Select Save changes to apply your settings.

Feedback

What did you think of this content?

Last updated on