Customize max sign-in attempts and duration of user lockout
Clerk provides an Account Lockout feature to protect user credentials against brute-force attacks. You can customize how many times a sign-in can be attempted before the account is locked against further sign-in attempts, and how long the lockout lasts.
- In your Clerk Dashboard, navigate to User & Authentication > Attack Protection.
- To change the number of failed attempts before a user is locked out, under Maximum attempt limit, enter a new number of failed attempts allowed. (The default is 100 attempts.)
- To change the duration, under Lockout duration, select Time limit. Then, select the unit of time (minutes/hours/days/years) and enter the number of units you want lockouts to last.
- Select Save changes to apply your settings.
![](/_next/image?url=%2F_next%2Fstatic%2Fmedia%2F_docs%2Fmain%2Fsecurity%2Fuserlock_custom-attempts-and-duration.webp&w=3840&q=75)
Lock a user account indefinitely until an admin unlocks the account
- In your Clerk Dashboard, navigate to User & Authentication > Attack Protection.
- Under Lockout duration, select Indefinite Lockout.
- Select Save changes to apply your settings.
![](/_next/image?url=%2F_next%2Fstatic%2Fmedia%2F_docs%2Fmain%2Fsecurity%2Fuserlock_indefinite.webp&w=3840&q=75)