Brute force attacks and locking user accounts
User accounts are a vector for malicious attacks for many reasons, from impersonation to collecting personally identifiable information (PII). One method is a "brute force" attack, where a script attempts many different passwords to log into an account. One line of defense against these attacks is to temporarily deny login attempts on accounts that accumulate too many failed logins in a short period of time. Locking out login attempts disrupts the attack and makes the account a less attractive target.
How Clerk protects against brute force attacks
Account Lockout is a Clerk feature that enables you to protect your users from brute-force attacks on static credentials. If enabled on your instance, Clerk will automatically track users' failed verification attempts when they try to authenticate via password or backup code.
How Account Lockout works
If the maximum allowed attempts are reached, the user will be locked out from signing in again until the lockout duration lapses. Lockout can also be configured to never expire, in which case the user will not be able to sign in unless an admin unlocks them.
By default, Clerk applications will lock user accounts after 100 failed login attempts and require a one-hour cooldown period before anyone can attempt to log into that account again. (While 100 attempts may seem like a lot to a human, it is very easy for a bot to reach this maximum!)
Clerk measures the following actions as part of Account Lockout:
- Password attempts
- Password resets
- Backup code requests
- Email & Phone codes
- TOTP attempts
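The policy described above can be modelled in a few lines. This is an added example, not Clerk's implementation: the `LockoutTracker` class, its method names, and the choice to reset the counter on a successful sign-in are assumptions made for illustration.

```javascript
// Added illustration: in-memory model of the lockout policy described above.
// Not Clerk's code; class and method names are hypothetical.
class LockoutTracker {
  // Defaults mirror the page: 100 failed attempts, one-hour lockout.
  // lockoutMs = Infinity models a lockout that never expires.
  constructor({ maxAttempts = 100, lockoutMs = 60 * 60 * 1000 } = {}) {
    this.maxAttempts = maxAttempts;
    this.lockoutMs = lockoutMs;
    this.state = new Map(); // userId -> { failures, lockedAt }
  }

  _entry(userId) {
    if (!this.state.has(userId)) {
      this.state.set(userId, { failures: 0, lockedAt: null });
    }
    return this.state.get(userId);
  }

  // Milliseconds left on the lock: 0 if not locked, Infinity if only an
  // admin unlock can clear it.
  lockRemaining(userId, now = Date.now()) {
    const e = this._entry(userId);
    if (e.lockedAt === null) return 0;
    const remaining = e.lockedAt + this.lockoutMs - now;
    if (remaining > 0) return remaining;
    e.failures = 0; // lockout duration lapsed
    e.lockedAt = null;
    return 0;
  }

  // Record one verification attempt (password, backup code, TOTP, ...).
  // Returns "ok", "failed" or "locked". While locked, the attempt is rejected
  // even if the credential is correct, so guessing cannot continue.
  recordAttempt(userId, success, now = Date.now()) {
    if (this.lockRemaining(userId, now) > 0) return "locked";
    const e = this._entry(userId);
    if (success) { e.failures = 0; return "ok"; } // assumption: success resets the count
    e.failures += 1;
    if (e.failures >= this.maxAttempts) { e.lockedAt = now; return "locked"; }
    return "failed";
  }

  // Admin action: clear both the lock and the failure counter.
  adminUnlock(userId) {
    this.state.set(userId, { failures: 0, lockedAt: null });
  }
}
```

Passing `now` explicitly makes the lockout window testable without waiting for real time to pass.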
What a locked out user sees
When a user exceeds the maximum login attempts, the Clerk <SignIn /> component will inform them of how long they have been locked out for and to contact support for more information.
Currently, users cannot unlock their own account or submit a request to the admin to be unlocked ("self-service unlock"). This is an upcoming feature, so please check Clerk's changelog periodically to find out when it is available. Until then, you can programmatically lock and unlock user accounts with a custom flow.
Last updated on January 10, 2024