Docs

Brute force attacks and locking user accounts

User accounts are a vector for malicious attacks for many reasons, from impersonation to collecting personally identifiable information (PII). One method is a "brute force" attack, where a script will attempt many different passwords to sign into an account. One line of defense against these attacks is to temporarily deny attempts to sign into accounts that attempt too many failed sign-ins in a short period of time. Locking out sign-in attempts disrupts the attack and makes the account a less attractive target.

How Clerk protects against brute force attacks

Account lockout is a Clerk feature that enables you to protect your users from brute-force attacks on static credentials. If enabled on your instance, Clerk will automatically track users' failed verification attempts when they try to authenticate via password on backup code.

How account lockout works

If the maximum allowed attempts are reached, the user will be locked out from signing in again until the lockout duration lapses. Lockout can also be configured to never expire, in which case the user will not be able to sign in unless an admin unlocks them.

An admin can unlock a user before the expiry of the lockout period via the Clerk Dashboard.

Defaults

By default, Clerk applications will lock user accounts after 100 failed sign-in attempts and require a one hour cool down period before anyone can attempt to sign into that account again. (While 100 attempts may seem like a lot to a human, it is very easy to reach this maximum for a bot!)

You can customize the number of times a sign-in can be attempted before the account is locked, and how long lockouts last.

Actions

Clerk measures the following actions as part of account lockout:

  • Password attempts
  • Password resets
  • Backup code requests
  • Email & Phone codes
  • TOTP attempts

What a locked out user sees

When a user exceeds the maximum sign-in attempts, the Clerk <SignIn /> component will inform them of how long they have been locked out for and to contact support for more information.

The Clerk component sign-in form with a red alert stating 'Your account is locked. You will be able to try again in 59 minutes. For more information, contact support.'

Note

Currently, users cannot unlock their own account or submit a request to the admin to be unlocked ("self-service unlock"). This is an upcoming feature, so see the changelog periodically to find out when it is available. Until then, you can programmatically lock and unlock user accounts with a custom flow.

Feedback

What did you think of this content?

Last updated on