Brute-force Protection

Account Lockout Policy safeguards attacks towards a user account from brute-force login attempts

Authgear offers brute-force protection by locking the account from login after a number of failed login attempts. Further login attempts can be limited or blocked. This policy can apply to

  • An IP address fails multiple times to login as the same user

  • The same account fails to login multiple times regardless of IP addresses

The account remains blocked for an amount of "Lockout Duration" configured by the admin. The attempt count is reset after a successful login or the "Reset duration" passed after the last failure.

To setup the account lockout policy:

  1. Go to Portal > Authentication > Login Methods

  2. Go to the Account Lockout Policy tab

  3. Enable the policy

  4. Save the config

Lockout Threshold

In this section, you can control after how many failed attempts the lockout will take effects, and the reset duration of the attempts. By default, the lock will be reset after 24 hours has passed from the last failed login attempt.

Lockout Duration

This section determined the amount of time an account will remain locked when it has exceeded the lockout threshold.

In the above example, the lockout duration starts off with 1 minute. For every subsequent failed attempt, lockout duration will increase by 2 times, which means the account will remain locked for 2 minutes after the next attempt, until it reaches the maximum of 60 minutes.

Lockout Type

You can choose to protect against only the attempts from a single IP address or from any devices regardless of the IP address.

Apply only to selected authenticators

The brute-force protection do not only applies to password, it can also protect against other authenticator attempts.

Last updated