Lock user after X attempts of login and unlock after a set Time

darshan.mehta · March 4, 2021, 2:54pm

Hello Auth0 Team,

I know this type of query has been asked in the past, however I just want to bring it up again and see if there are actual code snippets or feature added for this functionality:

Example:
After 5 failed login attempts, we set the user account to locked and either 2 things can happen:

After 24 hours the users account is set back to unlock and they can login
or
They can reset their password and unlock the account.

I haven’t seen this feature in the password policy settings but I know it may be possible via rules, but not sure how to capture failed login attempts (would this be a variable we set in the users meta data?)

Thank you!

konrad.sopala · March 5, 2021, 11:37am

Hey there!

As you said it’s not something that is officially documented. If you want to use rules for thatI would try digging in the context object inside rules. More about its properties here:

When it comes to locking user after 10 failed login attempts, the Brute Force protection is here for you: