Account Lockout
A security control that disables an account after multiple failed login attempts to prevent brute-force attacks.
What is Account Lockout?
Account Lockout is a security mechanism that temporarily or permanently disables a user account after a predefined number of consecutive failed authentication attempts. This control is designed to mitigate brute-force attacks, credential stuffing, and password guessing attempts.
Account lockout policies typically define:
- Lockout threshold: Number of failed attempts before lockout (e.g., 5 attempts)
- Lockout duration: How long the account remains locked (e.g., 15 minutes or indefinite)
- Reset mechanism: How the account can be unlocked (automatic timer, admin unlock, or self-service)
Modern CIAM platforms implement intelligent lockout that considers factors like IP address, device fingerprinting, and behavioral patterns to distinguish between legitimate users and attackers.
Analogy
Think of account lockout like a bank ATM that swallows your card after 3 wrong PIN attempts. It's a safety feature that prevents thieves from guessing your PIN by trying hundreds of combinations - the machine locks down to protect your account.
Types and Use Cases
- Consumer Applications: Lock accounts after 5 failed attempts to prevent credential stuffing attacks
- Enterprise SSO: Implement progressive lockout with admin notification for internal systems
- Banking/Finance: Use strict lockout policies (3 attempts) with mandatory identity verification to unlock
- API Security: Lock service accounts after failed API authentication to prevent automated attacks
How it Works
```json
{
  "lockoutPolicy": {
    "threshold": 5,
    "windowMinutes": 15,
    "lockoutDurationMinutes": 30,
    "progressiveDelays": [2, 4, 8, 16, 32],
    "notifyAdmin": true,
    "unlockMethods": ["email-verification", "sms-otp", "admin-unlock"]
  }
}
```

Account Lockout vs Rate Limiting
| Account Lockout | Rate Limiting |
| --- | --- |
| Blocks the specific user account after failed attempts | Blocks IP addresses or requests regardless of account |
| Account-specific: affects the user | Request-specific: affects the attacker's IP |
| Can cause denial-of-service for legitimate users | More granular and flexible |
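The policy fields shown under "How it Works" (threshold, windowMinutes, lockoutDurationMinutes, progressiveDelays) map directly onto a small state machine per account. The following is an added example, not code from this page or from the LoginRadius platform: an in-memory tracker that applies those fields, including the sliding failure window, the progressive delay between attempts, and automatic unlock when the lockout duration expires. Timestamps are plain floats (seconds) so the behaviour can be exercised deterministically; the class and method names are the example's own.

```python
# Added example (not LoginRadius code): an in-memory evaluator for the policy
# fields shown under "How it Works": threshold, windowMinutes,
# lockoutDurationMinutes and progressiveDelays. Timestamps are plain floats
# (seconds) so the logic can be exercised deterministically; a real service
# would keep this state in a shared store keyed by account.
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class LockoutPolicy:
    threshold: int = 5                      # failures inside the window before lockout
    window_minutes: int = 15                # sliding window for counting failures
    lockout_duration_minutes: int = 30      # how long the account stays locked
    progressive_delays: List[int] = field(  # seconds to wait after the 1st, 2nd, ... failure
        default_factory=lambda: [2, 4, 8, 16, 32])


@dataclass
class AccountState:
    failures: List[float] = field(default_factory=list)  # timestamps of recent failures
    locked_until: Optional[float] = None                 # absolute time the lock expires


class LockoutTracker:
    def __init__(self, policy: LockoutPolicy):
        self.policy = policy
        self.accounts: Dict[str, AccountState] = {}

    def _state(self, account: str) -> AccountState:
        return self.accounts.setdefault(account, AccountState())

    def _prune(self, st: AccountState, now: float) -> None:
        # Drop failures that fell out of the sliding window.
        cutoff = now - self.policy.window_minutes * 60
        st.failures = [t for t in st.failures if t >= cutoff]

    def check(self, account: str, now: float) -> dict:
        """Call before verifying credentials. Says whether an attempt may proceed
        now and, if not, why and how many seconds to wait."""
        st = self._state(account)
        if st.locked_until is not None:
            if now < st.locked_until:
                return {"allowed": False, "reason": "locked",
                        "retry_after": st.locked_until - now}
            # Lock expired: automatic unlock, start counting afresh.
            st.locked_until = None
            st.failures.clear()
        self._prune(st, now)
        n = len(st.failures)
        if n:
            # Progressive delay grows with each failure; the last entry repeats.
            delay = self.policy.progressive_delays[min(n, len(self.policy.progressive_delays)) - 1]
            elapsed = now - st.failures[-1]
            if elapsed < delay:
                return {"allowed": False, "reason": "delay", "retry_after": delay - elapsed}
        return {"allowed": True, "reason": None, "retry_after": 0.0}

    def record_failure(self, account: str, now: float) -> bool:
        """Record a failed attempt; returns True if this failure triggered a lockout."""
        st = self._state(account)
        self._prune(st, now)
        st.failures.append(now)
        if len(st.failures) >= self.policy.threshold:
            st.locked_until = now + self.policy.lockout_duration_minutes * 60
            return True
        return False

    def record_success(self, account: str) -> None:
        # A successful login clears the failure history.
        self.accounts.pop(account, None)


if __name__ == "__main__":
    tracker = LockoutTracker(LockoutPolicy())
    t = 0.0
    for i in range(5):
        decision = tracker.check("alice", t)
        locked = tracker.record_failure("alice", t)
        print(f"t={t:>4.0f}s allowed={decision['allowed']} failure #{i + 1} locked={locked}")
        t += tracker.policy.progressive_delays[i]  # wait out the delay before trying again
    print("state after 5 failures:", tracker.check("alice", t))
```

The delay check runs before the password is verified, so an attacker who ignores the advertised wait gains nothing: the attempt is refused without touching the credential store. Because failures are pruned by the window, a user who mistypes once a day never accumulates enough to be locked, while five failures within fifteen minutes do.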
Best Practices for Account Lockout
- Use progressive lockout: Implement increasing delays between attempts (2s, 4s, 8s) before full lockout
- Notify users: Send email/SMS alerts when account lockout occurs so legitimate users know they're under attack
- Provide self-service unlock: Allow users to unlock via email link or SMS OTP to reduce support tickets
How LoginRadius Powers Account Lockout
LoginRadius Identity Platform includes comprehensive account lockout protection as part of our security suite. Configure lockout thresholds, durations, and progressive delays through our admin console. We provide smart lockout that uses behavioral signals to reduce false positives, real-time security alerts via webhooks, and self-service unlock options (email/SMS) to empower users. LoginRadius also integrates with your SIEM for centralized security monitoring.
FAQs
Yes, attackers can intentionally lock out legitimate users by deliberately failing their login attempts (account lockout denial-of-service). To prevent this, use progressive lockout (increasing delays rather than immediate lockout), IP-based tracking (only lock if the failures come from the same IP), and self-service unlock options so users can quickly regain access.
Temporary lockout automatically unlocks after a set duration (e.g., 30 minutes) and is appropriate for most consumer apps. Permanent lockout requires manual admin intervention or identity verification and is used for high-security systems (banking, healthcare) or after repeated lockout incidents. Permanent lockout provides stronger security but increases support overhead.
LoginRadius provides configurable account lockout policies in our security settings. You can set threshold, duration, and progressive delays. We also offer smart lockout that considers device fingerprinting and IP reputation to distinguish between legitimate users and attackers. Our platform sends real-time alerts on lockout events and provides self-service unlock via email/SMS verification to reduce support burden.
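The first FAQ answer above describes attackers deliberately tripping lockouts on other users' accounts and recommends IP-based tracking as one countermeasure. The following added example, which is not part of this page or of the LoginRadius platform, shows the detection side of that advice as a check a defender could run over authentication logs: it flags any source IP that triggered lockouts on several distinct accounts within a short window, the signature of one source burning through many accounts. The log line format, field names, account names and IP addresses are all constructed for the example.

```python
# Added example (not LoginRadius code): detect the lockout denial-of-service
# pattern from authentication logs. Log format below is assumed for the
# example; adapt LINE_RE to the real event format of your identity provider.
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from typing import Dict, List

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>auth\.(?:failure|success|lockout)) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample log: one source locks four accounts in under a minute,
# a second source produces a single, ordinary lockout much later.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z auth.failure user=alice src=203.0.113.7
2024-05-01T10:00:03Z auth.failure user=alice src=203.0.113.7
2024-05-01T10:00:05Z auth.lockout user=alice src=203.0.113.7
2024-05-01T10:00:06Z auth.failure user=bob src=203.0.113.7
2024-05-01T10:00:09Z auth.lockout user=bob src=203.0.113.7
2024-05-01T10:00:12Z auth.lockout user=carol src=203.0.113.7
2024-05-01T10:00:15Z auth.success user=dave src=198.51.100.20
2024-05-01T10:00:20Z auth.lockout user=erin src=203.0.113.7
2024-05-01T10:20:00Z auth.lockout user=frank src=198.51.100.20
"""


def parse_log(text: str) -> List[dict]:
    """Parse lines in the assumed format; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"ts": ts, "event": m["event"], "user": m["user"], "src": m["src"]})
    return events


def find_lockout_dos(events: List[dict],
                     window: timedelta = timedelta(minutes=15),
                     min_accounts: int = 3) -> Dict[str, List[str]]:
    """Return {source_ip: [locked accounts]} for every source that caused
    lockouts on at least `min_accounts` distinct accounts inside `window`."""
    by_src: Dict[str, List[dict]] = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["event"] == "auth.lockout":
            by_src[e["src"]].append(e)

    alerts: Dict[str, List[str]] = {}
    for src, locks in by_src.items():
        best: set = set()
        start = 0
        # Sliding window over this source's lockout events, ordered by time.
        for end, e in enumerate(locks):
            while locks[start]["ts"] < e["ts"] - window:
                start += 1
            users = {x["user"] for x in locks[start:end + 1]}
            if len(users) > len(best):
                best = users
        if len(best) >= min_accounts:
            alerts[src] = sorted(best)
    return alerts


if __name__ == "__main__":
    for src, accounts in find_lockout_dos(parse_log(SAMPLE_LOG)).items():
        print(f"ALERT possible lockout DoS from {src}: {', '.join(accounts)}")
```

A hit on this check is the point at which a per-IP rate limit or block is the better response than letting the account-level lockout keep firing, which is exactly the distinction the Account Lockout vs Rate Limiting comparison above draws: the affected users are victims, and the shared source address is the attacker.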