Identifier lockout
Sentinel
The identifier lockout policy allows you to customize your own sentinel policy settings to protect against account sign-in/sign-up abuse. This policy works by monitoring authentication attempts for each identifier (such as usernames or email addresses) and implementing restrictions when suspicious activity is detected. If a user exceeds the allowed number of failed authentication attempts, the system temporarily locks the identifier, preventing further authentication attempts for a specified duration. This helps to mitigate brute-force attacks and enhances overall account security.
Visit Console > Security > General to configure the identifier lockout settings.
Application of the policy
The identifier lockout (sentinel) policy will be applied in the following user interaction flows:
- Identifier sign-in: Password and verification code
- Identifier sign-up: Email/phone verification code
- Reset password: Email/phone verification code
Policy settings
- Maximum failed attempts:
  - Limit the number of consecutive failed authentication attempts per identifier within an hour. If the limit is exceeded, the identifier will be temporarily locked out.
  - Default value: 100
- Lockout duration (minutes):
  - Block all authentication attempts for the given identifier for a specified period after exceeding the maximum failed attempts.
  - Default value: 60 minutes
- Manual unblock:
  - Administrators can manually unblock users by providing a list of identifiers that need to be released from the lockout. The given identifiers must exactly match the identifiers being blocked.
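The following reference model is an added example, not the product's own implementation: it applies the three settings above (failures counted per identifier within a one-hour window, a lockout of the configured duration, and exact-match manual unblock) to a stream of attempts. It assumes a caller-supplied clock (`now` in seconds) and that the lock triggers on the attempt that exceeds the limit.

```python
from dataclasses import dataclass, field
from typing import Dict, List

WINDOW_SECONDS = 3600        # failures are counted within a one-hour window
MAX_FAILED_ATTEMPTS = 100    # page default
LOCKOUT_SECONDS = 60 * 60    # page default: 60 minutes


@dataclass
class IdentifierLockout:
    """Per-identifier sentinel: count failures in a sliding hour, lock on excess."""
    max_failed: int = MAX_FAILED_ATTEMPTS
    window: int = WINDOW_SECONDS
    lockout: int = LOCKOUT_SECONDS
    _failures: Dict[str, List[float]] = field(default_factory=dict)
    _locked_until: Dict[str, float] = field(default_factory=dict)

    def is_locked(self, identifier: str, now: float) -> bool:
        until = self._locked_until.get(identifier)
        if until is None:
            return False
        if now >= until:  # lock expired: release and forget counted failures
            del self._locked_until[identifier]
            self._failures.pop(identifier, None)
            return False
        return True

    def record_failure(self, identifier: str, now: float) -> bool:
        """Record a failed attempt; return True if the identifier is (now) locked."""
        if self.is_locked(identifier, now):
            return True  # blocked: the attempt is not evaluated at all
        recent = [t for t in self._failures.get(identifier, []) if now - t < self.window]
        recent.append(now)
        self._failures[identifier] = recent
        if len(recent) > self.max_failed:  # assumption: lock on the attempt that exceeds the limit
            self._locked_until[identifier] = now + self.lockout
            return True
        return False

    def record_success(self, identifier: str, now: float) -> None:
        """A successful attempt ends the consecutive-failure streak."""
        if not self.is_locked(identifier, now):
            self._failures.pop(identifier, None)

    def manual_unblock(self, identifiers: List[str]) -> List[str]:
        """Release only exactly-matching identifiers; returns those actually released."""
        released = [i for i in identifiers if self._locked_until.pop(i, None) is not None]
        for i in released:
            self._failures.pop(i, None)
        return released
```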