Identifier lockout
The identifier lockout policy allows you to customize your own sentinel policy settings to protect against brute force access. This policy works by monitoring authentication attempts for each identifier (such as usernames or email addresses) and implementing restrictions when suspicious activity is detected. If a user exceeds the allowed number of failed authentication attempts, the system temporarily locks the identifier, preventing further authentication attempts for a specified duration. This helps to mitigate brute-force attacks and enhances overall account security.
Application of the policy
- Identifier sign-in: Password and verification code
- Identifier sign-up: Email/phone verification code
- Reset password: Email/phone verification code
Policy settings
By default, an identifier is locked for 60 minutes after 100 failed authentication attempts within an hour.
To customize the policy settings or manually unblock verified users, visit Console > Security > General and enable "Customize lockout experience".
Configure the following settings:
- Maximum failed attempts
  - Limit the number of consecutive failed authentication attempts per identifier within an hour. If the limit is exceeded, the identifier will be temporarily locked out.
  - Default value: 100
- Lockout duration (minutes)
  - Block all authentication attempts for the given identifier for a specified period after the maximum failed attempts has been exceeded.
  - Default value: 60 minutes
- Manual unblock
  - Administrators can manually unblock users by providing a list of identifiers that need to be released from the lockout. The given identifiers must exactly match the identifiers that were blocked.
Lockout webhook
When an identifier is locked due to exceeding the maximum failed attempts, Logto triggers the Identifier.Lockout webhook event, enabling automated responses to suspicious account activity.
Common use cases:
- Send security alerts to your team for immediate review
- Notify users via SMS or push notification about the lockout and provide recovery instructions
Navigate to Console > Webhooks to configure your webhook. For detailed event structure and configuration, see Webhooks.
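As an added illustration (not Logto's own implementation), the following JavaScript models the policy settings and the lockout webhook described above: a per-identifier count of consecutive failures within a trailing one-hour window, a timed lock once the maximum is reached, a stand-in callback for the `Identifier.Lockout` event, and a manual unblock that requires an exact identifier match. All function and option names are assumptions.

```javascript
// Added example modelling the identifier lockout policy; names are assumptions.
const HOUR_MS = 60 * 60 * 1000;

function createLockoutPolicy({ maxFailedAttempts = 100, lockoutMinutes = 60, onLockout = () => {} } = {}) {
  const failures = new Map();    // identifier -> timestamps (ms) of recent failed attempts
  const lockedUntil = new Map(); // identifier -> timestamp (ms) when the lock expires

  // True while a lock is active; an expired lock is cleared on the first check after expiry.
  function isLocked(identifier, now = Date.now()) {
    const until = lockedUntil.get(identifier);
    if (until === undefined) return false;
    if (now < until) return true;
    lockedUntil.delete(identifier);
    failures.delete(identifier);
    return false;
  }

  // Record one authentication attempt. Returns 'locked', 'ok' or 'failed'.
  function attempt(identifier, succeeded, now = Date.now()) {
    if (isLocked(identifier, now)) return 'locked';
    if (succeeded) {
      failures.delete(identifier); // a success breaks the run of consecutive failures
      return 'ok';
    }
    // Only failures inside the trailing one-hour window count toward the maximum.
    const recent = (failures.get(identifier) || []).filter((t) => now - t < HOUR_MS);
    recent.push(now);
    failures.set(identifier, recent);
    if (recent.length >= maxFailedAttempts) {
      lockedUntil.set(identifier, now + lockoutMinutes * 60 * 1000);
      failures.delete(identifier);
      // Stand-in for the Identifier.Lockout webhook delivery (payload shape is assumed).
      onLockout({ event: 'Identifier.Lockout', identifier, lockedAt: now });
      return 'locked';
    }
    return 'failed';
  }

  // Manual unblock: identifiers must match the locked ones exactly (no normalisation).
  // Returns how many identifiers were actually released.
  function unblock(identifiers) {
    let released = 0;
    for (const id of identifiers) {
      if (lockedUntil.delete(id)) { failures.delete(id); released += 1; }
    }
    return released;
  }

  return { attempt, unblock, isLocked };
}
```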