Brute-force protections
Brute-force protection guards against attacks that try to crack secrets, such as passwords or passcodes, by trial and error. It halts malicious actors once they reach the limit for unsuccessful attempts. Limiting the number of password or temporary passcode attempts should be one of your top priorities for account security.

While the resulting account lockout can mitigate brute-force attacks, dictionary attacks, and credential stuffing, it can also lead to an unpleasant user experience. When you set up restrictions, it's worth factoring in the honest mistakes legitimate users make when trying to log in. Strivacity's brute-force protection controls help you strike the right balance between ease of use and the risk levels specific to your organization.
Settings
Brute-force protection rules allow you to set how accounts can be disabled based on failed passwords and/or one-time passcode attempts.
Password failed attempts restriction | Description | Status |
---|---|---|
Terminate user session after ... attempts | Defines how many failed password attempts are allowed before the customer’s active session is terminated. | 3 tries are allowed by default. |
Temporary account lockout | When enabled, it locks the account for a limited time after a set number of failed password attempts. | Disabled by default. |
Lock account temporarily after ... attempts | Number of failed attempts that trigger a temporary lockout. | 10 attempts are allowed by default. |
Account lockout duration | How long the account stays locked before the customer can try again. | The duration is set to 15 minutes by default. |
Permanent lockout | When enabled, it permanently locks the account if failed attempts reach the permanent threshold. Only an administrator can unlock the account. | Disabled by default. |
Lock account permanently after ... attempts | Number of failed attempts that trigger a permanent lockout. | 10 attempts are allowed by default. |
OTP/TOTP failed attempts restriction | Description | Status |
---|---|---|
Terminate user session after ... attempts | Defines how many failed OTP/TOTP attempts are allowed before the customer’s active session is terminated. | 3 tries are allowed by default. |
Temporary account lockout | When enabled, it locks the account for a limited time after a set number of failed OTP/TOTP attempts. | Disabled by default. |
Lock account temporarily after ... attempts | Number of failed OTP/TOTP attempts that trigger a temporary lockout. | 3 attempts are allowed by default. |
Account lockout duration | How long the account stays locked before the customer can try again. | The duration is set to 15 minutes by default. |
Permanent lockout | When enabled, it permanently locks the account if failed OTP/TOTP attempts reach the permanent threshold. Only an administrator can unlock the account. | Disabled by default. |
Lock account permanently after ... attempts | Number of failed OTP/TOTP attempts that trigger a permanent lockout. | 3 attempts are allowed by default. |
- Temporary account lockout and Permanent lockout can both be enabled.
- Permanent lockout requires manual admin intervention to restore access.
- A failed attempt counts toward a lock only when the account is not currently locked and the password or OTP entered is incorrect.
- Counters for both temporary and permanent locks reset at the same time:
  - On successful login
  - When a temporary lock expires
  - When an administrator unlocks the account.
For examples of how Adaptive Access policy settings interact with custom journeys and self-service unlock, see Account lockout scenarios.
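To make the counting and reset rules above concrete, here is an added Python model of the lockout state machine (example code written for this page, not Strivacity's implementation; the class and method names, the outcome strings, and the tie-break that a permanent lock wins over a temporary one on the same attempt are assumptions). The policy defaults follow the password table above; an OTP policy would simply use the OTP defaults.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class LockoutPolicy:
    session_terminate_after: int = 3   # defaults follow the password table above
    temp_lock_enabled: bool = False
    temp_lock_after: int = 10
    temp_lock_seconds: int = 15 * 60
    perm_lock_enabled: bool = False
    perm_lock_after: int = 10

@dataclass
class AccountState:
    failed: int = 0            # counter shared by temporary and permanent locks
    session_failed: int = 0    # counter for session termination
    locked_until: Optional[float] = None
    permanently_locked: bool = False

def record_attempt(state: AccountState, policy: LockoutPolicy, success: bool, now: float) -> str:
    """Apply one password/OTP attempt at time `now` (seconds); return the outcome."""
    if state.permanently_locked:
        return "locked_permanently"        # only admin_unlock() clears this
    if state.locked_until is not None:
        if now < state.locked_until:
            return "locked_temporarily"    # attempts while locked are not counted
        state.locked_until = None          # lock expired: counters reset
        state.failed = 0
    if success:
        state.failed = state.session_failed = 0
        return "ok"
    state.failed += 1
    state.session_failed += 1
    outcome = "failed"
    if state.session_failed >= policy.session_terminate_after:
        state.session_failed = 0
        outcome = "session_terminated"
    # Assumption: if both thresholds are hit on the same attempt, the permanent lock wins.
    if policy.perm_lock_enabled and state.failed >= policy.perm_lock_after:
        state.permanently_locked = True
        return "locked_permanently"
    if policy.temp_lock_enabled and state.failed >= policy.temp_lock_after:
        state.locked_until = now + policy.temp_lock_seconds
        return "locked_temporarily"
    return outcome

def admin_unlock(state: AccountState) -> None:
    state.permanently_locked = False   # admin unlock clears both locks and the counters
    state.locked_until = None
    state.failed = state.session_failed = 0
```

Note that because the shared counter resets when a temporary lock expires, a permanent threshold higher than the temporary one is never reached while temporary lockout is enabled.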
Identifier failed attempts restriction | Description | Status |
---|---|---|
Terminate user session after ... attempts | Defines the number of unsuccessful tries a user can have when entering an identifier before they get locked out of the account. | 3 tries are allowed by default. |
Additional settings | Description | Status |
---|---|---|
Expose attempt limits to the login flows | Allows the number of failed password, passcode, and identifier attempts to be shared with the login and My Account experiences. This helps you inform customers how close they are to a lockout or session termination. | Disabled by default. |
When Expose attempt limits to the login flows is enabled, the attempt counts are returned in API responses during login journeys and can be used in your front end to display dynamic warnings or messages. Leave disabled if you don’t want this information exposed.