This feature is controlled by a feature flag and may not yet be enabled on all instances.
How it works
- Each time someone enters the wrong password or an incorrect two-factor authentication code, the failed attempt counter increments.
- After 10 failed attempts, the account is locked and the user cannot log in.
- A successful login resets the counter back to zero.
What locked users see
When a locked user tries to log in, they see an error indicating their account has been locked. They cannot log in even with the correct password until an admin unlocks the account.
Unlocking a user (admins)
Organization admins can unlock a user from the admin panel:
What triggers the counter
The failed attempt counter increments when:
- An incorrect password is entered
- An incorrect two-factor authentication (2FA) code is provided
- An incorrect backup code is used
- The email address does not match any account
- The account is already locked
- Rate limiting has been exceeded for that email
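A small model of the counter described under "How it works" and "What triggers the counter", added here as an illustration and not the product's own code. The in-memory account store, the `LockoutTracker` class and its method names are assumptions; every branch in `attempt_login` corresponds to one trigger listed above, and a locked account keeps counting attempts so that a continuing attack stays visible to the admin.

```python
import hmac
from dataclasses import dataclass

LOCK_THRESHOLD = 10  # failed attempts before the account locks, as stated above

@dataclass
class LoginRecord:
    failed_attempts: int = 0  # incremented on every failed attempt, reset on success
    locked: bool = False      # set once failed_attempts reaches LOCK_THRESHOLD

class LockoutTracker:
    def __init__(self, accounts, threshold=LOCK_THRESHOLD):
        # accounts: email -> (password, 2fa_code). Constructed sample data for the
        # example; a real system compares password hashes, never plaintext.
        self.accounts = accounts
        self.threshold = threshold
        self.records = {}  # keyed by email, so unknown emails get a counter too

    def _record(self, email):
        return self.records.setdefault(email, LoginRecord())

    def _fail(self, email, reason):
        rec = self._record(email)
        rec.failed_attempts += 1
        if rec.failed_attempts >= self.threshold:
            rec.locked = True
        return {"ok": False, "reason": reason, "locked": rec.locked,
                "failed_attempts": rec.failed_attempts}

    def attempt_login(self, email, password, code, rate_limited=False):
        # Each branch is one trigger from the list above; order matters because a
        # locked account is refused before the password is even checked.
        if self._record(email).locked:
            return self._fail(email, "account_locked")
        if rate_limited:
            return self._fail(email, "rate_limited")
        if email not in self.accounts:
            return self._fail(email, "unknown_email")
        expected_password, expected_code = self.accounts[email]
        if not hmac.compare_digest(password.encode(), expected_password.encode()):
            return self._fail(email, "wrong_password")
        if not hmac.compare_digest(code.encode(), expected_code.encode()):
            return self._fail(email, "wrong_2fa_code")
        self._record(email).failed_attempts = 0  # a successful login resets the counter
        return {"ok": True, "reason": "success", "locked": False, "failed_attempts": 0}

    def admin_unlock(self, email):
        # The admin-panel action: clears both the lock and the counter.
        self.records[email] = LoginRecord()
```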
Best practices
- Enable two-factor authentication to add an extra layer of security beyond passwords.
- Use strong, unique passwords to reduce the risk of brute-force attacks succeeding before lockout kicks in.
- Monitor locked accounts regularly in the admin panel. Frequent lockouts for the same user may indicate a targeted attack.
- Educate your team so they know to contact an admin if they get locked out, rather than creating a new account.