Brute force attacks and locking user accounts
User accounts are a vector for malicious attacks for many reasons, from impersonation to collecting personally identifiable information (PII). One method is a "brute force" attack, where a script will attempt many different passwords to sign into an account. One line of defense against these attacks is to temporarily deny attempts to sign into accounts that attempt too many failed sign-ins in a short period of time. Locking out sign-in attempts disrupts the attack and makes the account a less attractive target.
How Clerk protects against brute force attacks
Account Lockout is a Clerk feature that enables you to protect your users from brute-force attacks on static credentials. If enabled on your instance, Clerk will automatically track users' failed verification attempts when they try to authenticate via password on backup code.
How Account Lockout works
If the maximum allowed attempts are reached, the user will be locked out from signing in again until the lockout duration lapses. Lockout can also be configured to never expire, in which case the user will not be able to sign in unless an admin unlocks them.
An admin can unlock a user before the expiry of the lockout period via the Clerk Dashboard.
Defaults
By default, Clerk applications will lock user accounts after 100 failed sign-in attempts and require a one hour cool down period before anyone can attempt to sign into that account again. (While 100 attempts may seem like a lot to a human, it is very easy to reach this maximum for a bot!)
Actions
Clerk measures the following actions as part of Account Lockout:
- Password attempts
- Password resets
- Backup code requests
- Email & Phone codes
- TOTP attempts
What a locked out user sees
When a user exceeds the maximum sign-in attempts, the Clerk <SignIn /> component will inform them of how long they have been locked out for and to contact support for more information.
