Customize max sign-in attempts and duration of user lockout
Clerk provides an Account Lockout feature to protect user credentials against brute-force attacks. You can customize how many sign-in attempts are allowed before the account is locked against further attempts, and how long the lockout lasts.
This feature is applicable to user accounts that use passwords or backup codes.
- In your Clerk Dashboard, navigate to User & Authentication > Attack Protection.
- To change the number of failed attempts before a user is locked out, under Maximum attempt limit, enter a new number of failed attempts allowed. (The default is 100 attempts.)
- To change the duration, under Lockout duration, select Time limit. Then, select the unit of time (minutes/hours/days/years) and enter the number of units you want lockouts to last.
- Select Save changes to apply your settings.
Lock a user account indefinitely until an admin unlocks the account
- In your Clerk Dashboard, navigate to User & Authentication > Attack Protection.
- Under Lockout duration, select Indefinite Lockout.
- Select Save changes to apply your settings.
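The following is an added example, not Clerk's code: a small Python model of how the two settings above interact, useful for reasoning about which values to choose. It assumes the account locks on the failed attempt that reaches the limit, that sign-ins during a lockout are rejected without checking the credential, and that the failure counter resets on success, expiry or admin unlock; all names in it are hypothetical.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class LockoutPolicy:
    max_attempts: int = 100                 # "Maximum attempt limit" (page default)
    lockout_seconds: Optional[int] = 3600   # None models "Indefinite Lockout"

@dataclass
class Account:
    failed: int = 0
    locked_at: Optional[float] = None

def is_locked(acct, policy, now):
    """True while a lockout is in force; clears a time-limited lock once it expires."""
    if acct.locked_at is None:
        return False
    if policy.lockout_seconds is None:      # indefinite: only admin_unlock() clears it
        return True
    if now - acct.locked_at >= policy.lockout_seconds:
        acct.locked_at, acct.failed = None, 0
        return False
    return True

def sign_in(acct, policy, credential_ok, now):
    """Return 'ok', 'failed' or 'locked' for one sign-in attempt at time `now` (seconds)."""
    if is_locked(acct, policy, now):
        return "locked"                     # assumption: credential is not evaluated
    if credential_ok:
        acct.failed = 0                     # assumption: success resets the counter
        return "ok"
    acct.failed += 1
    if acct.failed >= policy.max_attempts:  # assumption: lock on reaching the limit
        acct.locked_at = now
        return "locked"
    return "failed"

def admin_unlock(acct):
    """Model of an administrator clearing the lock manually."""
    acct.locked_at, acct.failed = None, 0

def demo():
    # Constructed scenario: limit of 3 attempts, 10-minute lockout.
    policy, acct = LockoutPolicy(max_attempts=3, lockout_seconds=600), Account()
    results = [sign_in(acct, policy, False, t) for t in (0, 1, 2)]
    results.append(sign_in(acct, policy, True, 300))   # correct password, still locked
    results.append(sign_in(acct, policy, True, 602))   # lock has expired
    return results

if __name__ == "__main__":
    print(demo())
```

With the default limit of 100, the same model shows that a guesser gets up to 100 tries per lockout window, so a shorter lockout duration raises the number of guesses possible per day.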
Last updated on March 8, 2024