Skip to Content
Clerk logo

Clerk Docs

Ctrl + K
Go to clerkstage.dev

Brute force attacks and locking user accounts

User accounts are a vector for malicious attacks for many reasons, from impersonation to collecting personally identifiable information (PII). One method is a "brute force" attack, where a script will attempt many different passwords to log into an account. One line of defense against these attacks is to temporarily deny attempts to log into accounts that attempt too many failed logins in a short period of time. Locking out login attempts disrupts the attack and makes the account a less attractive target.

How Clerk protects against brute force attacks

Account Lockout is a Clerk feature that enables you to protect your users from brute-force attacks on static credentials. If enabled on your instance, Clerk will automatically track users' failed verification attempts when they try to authenticate via password on backup code.

How Account Lockout works

If the maximum allowed attempts are reached, the user will be locked out from signing in again until the lockout duration lapses. Lockout can also be configured to never expire, in which case the user will not be able to sign in unless an admin unlocks them.

An admin can unlock a user before the expiry of the lockout period via the Clerk Dashboard.

Defaults

By default, Clerk applications will lock user accounts after 100 failed login attempts and require a one hour cool down period before anyone can attempt to log into that account again. (While 100 attempts may seem like a lot to a human, it is very easy to reach this maximum for a bot!)

You can customize the number of times a login can be attempted before the account is locked, and how long lockouts last.

Actions

Clerk measures the following actions as part of Account Lockout:

  • Password attempts
  • Password resets
  • Backup code requests
  • Email & Phone codes
  • TOTP attempts

What a locked out user sees

When a user exceeds the maximum login attempts, the Clerk <SignIn /> component will inform them of how long they have been locked out for and to contact support for more information.

The Clerk component login form with a red alert stating 'Your account is locked. You will be able to try again in 59 minutes. For more information, please contact support.'

Currently, users cannot unlock their own account or submit a request to the admin to be unlocked ("self-service unlock"). This is an upcoming feature, so please check Clerk's changelog(opens in a new tab) periodically to find out when it is available. Until then, you can programmatically lock and unlock user accounts with a custom flow.

What did you think of this content?

Clerk © 2024