User Locks

User Locks is a security feature that automatically locks user accounts after a specified number of failed authentication attempts. This helps protect against brute force attacks and unauthorized access attempts, providing a cooldown period before further attempts can be made.

Overview

When a user fails to authenticate multiple times in a row, their account is temporarily locked and further authentication attempts are denied until the lock is removed. While no lock is active, the failed-attempt counter resets upon a successful authentication attempt. Users can be unlocked in one of three ways:

  1. The lock expires
  2. The user contacts support, who then manually removes the lock via the dashboard
  3. A project may optionally have Stytch send an email allowing users to unlock their account themselves

The lock duration and number of allowed failed attempts are configurable at the project level via the dashboard.

User Lock TTL

The duration for which the user is locked out once a lock is created. User locks can have a duration from 5 minutes through 7 days. The default lock duration is 1 hour. This can be configured as a project setting listed as "User Lock TTL".

User Lock Threshold

The number of consecutive failed authentication attempts before a user lock becomes active. This value can range from 1 through 100. The default value is 10. This can be configured as a project setting listed as "User Lock Threshold".

Self-Service Unlocking

This setting controls whether users can unlock themselves via an Email Magic Link. When enabled, Stytch will send an email to the User containing a link that allows the user to unlock themselves. This setting is off by default. This can be configured in the dashboard as a project setting listed under "Allow self serve unlock".

To use self-serve unlocking, projects need to have a default redirect URL set up. For Consumer applications, this needs to be of the Login type. For B2B applications, this needs to be either a Login or Discovery type.
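The lock lifecycle described above, modelled as an added example in Python (not Stytch's own code or SDK): a LockPolicy carries the two project settings with the ranges the page gives, record_attempt applies one authentication attempt to a user's lock state, and unlock covers the dashboard and self-serve paths. All names are hypothetical, and the assumption that the failure counter restarts once a lock expires is not stated on the page.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

@dataclass
class LockPolicy:
    """Project-level settings named on the page, with the page's ranges and defaults."""
    threshold: int = 10                   # "User Lock Threshold": 1 through 100
    ttl: timedelta = timedelta(hours=1)   # "User Lock TTL": 5 minutes through 7 days

    def __post_init__(self) -> None:
        if not 1 <= self.threshold <= 100:
            raise ValueError("threshold must be between 1 and 100")
        if not timedelta(minutes=5) <= self.ttl <= timedelta(days=7):
            raise ValueError("ttl must be between 5 minutes and 7 days")

@dataclass
class UserLockState:
    failures: int = 0                           # consecutive failed attempts
    locked_until: Optional[datetime] = None     # None when no lock is active
    events: list = field(default_factory=list)  # (name, time) pairs, for monitoring

    def is_locked(self, now: datetime) -> bool:
        return self.locked_until is not None and now < self.locked_until

def record_attempt(state: UserLockState, policy: LockPolicy, success: bool, now: datetime) -> str:
    """Apply one authentication attempt and return what happened to it."""
    if state.locked_until is not None and now >= state.locked_until:
        # Unlock path 1: the lock expires. Assumption: the counter restarts afterwards.
        state.events.append(("lock_expired", now))
        state.locked_until, state.failures = None, 0
    if state.is_locked(now):
        state.events.append(("attempt_denied", now))
        return "denied"            # even a correct credential is refused while locked
    if success:
        state.failures = 0         # no lock active: success resets the counter
        return "authenticated"
    state.failures += 1
    if state.failures >= policy.threshold:
        state.locked_until = now + policy.ttl
        state.events.append(("user_locked", now))
        return "locked"
    return "failed"

def unlock(state: UserLockState, now: datetime, source: str) -> None:
    """Unlock paths 2 and 3: support via the dashboard, or the self-serve magic link."""
    state.locked_until, state.failures = None, 0
    state.events.append((f"unlocked_by_{source}", now))
```

The events list is the hook for the "monitor lock events" practice: a burst of user_locked or attempt_denied entries across many users is the signal worth alerting on.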

Best Practices

  1. Set appropriate thresholds for failed attempts based on your security requirements
  2. Understand how long you want locks to last
  3. Monitor lock events for potential security threats
  4. Consider whether you want to support self-service unlocking or not
