Overview
When a user fails to authenticate multiple times in a row, their account is temporarily locked and further authentication attempts are denied until the lock is removed. While no lock is active, a successful authentication attempt resets the failure counter. A locked user can be unlocked in one of three ways:
- The lock expires
- The user contacts support, who then manually removes the lock via the Dashboard
- A project may optionally have Stytch send an email allowing users to unlock their account themselves
User lock TTL
How long a user stays locked out once a lock is created. The lock duration can be anywhere from 5 minutes to 7 days; the default is 1 hour. This is configured with the Project-level setting User Lock TTL.
User lock threshold
The number of consecutive failed authentication attempts before a lock becomes active. The value can range from 1 to 100; the default is 10. This is configured with the Project-level setting User Lock Threshold.
Self-service unlocking
Whether users can unlock themselves via an Email Magic Link. When enabled, Stytch sends the User an email containing a link that unlocks the account. This setting is off by default and is configured in the Dashboard with the Project-level setting Allow self serve unlock. Self-serve unlocking requires a default redirect URL to be set up: for Consumer applications it must be of the Login type; for B2B applications it must be of either the Login or Discovery type. Unlock emails can be customized with custom email templates.
Best practices
- Set the failed-attempt threshold based on your security requirements. A lower threshold stops credential stuffing sooner, but it also makes it easier for an attacker who knows a username to lock that user out deliberately, and for legitimate users who mistype to lock themselves out
- Decide how long locks should last. A longer User Lock TTL slows an attacker down more, but a legitimate user stays locked out for the whole period unless support or self-service unlocking intervenes
- Monitor lock events. A burst of locks across many accounts in a short window is a common sign of credential stuffing or password spraying, while repeated locks on a single account suggest a targeted attack
- Decide whether to support self-service unlocking. It reduces support load, but it relies on the user still controlling the email inbox the unlock link is sent to
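The lifecycle described under User lock TTL, User lock threshold and the best practices above, modelled as an added example in Python. This is not Stytch's code or SDK: the names LockoutPolicy, Lockout and the event tuples, the sample timestamps, and the assumption that a lock's expiry also clears the failure counter are choices made for this example. It shows the two behaviours practitioners most often get wrong: a correct credential does not reset the counter or clear the lock while the lock is active, and the lock is enforced before the credential is evaluated.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# Reference model of the lockout behaviour described on this page.
# Not Stytch's code; all names below are assumptions for the example.

MIN_TTL = timedelta(minutes=5)
MAX_TTL = timedelta(days=7)


@dataclass(frozen=True)
class LockoutPolicy:
    """Project-level settings: User Lock Threshold and User Lock TTL."""
    threshold: int = 10                   # consecutive failures before a lock (1..100)
    ttl: timedelta = timedelta(hours=1)   # lock duration (5 minutes .. 7 days)

    def __post_init__(self) -> None:
        if not 1 <= self.threshold <= 100:
            raise ValueError("threshold must be between 1 and 100")
        if not MIN_TTL <= self.ttl <= MAX_TTL:
            raise ValueError("ttl must be between 5 minutes and 7 days")


@dataclass
class UserLockState:
    failed_attempts: int = 0
    locked_until: Optional[datetime] = None


class Lockout:
    """Tracks consecutive failures per user and enforces temporary locks."""

    def __init__(self, policy: LockoutPolicy) -> None:
        self.policy = policy
        self.users: Dict[str, UserLockState] = {}
        # Lock events worth feeding to monitoring: (event, user_id, timestamp)
        self.events: List[Tuple[str, str, datetime]] = []

    def _state(self, user_id: str) -> UserLockState:
        return self.users.setdefault(user_id, UserLockState())

    def is_locked(self, user_id: str, now: datetime) -> bool:
        st = self._state(user_id)
        if st.locked_until is None:
            return False
        if now >= st.locked_until:
            # Lock expired. Assumption: the counter starts fresh afterwards.
            st.locked_until = None
            st.failed_attempts = 0
            self.events.append(("lock_expired", user_id, now))
            return False
        return True

    def attempt(self, user_id: str, credential_ok: bool, now: datetime) -> str:
        """Record one authentication attempt; returns 'locked', 'ok' or 'failed'."""
        if self.is_locked(user_id, now):
            # Denied before the credential is even considered, so the response
            # leaks nothing about whether the credential was correct.
            return "locked"
        st = self._state(user_id)
        if credential_ok:
            st.failed_attempts = 0    # reset happens only while no lock is active
            return "ok"
        st.failed_attempts += 1
        if st.failed_attempts >= self.policy.threshold:
            st.locked_until = now + self.policy.ttl
            self.events.append(("user_locked", user_id, now))
        return "failed"

    def unlock(self, user_id: str, now: datetime, via: str) -> None:
        """Manual unlock: via='support' (Dashboard) or via='self_serve' (unlock email)."""
        st = self._state(user_id)
        st.locked_until = None
        st.failed_attempts = 0
        self.events.append((f"unlocked_by_{via}", user_id, now))


def walkthrough() -> Tuple[List[str], List[str]]:
    """Drive the model with a low threshold so the whole lifecycle is visible.

    Returns the per-attempt outcomes and the names of the lock events raised.
    """
    lo = Lockout(LockoutPolicy(threshold=3, ttl=timedelta(minutes=5)))
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)   # constructed timestamp
    out = []
    # two failures, a success, two more failures: never 3 in a row, no lock
    for i, ok in enumerate([False, False, True, False, False]):
        out.append(lo.attempt("alice", ok, t0 + timedelta(seconds=i)))
    # third consecutive failure: lock created, expiring 5 minutes later
    out.append(lo.attempt("alice", False, t0 + timedelta(seconds=5)))
    # the correct credential while locked is still denied
    out.append(lo.attempt("alice", True, t0 + timedelta(seconds=6)))
    # after the TTL the lock has expired and the same credential works
    out.append(lo.attempt("alice", True, t0 + timedelta(minutes=5, seconds=6)))
    return out, [name for name, _, _ in lo.events]


if __name__ == "__main__":
    print(walkthrough())
```

The `events` list is the hook for the monitoring bullet above: count `user_locked` events per minute across all users to spot spraying, and per user to spot a targeted attempt. Keep the `is_locked` check ahead of credential verification in any real implementation, otherwise a locked account still answers a password oracle.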