Implement account lock after multiple failed login attempts
Description
Implement an adaptive account lock mechanism that temporarily locks a user account after multiple failed login attempts to prevent brute-force attacks.
The lock duration should:
Start at 1 minute after initial threshold breach.
Increase progressively with repeated failed attempts.
Cap lock duration at 15 minutes.
What Needs to Be Done
Track failed login attempts per user.
Store:
Failed attempt count
Lock expiration timestamp
Prevent login while account is locked.
Return appropriate error message during lock period.
Reset attempt counter upon successful login.
Ensure rate limiter logic remains unaffected.
Acceptance Criteria
Account locks after defined failed attempts.
Lock duration increases progressively.
Maximum lock time does not exceed 15 minutes.
Successful login resets lock state.
No breaking changes to existing auth flow.
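One way to implement the policy above (an added example, not code from this project): per-user failure counter plus a lock expiry, with the lock doubling from 1 minute and capped at 15 minutes, and a successful login clearing both. The failure threshold (5) and the doubling schedule are assumptions, since the issue leaves them open; the clock is injectable so the behaviour can be tested without sleeping.

```python
import time
from dataclasses import dataclass
from typing import Callable, Dict, Tuple

# Constructed policy values; the threshold is an assumption (the issue does not fix it).
FAILURE_THRESHOLD = 5
BASE_LOCK_SECONDS = 60         # 1 minute after the initial threshold breach
MAX_LOCK_SECONDS = 15 * 60     # never lock longer than 15 minutes


@dataclass
class AccountState:
    failed_attempts: int = 0
    lock_expires_at: float = 0.0  # epoch seconds; 0.0 means never locked


class LoginGuard:
    """Per-user adaptive lockout; independent of any request rate limiter."""

    def __init__(self, threshold: int = FAILURE_THRESHOLD,
                 clock: Callable[[], float] = time.time) -> None:
        self._states: Dict[str, AccountState] = {}
        self._threshold = threshold
        self._clock = clock

    def lock_duration(self, failed_attempts: int) -> int:
        # Doubles for each failure past the threshold: 60s, 120s, 240s, ... capped at 900s.
        breaches = min(max(0, failed_attempts - self._threshold), 10)
        return min(BASE_LOCK_SECONDS * 2 ** breaches, MAX_LOCK_SECONDS)

    def is_locked(self, user: str) -> bool:
        return self._clock() < self._states.get(user, AccountState()).lock_expires_at

    def attempt_login(self, user: str, verify_password: Callable[[], bool]) -> Tuple[bool, str]:
        """Returns (success, message). The password is never checked while locked."""
        state = self._states.setdefault(user, AccountState())
        now = self._clock()
        if now < state.lock_expires_at:
            remaining = int(state.lock_expires_at - now)
            return False, f"account locked; retry in {remaining}s"
        if verify_password():
            self._states.pop(user, None)  # successful login resets counter and lock
            return True, "ok"
        state.failed_attempts += 1
        if state.failed_attempts >= self._threshold:
            duration = self.lock_duration(state.failed_attempts)
            state.lock_expires_at = now + duration
            return False, f"account locked for {duration}s"
        return False, "invalid credentials"
```

Attempts made during the lock window are rejected without touching the counter, so they neither extend the lock nor exercise the password check. The distinct "locked" message confirms that the account exists; if the login endpoint otherwise returns one uniform error, keep that uniform message on the wire and log the lock reason server-side instead.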