Account Lockout
What is Account Lockout?
Account Lockout: A control that temporarily or permanently blocks sign-in attempts after a configured number of consecutive failures, slowing online password-guessing attacks.
Account lockout disables an account after a threshold of failed authentication attempts is reached, raising the cost of online brute-force and password-spraying attacks. Active Directory, Entra ID, Okta, and most authentication platforms expose a triple: maximum attempts, observation window, and lockout duration (for example, 10 failures in 10 minutes leading to a 30-minute lockout). NIST SP 800-63B recommends rate limiting and intelligent throttling rather than aggressive lockouts because attackers can weaponize them to cause denial of service. Modern implementations therefore combine progressive delays, source-IP throttling, CAPTCHAs, and risk signals from systems like Microsoft Smart Lockout, which only locks the attacker's source while preserving legitimate logins.
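As an added illustration (not code from the original page or from any of the vendors named), the following Python model implements the triple described above and contrasts locking the account itself with a simplified smart-lockout style that keys the counter on the (account, source) pair. The policy values, user name, source addresses and timings are constructed for the example, and the smart mode is a deliberately minimal approximation rather than Microsoft's actual algorithm.

```python
from collections import deque

# Policy triple (constructed values matching the text): 10 failures in a 600 s window -> 1800 s lockout
MAX_ATTEMPTS, WINDOW_SECONDS, LOCKOUT_SECONDS = 10, 600, 1800

class LockoutTracker:
    """Counts failures per key: the account alone, or (account, source) for smart lockout."""
    def __init__(self):
        self.failures = {}       # key -> deque of failure timestamps inside the window
        self.locked_until = {}   # key -> time at which the lock expires

    def is_locked(self, key, now):
        until = self.locked_until.get(key)
        if until is None:
            return False
        if now >= until:         # lock expired: forget it and the stale failures
            del self.locked_until[key]
            self.failures.pop(key, None)
            return False
        return True

    def record_failure(self, key, now):
        recent = self.failures.setdefault(key, deque())
        recent.append(now)
        while now - recent[0] > WINDOW_SECONDS:
            recent.popleft()     # only failures inside the observation window count
        if len(recent) >= MAX_ATTEMPTS:
            self.locked_until[key] = now + LOCKOUT_SECONDS
            recent.clear()

def attempt_login(tracker, user, source_ip, password_ok, now, smart=True):
    """Returns 'ok', 'failed' or 'locked'. smart=True keys the counter on (user, source)."""
    key = (user, source_ip) if smart else user
    if tracker.is_locked(key, now):
        return "locked"
    if password_ok:
        tracker.failures.pop(key, None)   # success resets the counter
        return "ok"
    tracker.record_failure(key, now)
    return "locked" if tracker.is_locked(key, now) else "failed"

def simulate(smart):
    """Constructed scenario: 10 bad guesses at 'alice' from 203.0.113.7, then alice herself."""
    tracker = LockoutTracker()
    guesses = [attempt_login(tracker, "alice", "203.0.113.7", False, t * 30, smart)
               for t in range(10)]                                   # t = 0 s .. 270 s
    victim = attempt_login(tracker, "alice", "198.51.100.2", True, 300, smart)
    later = attempt_login(tracker, "alice", "198.51.100.2", True, 300 + 1801, smart)
    return guesses[-1], victim, later
```

With plain account lockout the guessing source also locks out the legitimate user from her own network until the duration expires, which is the denial-of-service effect the NIST guidance warns about; keying on the source leaves her login unaffected.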
● Examples
- 01: Microsoft Entra ID Smart Lockout that blocks the attacker's IP after 10 bad attempts while letting the real user sign in from another network.
- 02: Banking portal that locks a card-holder's online access for 30 minutes after 5 wrong PINs.
● Frequently asked questions
What is Account Lockout?
A control that temporarily or permanently blocks sign-in attempts after a configured number of consecutive failures, slowing online password-guessing attacks. It belongs to the Identity & Access category of cybersecurity.
How is Account Lockout deployed defensively?
Account lockout is typically combined with other technical controls (rate limiting, progressive delays, source throttling, risk signals) and operational practices, as detailed in the full definition above.
What are other names for Account Lockout?
Common alternative names include: Lockout policy, Login lockout.
● Related terms
- Password (identity-access № 795): A secret string of characters that a user supplies to prove identity to a system, traditionally the dominant single-factor authentication mechanism.
- Password Policy (identity-access № 798): A documented set of rules governing how user passwords are created, stored, rotated, and validated to balance security against usability for the workforce.
- Credential Stuffing (attacks № 232): An automated attack that replays large lists of username/password pairs leaked from one service against other services, exploiting password reuse to take over accounts.
- Password Spraying (attacks № 800): A low-and-slow attack that tries a small set of common passwords against many user accounts, staying under lockout and rate-limit thresholds.
- Risk-Based Authentication (RBA) (identity-access № 940): An authentication strategy that computes a real-time risk score for each sign-in and varies the response — allow, challenge, or block — based on that score.
- Multi-Factor Authentication (MFA) (identity-access № 708): An authentication method that requires two or more independent factors — typically from different categories — before granting access.