Vol. 1 · Ed. 2026
CyberGlossary
Entry № 010

Account Lockout

Reviewed by a cybersecurity entrepreneur & security researcher

What is Account Lockout?

Account Lockout: A control that temporarily or permanently blocks sign-in attempts after a configured number of consecutive failures, slowing online password-guessing attacks.


Account lockout disables an account once a threshold of failed authentication attempts is reached, raising the cost of online brute-force and password-spraying attacks. Active Directory, Entra ID, Okta, and most authentication platforms expose the same three settings: maximum attempts, observation window, and lockout duration (for example, 10 failures within 10 minutes leading to a 30-minute lockout).

Lockout is double-edged. NIST SP 800-63B explicitly recommends rate limiting and intelligent throttling over aggressive lockouts, because an attacker who knows valid usernames can deliberately trip lockouts to cause a denial of service — locking real users out of payroll, email, or VPN. Aggressive thresholds also push attackers toward password spraying: trying one common password against thousands of accounts stays under any per-account counter, which is exactly how the 2020 attacks attributed to APT groups against Office 365 tenants evaded lockout.

Modern implementations therefore favour smarter controls: progressive (exponential) delays between attempts, source-IP and ASN throttling, CAPTCHA after a few failures, and risk signals. Microsoft Smart Lockout distinguishes the legitimate user from the attacker using familiar-location and device telemetry, locking only the malicious source while preserving real logins, and it tracks the last few wrong password hashes so repeated identical mistakes do not consume the budget. The strongest mitigation is removing the password as the single secret altogether — phishing-resistant MFA or passkeys make online guessing moot.

flowchart TD
  A[Login attempt] --> B{Credentials valid?}
  B -->|Yes| C[Grant access · reset counter]
  B -->|No| D[Increment failure counter]
  D --> E{Counter >= threshold<br/>within window?}
  E -->|No| F[Add progressive delay · CAPTCHA] --> A
  E -->|Yes| G{Smart signal:<br/>known device / location?}
  G -->|Yes legit user| H[Allow · soft challenge]
  G -->|No attacker source| I[Lock account or source<br/>for lockout duration]
  I --> J[Alert / risk engine]
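The three settings and the two refinements described above (observation window, and a repeated identical wrong guess not consuming the budget, with a progressive delay on each counted failure), as an added Python example; this is not code from the page or from any vendor's implementation, and the sliding-window pruning, the in-memory hash of the wrong guess, and the doubling delay are one assumed design, not Microsoft's actual Smart Lockout algorithm.

```python
import hashlib
from collections import defaultdict, deque

class LockoutPolicy:
    """Per-account sliding-window lockout using the three settings from the text:
    max_attempts failures inside window_s seconds lock the account for lockout_s.
    A repeated identical wrong guess (tracked by hash) does not consume the
    budget, and each counted failure doubles the delay before the next attempt."""
    def __init__(self, max_attempts=10, window_s=600, lockout_s=1800, base_delay_s=1.0):
        self.max_attempts, self.window_s = max_attempts, window_s
        self.lockout_s, self.base_delay_s = lockout_s, base_delay_s
        self.failures = defaultdict(deque)  # account -> deque of (timestamp, guess_hash)
        self.locked_until = {}              # account -> unlock timestamp

    def _prune(self, account, now):
        q = self.failures[account]  # drop failures older than the observation window
        while q and now - q[0][0] > self.window_s:
            q.popleft()

    def is_locked(self, account, now):
        return self.locked_until.get(account, 0) > now

    def record_failure(self, account, guess, now):
        """Count one wrong guess; returns (locked, delay_seconds)."""
        self._prune(account, now)
        q = self.failures[account]
        # Hash held in memory only for the window: recognises the same wrong
        # guess again without retaining the guess itself.
        h = hashlib.sha256(guess.encode()).hexdigest()
        if not any(seen == h for _, seen in q):
            q.append((now, h))
        if len(q) >= self.max_attempts:
            self.locked_until[account] = now + self.lockout_s
            q.clear()
            return True, self.lockout_s
        return False, self.base_delay_s * 2 ** (len(q) - 1)

    def record_success(self, account):
        self.failures.pop(account, None)
        self.locked_until.pop(account, None)

    def attempt(self, account, guess, verify, now):
        """Login path: refuse while locked, else run verify(account, guess) -> bool."""
        if self.is_locked(account, now):
            return "locked"
        if verify(account, guess):
            self.record_success(account)
            return "ok"
        locked, delay = self.record_failure(account, guess, now)
        return "locked" if locked else f"retry_after:{delay:g}"
```

Timestamps are passed in explicitly so the window and lockout expiry can be exercised deterministically; in production they would come from the clock and the state would live in a shared store.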

Examples

  1. Microsoft Entra ID Smart Lockout that blocks the attacker's IP after 10 bad attempts while letting the real user sign in from another network.

  2. Banking portal that locks a card-holder's online access for 30 minutes after 5 wrong PINs.

Frequently asked questions

What is Account Lockout?

A control that temporarily or permanently blocks sign-in attempts after a configured number of consecutive failures, slowing online password-guessing attacks. It belongs to the Identity & Access category of cybersecurity.


What are other names for Account Lockout?

Common alternative names include: Lockout policy, Login lockout.
