It is common practice to block a user account after a number of failed login attempts. This behaviour also helps protect your users from slow brute-force attacks.

With today's tools it is easy to make login attempts from many different IPs, and in that case Brute-Force Protection alone is insufficient to protect your users' accounts. While brute-force protection limits attempts from a single source (IP), this policy counts failed attempts against an account from all sources.

To customize the account blocking policy, go to Dashboard > Security and open Account Blocking Policy.

Configuration

Field: Description

Send Notification: If enabled, users receive an email informing them that their account has been blocked. The Blocked Account template is used for this email.
Allow User Unblock: If enabled, users can unblock their own accounts by resetting their passwords with the link received in the email.
Reset Attempts After Successful Login: If enabled, the failed login counter is reset when the user successfully logs in.
Attempts: Number of failed attempts after which the user account is blocked.
Duration: Failed attempts are counted over the specified number of seconds.
Block Duration: Number of seconds PlusAuth blocks the IP for the specified user.

For example, with the following configuration:

Send Notification = true
Allow User Unblock = true
Attempts = 50
Duration = 86400 (1 day in seconds)
Block Duration = 31540000 (1 year in seconds)

if a user fails to log in to their account 50 times (Attempts) within a day (Duration), their account is blocked for 1 year (Block Duration), and the user receives the configured Blocked Account email.
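The following added example (not PlusAuth's own code) models the policy described above so the counting rules can be checked against constructed login events: failures are counted per account no matter which IP they come from, only failures inside the Duration window count, reaching Attempts blocks the account for Block Duration, and the Reset Attempts After Successful Login and administrator unblock behaviours are shown as well. The class names, the sample account `alice@example.com` and the IP addresses are assumptions made for the example; the policy values are the ones from the configuration above.

```python
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, Dict, List, Optional, Tuple


@dataclass
class AccountBlockingPolicy:
    # Defaults mirror the example configuration on the page
    attempts: int = 50
    duration: int = 86400            # seconds the failure window covers (1 day)
    block_duration: int = 31540000   # seconds the block lasts (1 year)
    reset_attempts_after_successful_login: bool = True
    send_notification: bool = True
    allow_user_unblock: bool = True


@dataclass
class AccountState:
    failures: Deque[int] = field(default_factory=deque)  # timestamps of failures still inside the window
    blocked_until: Optional[int] = None


class AccountBlocker:
    """Constructed model: applies the policy to every login outcome for a user account."""

    def __init__(self, policy: AccountBlockingPolicy):
        self.policy = policy
        self.accounts: Dict[str, AccountState] = {}
        self.sent_emails: List[Tuple[str, str, bool]] = []   # (user, template, unblock link included)
        self.audit: List[Tuple[int, str, str, str]] = []     # (time, user, source_ip, outcome)

    def _state(self, user: str) -> AccountState:
        return self.accounts.setdefault(user, AccountState())

    def is_blocked(self, user: str, now: int) -> bool:
        st = self._state(user)
        if st.blocked_until is None:
            return False
        if now >= st.blocked_until:          # Block Duration elapsed: lift the block, start fresh
            st.blocked_until = None
            st.failures.clear()
            return False
        return True

    def record_login(self, user: str, source_ip: str, success: bool, now: int) -> str:
        """Return 'blocked', 'ok' or 'failed'. The source IP is only logged; it never affects counting."""
        st = self._state(user)
        if self.is_blocked(user, now):
            outcome = "blocked"
        elif success:
            if self.policy.reset_attempts_after_successful_login:
                st.failures.clear()
            outcome = "ok"
        else:
            # drop failures that fell out of the Duration window, then count this one
            while st.failures and now - st.failures[0] >= self.policy.duration:
                st.failures.popleft()
            st.failures.append(now)
            if len(st.failures) >= self.policy.attempts:
                st.blocked_until = now + self.policy.block_duration
                if self.policy.send_notification:
                    self.sent_emails.append((user, "Blocked Account", self.policy.allow_user_unblock))
                outcome = "blocked"
            else:
                outcome = "failed"
        self.audit.append((now, user, source_ip, outcome))
        return outcome

    def admin_unblock(self, user: str) -> None:
        """Administrators can lift a block at any time (dashboard or Management API)."""
        st = self._state(user)
        st.blocked_until = None
        st.failures.clear()


def run_scenarios() -> Dict[str, bool]:
    """Exercise the policy with constructed login events; every value should be True."""
    user = "alice@example.com"   # constructed sample account
    out: Dict[str, bool] = {}

    # 50 failures in 50 minutes, each from a different source: the 50th blocks the account
    b = AccountBlocker(AccountBlockingPolicy())
    statuses = [b.record_login(user, f"198.51.100.{i}", False, now=i * 60) for i in range(50)]
    out["blocked_on_50th_failure"] = statuses[48] == "failed" and statuses[49] == "blocked"
    out["blocked_account_email_sent"] = b.sent_emails == [(user, "Blocked Account", True)]
    out["correct_password_rejected_while_blocked"] = b.record_login(user, "198.51.100.1", True, now=86400 * 180) == "blocked"
    out["block_lifted_after_block_duration"] = b.record_login(user, "198.51.100.1", True, now=49 * 60 + 31540000) == "ok"

    # 49 failures, then one more after the window has passed: the old failures no longer count
    b = AccountBlocker(AccountBlockingPolicy())
    for i in range(49):
        b.record_login(user, "203.0.113.9", False, now=i * 10)
    out["old_failures_expire"] = b.record_login(user, "203.0.113.9", False, now=86400 + 500) == "failed"
    out["window_holds_one_failure"] = len(b.accounts[user].failures) == 1

    # Reset Attempts After Successful Login decides whether a success clears the counter
    for reset, key in ((True, "success_resets_counter"), (False, "success_keeps_counter")):
        b = AccountBlocker(AccountBlockingPolicy(reset_attempts_after_successful_login=reset))
        for i in range(49):
            b.record_login(user, "203.0.113.9", False, now=i)
        b.record_login(user, "203.0.113.9", True, now=100)
        out[key] = b.record_login(user, "203.0.113.9", False, now=101) == ("failed" if reset else "blocked")

    # An administrator can unblock before Block Duration elapses
    b = AccountBlocker(AccountBlockingPolicy())
    for i in range(50):
        b.record_login(user, "203.0.113.9", False, now=i)
    b.admin_unblock(user)
    out["admin_unblock_restores_access"] = b.record_login(user, "203.0.113.9", True, now=60) == "ok"
    return out


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name}: {'PASS' if ok else 'FAIL'}")
```

The point the simulation makes is the one the page makes: the counter belongs to the account, so spreading attempts over many IPs does not help an attacker, whereas the Duration window means a handful of genuine mistakes spread over weeks never adds up to a block. When evaluating real settings, note that a block rejects the correct password too, so a long Block Duration combined with a low Attempts value lets anyone who knows a username lock that user out; Allow User Unblock and the administrator unblock are what bound that denial-of-service risk.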

Blocked accounts can be unblocked at any time by administrators through the Management API or the dashboard.