It is common to block users after a number of failed login attempts. This behaviour also helps
to protect your users from slow brute-force attacks.
With today's technology and tools, it is easy to make multiple attempts from different IPs.
In this case, Brute-Force Protection alone is insufficient to protect your users' accounts.
While brute-force protection prevents attempts from a single source (IP), this policy counts failed attempts from all sources.
Send Notification
If this is enabled, your users will receive an email informing them that their account is blocked. The Blocked Account template is used for this email.
Allow User Unblock
If this is enabled, your users can unblock their accounts by resetting their passwords with the link received in the email.
Reset Attempts After Successful Login
If this is enabled, the failed login counter is reset when the user successfully logs in.
Attempts
The number of failed attempts after which the user account is blocked.
Duration
Attempts are counted over the specified number of seconds.
Block Duration
The number of seconds PlusAuth blocks the IP for the specified user.
For example, consider the following configuration:
Send Notification = true
Allow User Unblock = true
Attempts = 50
Duration = 86400 (1 day in seconds)
Block Duration = 31540000 (1 year in seconds)
If a user fails to log in to their account 50 times (Attempts) in a day (Duration), their account will be
blocked for 1 year (Block Duration), and they will receive the configured Blocked Account email.
Blocked accounts can be unblocked at any time by administrators through the Management API or the dashboard.
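
The counting behaviour described above, sketched as an added example (not PlusAuth's own code): failures are keyed by account rather than by IP, so attempts spread across many sources still reach the threshold. The class and function names, the sliding-window reading of Duration, and the sample IP addresses are assumptions made for illustration.

```python
from collections import defaultdict, deque


class AccountBlockPolicy:
    """Illustrative model of the settings above; not PlusAuth's implementation."""

    def __init__(self, attempts, duration, block_duration, reset_on_success=True):
        self.attempts = attempts              # "Attempts"
        self.duration = duration              # "Duration" (seconds)
        self.block_duration = block_duration  # "Block Duration" (seconds)
        self.reset_on_success = reset_on_success
        self.failures = defaultdict(deque)    # user -> timestamps of failed logins
        self.blocked_until = {}               # user -> time the block expires

    def is_blocked(self, user, now):
        return self.blocked_until.get(user, 0) > now

    def record_login(self, user, source_ip, success, now):
        """source_ip is not part of the key: failures from all sources count."""
        if self.is_blocked(user, now):
            return "blocked"
        window = self.failures[user]
        if success:
            if self.reset_on_success:
                window.clear()
            return "ok"
        window.append(now)
        # Drop failures older than the counting window (assumed to be sliding).
        while window and window[0] <= now - self.duration:
            window.popleft()
        if len(window) >= self.attempts:
            self.blocked_until[user] = now + self.block_duration
            window.clear()
            return "blocked"
        return "failed"

    def unblock(self, user):
        """Administrator action, or a user password reset (Allow User Unblock)."""
        self.blocked_until.pop(user, None)
        self.failures.pop(user, None)


def simulate_distributed_failures(policy, user, count, start=0, step=60):
    """Constructed input: one failed login every `step` seconds, each from a new IP."""
    result = None
    for i in range(count):
        source_ip = f"198.51.100.{i % 250 + 1}"  # documentation address range
        result = policy.record_login(user, source_ip, False, start + i * step)
    return result
```

With the example configuration (50 attempts, 86400 seconds, 31540000 seconds), the 50th failure inside the window blocks the account even though every attempt came from a different address.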