How to lock-out a user if they enter a wrong password too many times

Our security team would like to ensure that if an app user uses an incorrect password too many times then their account becomes locked for a period - or until an admin resolves.

Is there some way of counting invalid login attempts?

1 Like

Hi there, @james.puddicombe… I’m surprised this question hasn’t been asked before, but I couldn’t seem to find a similar topic (I easily could have missed something, though). I’m also guessing there might be a plugin that accomplishes this task, but I don’t really go the plugin route. All of that being said, I tested the following solution, and it seems to produce the desired result.

First, I added a login attempts field to the User data type. With that field in place, the solution is as simple as adding the following workflow steps to the login workflow…

So, when the user enters an incorrect password, the workflow adds 1 to their login attempts field. After a successful login, the workflow sets that field back to 0.

With this workflow in place, you now have counter (i.e., the login attempts field) that you can check and then do whatever you want to do when that field reaches a certain number.

Anyway, that’s what I’ve got, and I hope it helps.




1 Like

@mikeloc I was going to suggest the same thing! :blush::+1:

Seems like a good option.

As an addition to that, you can also set a field to ‘locked’ and then set a scheduled workflow to run after a certain amount of time to ‘unlock’ it.

Hope that helps! :blush:


For All Your No-Code Education Needs:

  • One-on-One Tutoring
  • eLearning Hub
  • Video Tutorials
  • No-Code Classes

Thank you Mike - that’s a really nice solution!

I’m using 2fa, and there is a restriction that doesn’t allow a task after the login step.

Screenshot 2020-10-25 at 23.45.10

So I’m thinking of following your process, but resetting the counter at the load of the 2fa page instead of just after the login. Not sure if bubble always goes to the 2fa page, or only goes there when the 2fa token has expired. Perhaps it needs to be reset on every secured page in the app, as part of checking if the user has logged in!

Any thoughts?

Best wishes,

My pleasure, James… happy to help.

Hmm, maybe reset the counter via the Page is loaded action on the page the user lands on when they log in successfully?

1 Like

This topic was automatically closed after 70 days. New replies are no longer allowed.