How to lock-out a user if they enter a wrong password too many times

james.puddicombe · 2020-10-23T07:25:41.262Z

Our security team would like to ensure that if an app user uses an incorrect password too many times then their account becomes locked for a period - or until an admin resolves.

Is there some way of counting invalid login attempts?

mikeloc · 2020-10-23T12:41:58.552Z

Hi there, @james.puddicombe… I’m surprised this question hasn’t been asked before, but I couldn’t seem to find a similar topic (I easily could have missed something, though). I’m also guessing there might be a plugin that accomplishes this task, but I don’t really go the plugin route. All of that being said, I tested the following solution, and it seems to produce the desired result.

First, I added a login attempts field to the User data type. With that field in place, the solution is as simple as adding the following workflow steps to the login workflow…

login1696×607 23.3 KB

login2683×517 17.1 KB

So, when the user enters an incorrect password, the workflow adds 1 to their login attempts field. After a successful login, the workflow sets that field back to 0.

With this workflow in place, you now have counter (i.e., the login attempts field) that you can check and then do whatever you want to do when that field reaches a certain number.

Anyway, that’s what I’ve got, and I hope it helps.

Best…
Mike

TipLister · 2020-10-23T13:11:41.064Z

elegant!

J805 · 2020-10-23T14:56:30.177Z

@mikeloc I was going to suggest the same thing!

Seems like a good option.

As an addition to that, you can also set a field to ‘locked’ and then set a scheduled workflow to run after a certain amount of time to ‘unlock’ it.

Hope that helps!

@j805 www.NoCodeMinute.com

For All Your No-Code Education Needs:

One-on-One Tutoring
eLearning Hub
Video Tutorials
No-Code Classes

james.puddicombe · 2020-10-25T23:50:00.965Z

Thank you Mike - that’s a really nice solution!

I’m using 2fa, and there is a restriction that doesn’t allow a task after the login step.

So I’m thinking of following your process, but resetting the counter at the load of the 2fa page instead of just after the login. Not sure if bubble always goes to the 2fa page, or only goes there when the 2fa token has expired. Perhaps it needs to be reset on every secured page in the app, as part of checking if the user has logged in!

Any thoughts?

Best wishes,
James

mikeloc · 2020-10-25T23:58:04.989Z

My pleasure, James… happy to help.

Hmm, maybe reset the counter via the Page is loaded action on the page the user lands on when they log in successfully?

system · 2021-01-01T07:25:43.993Z

This topic was automatically closed after 70 days. New replies are no longer allowed.