Account lockout is an authentication control that temporarily or conditionally blocks further sign-in attempts after repeated failures. In plain language, it stops a login system from accepting unlimited guesses against the same account.
Account lockout matters because brute-force and password-spraying activity depends on repetition. If the system never slows or interrupts failed attempts, attackers get many chances to guess weak or reused credentials.
It also matters because the control can create its own operational risk. A policy that is too weak does little to slow abuse, while a policy that is too aggressive locks out legitimate users and lets an attacker who knows a list of usernames deliberately lock real accounts, turning the control into a denial of service.
Account lockout appears in workforce identity platforms, customer login systems, VPN portals, administrator sign-in flows, and password reset protections. Security teams review it alongside Authentication, Multi-Factor Authentication, Conditional Access, and Rate Limiting.
It is also reviewed during incident response. Repeated failed attempts against a small number of users can indicate targeted guessing, while broad low-volume failures across many accounts can point to Password Spraying.
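The two patterns described above, a few accounts with many failures each versus many accounts with one or two failures each, can be separated with simple per-account and per-source counting. The following is an added example written for this page, not code from any particular identity platform; the log records are constructed, and the thresholds (8 failures for targeted guessing, 10 distinct accounts with at most 2 failures each for spraying) are illustrative assumptions that a real deployment would tune.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of failed sign-in events as (timestamp, username, source_ip).
# These are made-up records for illustration, not real log data.
FAILED_LOGINS = [
    # Targeted guessing: one source hammers one account within a few minutes.
    *[(datetime(2024, 5, 1, 9, 0, i), "admin", "203.0.113.5") for i in range(10)],
    # Password spray: one source tries one guess against many different accounts.
    *[(datetime(2024, 5, 1, 9, 10, i), f"user{i:02d}", "198.51.100.7") for i in range(12)],
    # Benign noise: a user mistypes twice from a normal address.
    (datetime(2024, 5, 1, 9, 20, 0), "alice", "192.0.2.10"),
    (datetime(2024, 5, 1, 9, 20, 15), "alice", "192.0.2.10"),
]


def classify_failures(events, window=timedelta(minutes=30),
                      targeted_threshold=8, spray_min_accounts=10,
                      spray_max_per_account=2):
    """Return accounts that look targeted and sources that look like spraying.

    Thresholds are assumed values for the example. A group only counts if all
    of its failures fall inside `window`, so slow background noise is ignored.
    """
    per_account = defaultdict(list)                  # username -> [timestamps]
    per_ip = defaultdict(lambda: defaultdict(int))   # ip -> username -> failures
    ip_times = defaultdict(list)                     # ip -> [timestamps]
    for ts, user, ip in events:
        per_account[user].append(ts)
        per_ip[ip][user] += 1
        ip_times[ip].append(ts)

    # Targeted guessing: many failures concentrated on one account.
    targeted = sorted(
        user for user, times in per_account.items()
        if len(times) >= targeted_threshold and max(times) - min(times) <= window
    )
    # Spraying: one source touching many accounts but staying under the
    # per-account lockout threshold on each of them.
    spraying = sorted(
        ip for ip, counts in per_ip.items()
        if len(counts) >= spray_min_accounts
        and max(counts.values()) <= spray_max_per_account
        and max(ip_times[ip]) - min(ip_times[ip]) <= window
    )
    return {"targeted_accounts": targeted, "spraying_sources": spraying}


if __name__ == "__main__":
    print(classify_failures(FAILED_LOGINS))
```

The spraying rule deliberately keys on the source rather than the account: a per-account lockout threshold of, say, five never fires when each account sees one failure, which is exactly why spraying is reviewed separately from lockout events.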
| Approach | What it does | Main tradeoff |
|---|---|---|
| Hard lockout | Blocks sign-in after a threshold of failures | Stronger interruption, but higher chance of user disruption |
| Progressive delay | Adds wait time after repeated failures | Lower help-desk impact, but may slow attackers less |
| Risk-based challenge | Requires extra proof for suspicious attempts | More adaptive, but depends on reliable risk signals |
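The hard-lockout and progressive-delay rows above differ mainly in what happens on the next attempt after a failure. The following is an added example written for this page, not code from any identity product, that implements both behaviours behind one tracker; the policy defaults (5 failures, 15-minute observation window, 15-minute auto-unlock, doubling delay from a 1-second base) are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass
class LockoutPolicy:
    threshold: int = 5                                      # failures that trigger a hard lock
    observation_window: timedelta = timedelta(minutes=15)   # failures older than this stop counting
    lockout_duration: timedelta = timedelta(minutes=15)     # auto-unlock bounds how long an attacker can keep a victim locked out
    progressive_base: Optional[timedelta] = None            # if set, use a doubling delay instead of a hard lock


@dataclass
class AccountState:
    failures: List[datetime] = field(default_factory=list)
    locked_until: Optional[datetime] = None
    delay_until: Optional[datetime] = None


class LockoutTracker:
    """Failure tracking keyed by account name (assumed design for this example).

    Because the key is the account and not the source address, anyone who knows
    a username can trip the lock; the auto-unlock in the policy limits that damage.
    """

    def __init__(self, policy: LockoutPolicy):
        self.policy = policy
        self.state: Dict[str, AccountState] = {}

    def attempt(self, user: str, credentials_valid: bool, now: datetime) -> str:
        st = self.state.setdefault(user, AccountState())
        # Refuse before the credential is evaluated, so a locked or delayed account
        # gives the same answer for a right and a wrong password (no oracle).
        if st.locked_until is not None and now < st.locked_until:
            return "locked"
        if st.delay_until is not None and now < st.delay_until:
            return "delayed"
        # Forget failures that fell out of the observation window.
        st.failures = [t for t in st.failures if now - t <= self.policy.observation_window]
        if credentials_valid:
            st.failures.clear()
            st.locked_until = st.delay_until = None
            return "allowed"
        st.failures.append(now)
        n = len(st.failures)
        if self.policy.progressive_base is not None:
            # Progressive delay: wait 1x, 2x, 4x ... the base after each consecutive failure.
            st.delay_until = now + self.policy.progressive_base * (2 ** (n - 1))
        elif n >= self.policy.threshold:
            st.locked_until = now + self.policy.lockout_duration
        return "denied"


def hard_lockout_demo() -> List[str]:
    t0 = datetime(2024, 5, 1, 9, 0, 0)
    tracker = LockoutTracker(LockoutPolicy(threshold=5))
    decisions = [tracker.attempt("alice", False, t0 + timedelta(seconds=i)) for i in range(5)]
    decisions.append(tracker.attempt("alice", True, t0 + timedelta(seconds=5)))    # right password, still locked
    decisions.append(tracker.attempt("alice", True, t0 + timedelta(minutes=16)))   # lock expired, counter aged out
    return decisions


def progressive_delay_demo() -> List[str]:
    t0 = datetime(2024, 5, 1, 9, 0, 0)
    tracker = LockoutTracker(LockoutPolicy(progressive_base=timedelta(seconds=1)))
    return [
        tracker.attempt("bob", False, t0),                               # denied, must wait 1 s
        tracker.attempt("bob", True, t0 + timedelta(milliseconds=500)),  # delayed: password not even checked
        tracker.attempt("bob", False, t0 + timedelta(seconds=1)),        # denied, must wait 2 s
        tracker.attempt("bob", True, t0 + timedelta(seconds=2)),         # delayed
        tracker.attempt("bob", True, t0 + timedelta(seconds=3)),         # allowed
    ]


if __name__ == "__main__":
    print(hard_lockout_demo())
    print(progressive_delay_demo())
```

Two details carry the security weight here. The decision is made before the password is checked, so a correct guess against a locked account looks identical to a wrong one. And the hard lock always expires: a lock without an end time turns the availability risk from the tradeoff column into a permanent outage that an attacker can cause at will.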
An employee mistypes a password several times from a new device. The identity platform pauses further attempts and requires a stronger verification step before the account can continue signing in. The pause reduces guessing risk without leaving the account permanently unavailable.
Account lockout is not the same as Multi-Factor Authentication. MFA strengthens identity proof, while lockout controls repeated failure patterns.
It is also different from Rate Limiting. Rate limiting caps request volume for a source, endpoint, or time window regardless of which account is targeted, while account lockout ties its response to the failure history of a specific identity or login flow.
It is a mistake to assume harsher settings are always better. A badly tuned lockout policy can become an availability problem instead of a useful security control.