We have set some values for these system properties under Settings:

- Maximum authentication attempts before locking user = 2

- Failed login attempts checking period (minutes) = 10

However, they don't seem to work. Even if we input an incorrect password 3 times within 10 minutes, the user does not get locked out.


IDP is enabled and the above behavior is controlled by its settings:

Identity Service > Brute-force Protection > 

- Period for failed login tracking (minutes)

- User lockout threshold (attempts)

- User lockout period (minutes) 


You may find more information about it in our documentation:


Note: Even if a user is locked, you might still be getting an "Invalid username or password." error.

Quote from :

This message is the same error message as the message displayed for an invalid username or invalid password to ensure the attacker is unaware the account is disabled. 

Brute-force protection can be considered not working only if a user can still successfully log in to CP after 10 unsuccessful attempts made within a 10-minute period (provided your settings are as in the above example).


Make sure that IDP settings satisfy your requirements.

Make sure you understand the definition of "locked", see Note above.
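The behavior described above can be modeled in a few lines. This is an added example, not the product's own code: the class and function names, the sliding-window semantics, the reset on success and the 30-minute lockout value are assumptions made for illustration.

```python
from collections import defaultdict, deque

GENERIC_ERROR = "Invalid username or password."  # same text for bad password and locked user


class BruteForceGuard:
    """Simplified model of the three Brute-force Protection settings (assumed semantics)."""

    def __init__(self, tracking_minutes, threshold, lockout_minutes):
        self.window_s = tracking_minutes * 60
        self.threshold = threshold
        self.lockout_s = lockout_minutes * 60
        self.failures = defaultdict(deque)  # user -> timestamps of recent failed logins
        self.locked_until = {}              # user -> time (s) at which the lock expires

    def login(self, user, password_ok, now):
        """Return (success, message); `now` is in seconds and is passed in for testability."""
        if self.locked_until.get(user, 0) > now:
            # Locked: even the correct password is refused, with the generic message.
            return False, GENERIC_ERROR
        if password_ok:
            self.failures.pop(user, None)   # assumption: a success clears the counter
            return True, "OK"
        recent = self.failures[user]
        recent.append(now)
        # Forget failures that fell outside the tracking period.
        while recent and recent[0] <= now - self.window_s:
            recent.popleft()
        if len(recent) >= self.threshold:
            self.locked_until[user] = now + self.lockout_s
            recent.clear()
        return False, GENERIC_ERROR


def lockout_enforced(guard, user, attempts, spacing_s):
    """Make `attempts` bad logins `spacing_s` apart, then try the correct password.

    True means the correct password was refused, i.e. the protection works.
    """
    now = 0
    for _ in range(attempts):
        guard.login(user, False, now)
        now += spacing_s
    success, message = guard.login(user, True, now)
    return not success and message == GENERIC_ERROR
```

The only reliable signal that a lock is in place is that the correct password is refused; the error text alone cannot distinguish a locked account from a wrong password.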