Changing password after lockout doesn't reset failed attempts count



  • We're implementing a mechanism to lock a user out with a user action after a number of failed login attempts. We want this lockout to persist until the user changes their password.

    What we find is that if we create and then delete the lockout action and then the user tries to log in again, the account is locked after a single failed login attempt. We're expecting that after the lockout action is removed, the user has another number of failed login attempts to go through before a lockout again.

    It would seem like this is a bug, but we can probably work around the issue if there is an API that could be called which would reset the user's failed login count.

    Thanks



  • @travis-milum

    Thanks for the feedback. Let me review and report back.

    Thanks,
    Josh



  • https://github.com/FusionAuth/fusionauth-issues/issues/1394 - logged for feature tracking. Feel free to add your own comments or observations as you see fit.

