Lock out users after multiple wrong passwords

Currently our apps are vulnerable to brute force attacks on passwords since an unlimited number of login attempts are allowed. This goes against best practices established in ISO 270001, FFIEC (banking) and NIST guidelines. This would be particularly important if eCommerce features are added.

It would be great if we could limit the number of attempts and then allow users to reset their passwords. Bonus points if the password reset can be via email or SMS. Double bonus if the number of attempts can be set based on a value in a table.


We're excited to announce that this feature, Failed Logins, is now available for Pro, Corporate and Plus plans!

You can read about the options for Failed Logins and how to set up this feature in our "Live App Security Settings: Failed Logins" article.

This doesn't seem to be live, correct? Is it still planned? Seems like a useful feature.

Any news on this one, Brandon?

Soon -- development is complete, just finalizing testing now.

Hi Brandon,

Any idea on the timeline for this?

As an alternative, does anybody have any feedback on embedding an app on a webpage without app-based user logins, and using the webpage to control the logins to the page with the embedded app (i.e., WordPress, etc.)?

In the works!

This is needed because many apps contain personal information like addresses and phone numbers as well. It is a safety issue. I think it would be fine if Knack just set all password logins to three attempts max. I do not need to set the number of attempts.