Allow a user to unlock their account from failed login attempts if they go through the forgot password process
Problem
Currently, when a user is locked out due to typing their password incorrectly multiple times, that lock is not removed if they go through the "forgot password" process and reset their password.
Solution
It would be nice if, either as an option or as a default, it were possible to unlock the user's failed login attempts upon successfully resetting their password.
Alternatives/workarounds
The current workaround is to use our API to first find the user information after they reset their password, look at that user's actions, see if they have a "failed attempts" action blocking them, and then delete that action.
Related
- https://github.com/FusionAuth/fusionauth-issues/issues/1394
How to vote
Please give us a thumbs up or thumbs down as a reaction to help us prioritize this feature. Feel free to comment if you have a particular need or comment on how this feature should work.
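The workaround described in the issue (find the user's actions, pick the "failed attempts" one, delete it), written out as an added example that is not FusionAuth's code or the issue author's. It assumes FusionAuth's `GET /api/user/action?userId=...` and `DELETE /api/user/action/<id>` endpoints, that each returned log entry carries `userActionId` and an `expiry` in epoch milliseconds, and that the caller knows the id of the action the tenant uses for failed-authentication lockouts; the sample response is constructed. Only the lockout action is cancelled, so an admin lock (the concern raised later in the thread) is left in place.

```python
import json
import urllib.request

# Assumptions, not taken from the issue: FusionAuth exposes
#   GET    /api/user/action?userId=<userId>   -> {"actions": [UserActionLog, ...]}
#   DELETE /api/user/action/<logId>           -> cancels that log entry
# and each log entry has "userActionId" (the action definition it was raised
# from) and "expiry" in epoch milliseconds (None when it never expires).

def lockout_log_ids(actions, lockout_action_id, now_ms):
    """Return ids of still-active log entries raised from the lockout action.

    Other login-blocking actions (e.g. an admin lock) are deliberately kept:
    a self-service password reset should never clear those."""
    keep = []
    for entry in actions:
        if entry.get("userActionId") != lockout_action_id:
            continue
        expiry = entry.get("expiry")
        if expiry is not None and expiry <= now_ms:
            continue  # already expired; it no longer blocks login
        keep.append(entry["id"])
    return keep

def cancel_lockouts(base_url, api_key, user_id, lockout_action_id, now_ms):
    """Fetch a user's actions and cancel only the active lockout entries.
    Call this only after the password reset has actually succeeded."""
    headers = {"Authorization": api_key}
    req = urllib.request.Request(f"{base_url}/api/user/action?userId={user_id}", headers=headers)
    with urllib.request.urlopen(req) as resp:
        actions = json.load(resp).get("actions", [])
    cancelled = []
    for log_id in lockout_log_ids(actions, lockout_action_id, now_ms):
        req = urllib.request.Request(f"{base_url}/api/user/action/{log_id}",
                                     headers=headers, method="DELETE")
        with urllib.request.urlopen(req):
            cancelled.append(log_id)
    return cancelled

# Constructed sample of a GET response: one active lockout, one expired
# lockout, and an admin lock that must survive the cleanup.
SAMPLE_ACTIONS = [
    {"id": "log-1", "userActionId": "lockout-action", "expiry": 2_000_000, "name": "Failed attempts"},
    {"id": "log-2", "userActionId": "lockout-action", "expiry": 1_000, "name": "Failed attempts"},
    {"id": "log-3", "userActionId": "admin-lock-action", "expiry": None, "name": "Admin lock"},
]

if __name__ == "__main__":
    print(lockout_log_ids(SAMPLE_ACTIONS, "lockout-action", now_ms=1_500_000))  # ['log-1']
```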
Thanks for the request @colingm!
Can a Google SSO user inadvertently lock account by making repeated attempts using the FusionAuth login fields? What then is the self-help fix? Set a password on the account that should be using SSO? Or should successful login via SSO clear the lock?
Are there multiple types of account locking? The UI seems to support admin locking of an account (useful). The retry lockout seems to be newly supported in the API but not in the UI so I'm not sure if there is a visual indicator / control for retry lockout. Of course an admin lock shouldn't be reset by user doing a password reset.
This functionality would be very useful as it takes away the manual work from our sys admins having to "unlock" a user's account. We currently have this functionality with Auth0 where if a user's account gets locked after triggering the brute-force password attempts. The user then receives an email where they can recover their account and reset their password. This functionality would be nice, but it would be sufficient if the user followed the "Forgot password" workflow and once they receive the email sent from FusionAuth and reset their password, the User Action would be deleted and their account would be "unlocked".
Internal
- https://github.com/FusionAuth/fusionauth-app/pull/158
Internal:
- https://github.com/FusionAuth/fusionauth-site/pull/2008