Lock out a user account after several failed login attempts in ASP.NET Identity

Introduction


To lock out a user account in ASP.NET Identity after several failed login attempts, we use the shouldLockout parameter.

shouldLockout


The shouldLockout parameter indicates whether the user account should be locked out if the sign-in operation fails.

Usage


All you have to do is set shouldLockout to true in the call to the PasswordSignIn method:

var result = SignInManager.PasswordSignIn(model.Email, model.Password, model.RememberMe, shouldLockout: true);

This enables login failures to trigger account lockout. By default, ASP.NET Identity locks out a user for 5 minutes after 5 failed login attempts. To change this default behaviour, go to App_Start > IdentityConfig.cs and adjust the configuration to your requirements.

// Configure user lockout defaults
manager.UserLockoutEnabledByDefault = true;
manager.DefaultAccountLockoutTimeSpan = TimeSpan.FromMinutes(5); // lockout timespan
manager.MaxFailedAccessAttemptsBeforeLockout = 5; // number of failed login attempts before lockout

The number of current failed login attempts performed by a user is stored in the AccessFailedCount property.

Figure: user properties in ASP.NET Identity

Note: Once the count reaches the value defined in the MaxFailedAccessAttemptsBeforeLockout property, the value of the AccessFailedCount property is automatically reset to 0.
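
Setting shouldLockout only has an effect if the login action also handles the locked-out result. The following is an added example, not code from the original article: a login action that reacts to each SignInStatus value and logs lockouts so repeated guessing is visible in monitoring. ApplicationSignInManager, ApplicationUserManager, LoginViewModel, the "Lockout" view and the SendCode and Home/Index actions are assumed to exist as in the MVC 5 project template.

```csharp
using System.Diagnostics;
using System.Threading.Tasks;
using System.Web;
using System.Web.Mvc;
using Microsoft.AspNet.Identity.Owin;

// Assumed from the MVC 5 template: ApplicationSignInManager,
// ApplicationUserManager, LoginViewModel, the "Lockout" view, SendCode.
public class AccountController : Controller
{
    private ApplicationSignInManager SignInManager =>
        HttpContext.GetOwinContext().Get<ApplicationSignInManager>();
    private ApplicationUserManager UserManager =>
        HttpContext.GetOwinContext().GetUserManager<ApplicationUserManager>();

    [HttpPost, AllowAnonymous, ValidateAntiForgeryToken]
    public async Task<ActionResult> Login(LoginViewModel model)
    {
        if (!ModelState.IsValid) return View(model);

        // shouldLockout: true makes each failed password count toward lockout.
        var result = await SignInManager.PasswordSignInAsync(
            model.Email, model.Password, model.RememberMe, shouldLockout: true);

        switch (result)
        {
            case SignInStatus.Success:
                return RedirectToAction("Index", "Home");

            case SignInStatus.LockedOut:
                // Log the lockout and its end time for monitoring and alerting.
                var user = await UserManager.FindByNameAsync(model.Email);
                if (user != null)
                {
                    var until = await UserManager.GetLockoutEndDateAsync(user.Id);
                    Trace.TraceWarning("Account {0} locked out until {1:u}", user.Id, until);
                }
                return View("Lockout");

            case SignInStatus.RequiresVerification: // two-factor step
                return RedirectToAction("SendCode", new { RememberMe = model.RememberMe });

            default: // SignInStatus.Failure: same message for any bad credential
                ModelState.AddModelError("", "Invalid login attempt.");
                return View(model);
        }
    }
}
```

A dedicated lockout view tells the caller that the account exists; if that matters for your application, return the same generic failure message in the LockedOut case.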