Introduction
To lock out a user account in ASP.NET Identity after several failed login attempts, we use the shouldLockout parameter.
shouldLockout
The shouldLockout parameter indicates whether the user account should be locked if the sign-in operation fails.
Usage
All you have to do is set the shouldLockout parameter to true when calling the sign-in method:
var result = SignInManager.PasswordSignIn(model.Email, model.Password, model.RememberMe, shouldLockout: true);
This enables login failures to trigger account lockout. By default, ASP.NET Identity is configured to lock out a user for 5 minutes after 5 failed login attempts. To change this default behaviour, go to App_Start > IdentityConfig.cs and adjust the configuration to suit your requirements.
// Configure user lockout defaults
manager.UserLockoutEnabledByDefault = true;
manager.DefaultAccountLockoutTimeSpan = TimeSpan.FromMinutes(5); // lockout timespan
manager.MaxFailedAccessAttemptsBeforeLockout = 5; // number of failed login attempts before lockout
The number of current failed login attempts performed by a user is stored in the AccessFailedCount property.
Note: After reaching the value defined in the MaxFailedAccessAttemptsBeforeLockout property, the value of the AccessFailedCount property is automatically reset to 0.
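The counter behaviour described above, as an added stand-alone model (not ASP.NET Identity's own code and not from the original page). User, LockoutModel and TrySignIn are hypothetical names, the plaintext password comparison stands in for hash verification, and clearing the counter on a successful sign-in is an assumption.

```csharp
using System;

// Simplified model of the lockout bookkeeping; all type and method names are hypothetical.
enum Status { Success, Failure, LockedOut }

class User
{
    public string Password = "correct-horse";   // constructed sample value
    public int AccessFailedCount;
    public DateTimeOffset? LockoutEnd;
}

class LockoutModel
{
    public int MaxFailedAccessAttemptsBeforeLockout = 5;
    public TimeSpan DefaultAccountLockoutTimeSpan = TimeSpan.FromMinutes(5);

    public Status TrySignIn(User u, string password, bool shouldLockout, DateTimeOffset now)
    {
        // A locked account is rejected before the password is even checked.
        if (u.LockoutEnd.HasValue && u.LockoutEnd.Value > now) return Status.LockedOut;
        // Stand-in for password hash verification (assumption: success clears the counter).
        if (password == u.Password) { u.AccessFailedCount = 0; return Status.Success; }

        if (shouldLockout && ++u.AccessFailedCount >= MaxFailedAccessAttemptsBeforeLockout)
        {
            u.LockoutEnd = now + DefaultAccountLockoutTimeSpan; // start the lockout window
            u.AccessFailedCount = 0;                            // counter resets, as in the note
            return Status.LockedOut;
        }
        return Status.Failure;
    }
}

static class Program
{
    static void Main()
    {
        var model = new LockoutModel();
        var user = new User();
        var now = DateTimeOffset.UtcNow;
        for (int i = 1; i <= 5; i++)
            Console.WriteLine($"attempt {i}: {model.TrySignIn(user, "wrong", true, now)}, count={user.AccessFailedCount}");
        // The correct password is tried once inside the lockout window and once after it.
        Console.WriteLine(model.TrySignIn(user, "correct-horse", true, now.AddMinutes(1)));
        Console.WriteLine(model.TrySignIn(user, "correct-horse", true, now.AddMinutes(6)));
    }
}
```

Because the counter returns to 0 at the moment of lockout, AccessFailedCount alone does not show that an account is locked; the lockout end time is the value to check.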