# ory-network
j
Hello, we're just going through some security certification work and one of the things the certification requires is various protections against brute force attempts. I can see in the docs a reference to brute force protection for Login and Registration, and I can confirm that it is working; what I can't find is a reference to what the rate-limiting period is for those endpoints. Is this provided anywhere, and is this configurable at all?
s
We have the general rate-limits documented here: https://www.ory.sh/docs/guides/rate-limits
What exactly do you need for the certification process?
j
This is for Cyber Essentials certification with the UK's NCSC, https://www.ncsc.gov.uk/files/Cyber-Essentials-Requirements-for-Infrastructure-v3-1-January-2023.pdf. Details are on the 13th page of that doc (it's numbered as 12 on the page). Effectively, what we're looking to cover is for non-MFA secured accounts (as we don't want to enforce MFA for our customers, we want them to opt-in for now): a requirement is on throttling the rate of login attempts. For a single email address the rate limit guidance is 10 unsuccessful attempts in 5 minutes. I don't think this is covered in detail on the Project Rate Limits page.
s
Exactly, we do not have such specific rate-limits on a user basis yet.
It also has negative side-effects, as an attacker could quite easily abuse this to do (targeted) denial-of-service.
Would you be interested in commercial discussions around an implementation of such specific rate-limiting for you?