<@U04UQ68083H> Does ORY automatically lock account...
# ory-copilot
@chilly-king-10285 Does ORY automatically lock accounts after a certain number of failed login attempts?
A message from kapa.ai
Based on the provided knowledge sources, Ory Network does implement measures to protect against brute-force attacks, but it doesn't specifically mention automatic account locking after a certain number of failed login attempts. Here's what we know:

1. Ory Network provides protection against brute-force attacks by rate limiting requests to public API endpoints, including login endpoints [Ory Kratos Security](https://www.ory.sh/docs/kratos/concepts/security#defenses-against-brute-force-attacks).
2. For users of Ory Network, these defenses are provided as part of the platform's security infrastructure. However, for self-hosted instances of Ory Kratos Identity Server, it's the responsibility of the administrator to implement and manage rate limiting or other security measures [Ory Kratos Security](https://www.ory.sh/docs/kratos/concepts/security#defenses-against-brute-force-attacks).
3. Ory Network also uses Cloudflare Web Application Firewall (WAF) and Cloudflare Bot Management services to detect bots and throttle suspicious IPs, which helps defend against automated threats without impacting the user experience [Ory Kratos Security](https://www.ory.sh/docs/kratos/concepts/security#defenses-against-bots-and-automated-attacks).

While these measures provide protection against brute-force attacks, the documentation doesn't explicitly mention automatic account locking after a specific number of failed attempts. The approach seems to focus more on rate limiting and bot detection rather than account locking. If you need more specific information about account locking policies, you may want to reach out to [Ory Support](https://www.ory.sh/support/) for clarification.