# ory-network
Hi Ory team, I was wondering if future releases of your solutions will include a feature to handle incorrect password attempts. For instance, temporarily blocking further attempts after several failed ones, with a cooldown period before retrying. Thank you in advance for your response!
Hello @orange-bird-36704, is this question related to a problem that you want to solve? For commercial use cases, Ory offers several solutions that solve this. Ory Network, for example, uses Cloudflare to solve this issue! In any case, see this comment on GitHub: https://github.com/ory/kratos/issues/3037#issuecomment-2659992497
… what most of you want needs to be solved in a WAF such as Cloudflare or Akamai to be scalable, reliable and so on.
I think the original ask (locking an account and/or throttling an account's login attempts) could be solved in Ory Kratos, but making it scalable and concurrency safe (not vulnerable to race conditions/concurrency) has proven really challenging in practice in Ory Network.
In the end most of you will end up with custom WAF rules that constantly evolve as your attackers get more sophisticated. Cramming this logic into Kratos will increase the project's complexity while solving a problem that's really outside of this project's domain.
There's a PR/issue to add a failed login webhook which I think could be what you all want here - you could implement any logic (e.g. disabling the account) in the webhook handler. I think that can address the account lockout mentioned in the OP. For login rate limiting the implementation with the webhook will be a bit more complex but overall possible IMO.
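To illustrate the webhook-handler approach from the quoted comment, here is an added example (not Ory's code and not from the linked PR) of the lockout-with-cooldown logic the OP asked for: a sliding-window failure counter per identity, updated under a lock so that concurrent webhook deliveries cannot race past the threshold. The event shape (`identity_id`, `ip`) and the names `LockoutPolicy`, `FailedLoginTracker` and `handle_failed_login` are assumptions for this example.

```python
import threading
from collections import deque
from dataclasses import dataclass

@dataclass(frozen=True)
class LockoutPolicy:
    max_failures: int = 5            # failures tolerated inside the window
    window_seconds: float = 300.0    # sliding window for counting failures
    cooldown_seconds: float = 900.0  # how long the identity stays locked

class FailedLoginTracker:
    """Per-identity failure counter with a cooldown lockout. Every
    check-and-update runs under one lock, so two webhook deliveries arriving
    together cannot both see 'below threshold' and both skip the lock."""

    def __init__(self, policy: LockoutPolicy = LockoutPolicy()):
        self.policy = policy
        self._lock = threading.Lock()
        self._failures: dict = {}      # identity_id -> deque of failure times
        self._locked_until: dict = {}  # identity_id -> unix time lock expires

    def locked_until(self, identity_id: str, now: float):
        with self._lock:
            until = self._locked_until.get(identity_id)
            if until is not None and until > now:
                return until  # still inside the cooldown
            self._locked_until.pop(identity_id, None)  # cooldown has elapsed
            return None

    def record_failure(self, identity_id: str, now: float) -> tuple:
        """Record one failure; return (locked_now, failures_in_window)."""
        with self._lock:
            q = self._failures.setdefault(identity_id, deque())
            q.append(now)
            while q[0] <= now - self.policy.window_seconds:  # drop stale entries
                q.popleft()
            if len(q) >= self.policy.max_failures:
                self._locked_until[identity_id] = now + self.policy.cooldown_seconds
                q.clear()  # the cooldown, not the counter, now gates retries
                return True, self.policy.max_failures
            return False, len(q)

# Constructed event shape for the hypothetical failed-login webhook (Kratos'
# real payload may differ): {"identity_id": "id-1", "ip": "198.51.100.7"}
def handle_failed_login(event: dict, tracker: FailedLoginTracker, now: float) -> dict:
    """Webhook handler body: turn a failed-login event into a lock decision."""
    locked, count = tracker.record_failure(event["identity_id"], now)
    if locked:
        return {"action": "lock", "retry_after": tracker.policy.cooldown_seconds}
    return {"action": "allow", "failures": count}
```

The in-process dict and lock only work for a single handler instance; with several replicas the state has to live in a shared store that offers an atomic check-and-set, which is exactly the scalability and concurrency difficulty the quoted comment points at.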