Account lockout is a control that temporarily or conditionally blocks further sign-in attempts after repeated failed authentication attempts.
In plain language, it slows or stops repeated guessing by refusing to keep accepting endless login tries.
Account lockout matters because many attacks rely on repetition. If a system allows unlimited failed sign-ins without consequence, password guessing and abuse become easier.
It also matters because the control must be tuned carefully. A policy that is too lenient fails to slow attackers, while one that is too aggressive disrupts legitimate users or can itself be turned into a denial of service against the accounts it is meant to protect.
Account lockout appears in login systems, Identity Provider policy, privileged access controls, and Conditional Access programs. Teams connect it to Authentication, Multi-Factor Authentication, Rate Limiting, and Phishing-Resistant Authentication.
It is one of the simpler controls that still needs operational judgment to work well.
A user account is temporarily blocked from further login attempts after multiple failed sign-ins from an unfamiliar source. The security team reviews whether the failures look like ordinary mistyped passwords or suspicious repeated guessing.
Account lockout is not the same as Multi-Factor Authentication. MFA adds stronger identity proof, while lockout helps control repeated failure patterns.
It is also related to Rate Limiting, but account lockout is specifically focused on authentication attempts and account state rather than general request volume.
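The following is an added example, not part of the original text, showing how the control described above can be implemented: failures are counted per account inside a time window, the lock is temporary and expires on its own (which limits the denial-of-service concern), a successful sign-in clears the history, and a small triage heuristic separates slow typos from bursts or multi-source guessing. The thresholds, the heuristic and the function names are assumptions chosen for illustration, not any vendor's defaults.

```python
from collections import deque

# Illustrative thresholds (assumptions, not any vendor's defaults).
FAILURE_THRESHOLD = 5       # failed sign-ins inside the window before locking
FAILURE_WINDOW_S = 15 * 60  # failures older than this no longer count
LOCK_DURATION_S = 15 * 60   # lock expires on its own; no administrator reset needed
BURST_SPAN_S = 60           # threshold failures this close together look automated


class LockoutTracker:
    """Tracks failed authentication per account and applies a temporary lock.

    State is keyed by account, which is what separates lockout from generic
    rate limiting (keyed by request volume per client or endpoint).
    """

    def __init__(self) -> None:
        self.failures: dict[str, deque] = {}      # account -> deque of (timestamp, source)
        self.locked_until: dict[str, float] = {}  # account -> lock expiry time

    def is_locked(self, user: str, now: float) -> bool:
        return self.locked_until.get(user, 0.0) > now

    def attempt(self, user: str, source: str, password_ok: bool, now: float) -> str:
        """Evaluate one sign-in and return 'locked', 'allowed', 'denied' or 'now_locked'."""
        if self.is_locked(user, now):
            return "locked"                   # refuse without even checking the credential
        if password_ok:
            self.failures.pop(user, None)     # success clears the failure history
            return "allowed"
        recent = self.failures.setdefault(user, deque())
        recent.append((now, source))
        # Forget failures outside the window so occasional typos never accumulate.
        while recent and now - recent[0][0] > FAILURE_WINDOW_S:
            recent.popleft()
        if len(recent) >= FAILURE_THRESHOLD:
            self.locked_until[user] = now + LOCK_DURATION_S
            return "now_locked"
        return "denied"

    def looks_like_guessing(self, user: str) -> bool:
        """Triage heuristic (an assumption): failures from more than one source, or a
        threshold-sized burst within BURST_SPAN_S, warrant an analyst's review; a few
        slow failures from one place are more likely a mistyped password."""
        recent = self.failures.get(user, deque())
        if len(recent) < 2:
            return False
        sources = {src for _, src in recent}
        span = recent[-1][0] - recent[0][0]
        return len(sources) > 1 or (len(recent) >= FAILURE_THRESHOLD and span <= BURST_SPAN_S)
```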