--- title: Configuring account lockout protection description: Use PingFederate's functionality to customize your account lockout protection settings. component: pingfederate version: 13.1 page_id: pingfederate:administrators_reference_guide:pf_config_account_lockout_protect canonical_url: https://docs.pingidentity.com/pingfederate/13.1/administrators_reference_guide/pf_config_account_lockout_protect.html llms_txt: https://docs.pingidentity.com/pingfederate/llms.txt docs_for_agents: https://developer.pingidentity.com/build-with-ai/docs-for-agents.md revdate: July 5, 2022 section_ids: steps: Steps related-links: Related links --- # Configuring account lockout protection Use PingFederate's functionality to customize your account lockout protection settings. ## Steps 1. Edit the `com.pingidentity.common.security.AccountLockingService.xml` file, located in the `/pingfederate/server/default/data/config-store` directory. The following table provides more information about properties in the `com.pingidentity.common.security.AccountLockingService.xml` file. | Property | Description | | ---------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | MaxConsecutiveFailures | The maximum number of failed attempts before a user is locked out for a time period.The default value is `3`. The per-instance setting in the HTML Form Adapter and the Username Token Processor overrides this property. | | LockoutPeriod | The amount of time in minutes that a user is locked out when the `MaxConsecutiveFailures` threshold is reached.The default value is `1` minute. | | `UseIPForLockout` | Whether lockout decisions consider the user's IP address.`true` uses a combination of username and IP address to determine whether to lock a user account.`false` uses only the username to determine whether to lock a user account. Requests with the same usernames from different IP addresses are considered together.The default value is `true`. Disabling this parameter can prevent malicious actors from bypassing lockouts by masking their IP address, but can also make it easier for malicious actors to intentionally lock an account. | If you have a PingFederate clustered environment, edit this file on the console node. 2. Save the change. 3. Restart PingFederate. 4. If you have a PingFederate clustered environment, click **Replicate Configuration** in **System > Server > Cluster Management**. ## Related links * [Configuring an HTML Form Adapter instance](pf_config_html_form_adapt_instance.html) * [Configuring a Username Token Processor instance](pf_config_username_token_processor_instance.html)