---
title: Lockout Policy
description: This page explains how the lockout policy works, the implications for users, and how it is configured.
component: recognize
page_id: recognize:mobile-sdk:mobile-sdk-lockout-policy
canonical_url: https://docs.pingidentity.com/recognize/mobile-sdk/mobile-sdk-lockout-policy.html
llms_txt: https://docs.pingidentity.com/recognize/llms.txt
docs_for_agents: https://developer.pingidentity.com/build-with-ai/docs-for-agents.md
revdate: April 20, 2026
section_ids:
  v5-0-0-and-above: v5.0.0 and Above
  v4-8-2-and-below: v4.8.2 and Below
  lockout-options-and-defaults: Lockout Options and Defaults
  how-it-works: How It Works
  when-the-lockout-policy-applies: When the Lockout Policy Applies
  if-a-user-is-locked-out: If a User Is Locked Out
---

# Lockout Policy

## v5.0.0 and Above

From SDK version 5.0.0 onward, the lockout policy is configured on the server side and errors count towards the policy regardless of whether they occur on the client or server side.

If you have questions or want to request policy changes, contact the PingOne Recognize team.

## v4.8.2 and Below

PingOne Recognize has both client-side (a specific device) and server-side (all devices for a user) lockout policies to help prevent brute-force attacks.

Client-side lockout is configurable in the SDK and determines how many failed login attempts (`lockoutAttemptsThreshold`) are allowed over a set time period (`lockoutAttemptsResetAfter`) before the user is locked out for `lockoutDuration` on that device.

`lockoutDuration` must be greater than or equal to `lockoutAttemptsResetAfter`, so that the attempt-count reset timer does not clear the lockout before it expires.

```text
lockoutDuration: Long,                // seconds - default 300
lockoutAttemptsResetAfter: Long,      // seconds - default 180
lockoutAttemptsThreshold: Int         // number  - default 5
```

Server-side lockout works similarly, except it applies to all authentication devices for a specific user and is configured to lock a user out for 10 minutes after 5 failed attempts. A successful login resets the failed-attempt count to zero.

## Lockout Options and Defaults

When a user exceeds a maximum number of failed attempts within a specified time window, they are locked out for the defined suspension period. This behavior is controlled by three settings:

| Lockout configuration | Description                                                                                                              | Defaults (SaaS customers) |
| --------------------- | ------------------------------------------------------------------------------------------------------------------------ | ------------------------- |
| Max failed attempts   | How many failed authentications a user is allowed before being locked out for the defined suspension period.             | 5                         |
| Time window           | The period in which failed authentication attempts are counted. Any successful authentication resets this count to zero. | 600 (10 minutes)          |
| Suspension period     | How long the account is suspended when max failed attempts are exceeded during the time window (in seconds).             | 600 (10 minutes)          |

## How It Works

* The policy is applied per PingOne Recognize instance, **per PingOne Recognize ID** (single user).

* If you use component interoperability (users authenticating on both Web and Mobile), errors and lockouts apply to both Web and Mobile.

* Failed authentications are counted across the configured time window. Any successful authentication before the threshold is reached resets the failed-attempt count to zero.

* The lockout policy cannot be disabled. For less restrictive behavior, increase the maximum failed attempts and/or shorten the time window.

* To change settings, contact a PingOne Recognize team member or `support@keyless.io`.

## When the Lockout Policy Applies

* Lockout policy applies to **Authentication** flows, not enrollment flows.

* From SDK v5.3.x and above, lockout policy also applies to Account Recovery using [Enroll from Client State](mobile-sdk-account-recovery.html).

* For enrollment failures, lockout cannot be applied because no PingOne Recognize ID is generated.

## If a User Is Locked Out

* Any authentication attempt for that PingOne Recognize ID returns `30007` (`User Lockout`).

* Users must wait for the lockout duration to expire; there is no bypass.

* If a user attempts authentication while locked out, the time window does not reset.

* During lockout, biometric authentication is not attempted and circuits are not consumed.
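A small model of the client-side policy described on this page (the v4.8.2 settings and their defaults, plus the behaviours listed under How It Works and If a User Is Locked Out), added here as an illustration; it is not code from the PingOne Recognize SDK. The class and method names are invented, and the counting window is assumed to be fixed from the first counted failure, which the page does not state.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Error code the page says an authentication attempt returns while locked out.
USER_LOCKOUT = 30007


@dataclass
class ClientLockoutPolicy:
    """Per-device lockout state for one PingOne Recognize ID (illustrative model).

    Field names mirror the SDK settings on this page (defaults 300 / 180 / 5).
    Assumption: the attempts window is fixed, starting at the first counted
    failure; once it is older than lockoutAttemptsResetAfter the count restarts.
    """
    lockout_duration: int = 300              # seconds a device stays locked
    lockout_attempts_reset_after: int = 180  # seconds before the failure count resets
    lockout_attempts_threshold: int = 5      # failures allowed inside the window
    failures: List[int] = field(default_factory=list)  # timestamps of counted failures
    locked_until: int = -1                   # lockout expiry (epoch seconds)

    def __post_init__(self) -> None:
        # Rule from the page: the lockout must outlive the attempts-reset timer.
        if self.lockout_duration < self.lockout_attempts_reset_after:
            raise ValueError("lockoutDuration must be >= lockoutAttemptsResetAfter")
        if self.lockout_attempts_threshold < 1:
            raise ValueError("lockout cannot be disabled; threshold must be >= 1")

    def is_locked(self, now: int) -> bool:
        return now < self.locked_until

    def record_attempt(self, now: int, succeeded: bool) -> Optional[int]:
        """Feed one authentication attempt; returns USER_LOCKOUT or None."""
        if self.is_locked(now):
            # Locked out: no biometric check runs and the lockout is not extended.
            return USER_LOCKOUT
        if succeeded:
            self.failures.clear()  # any success resets the count to zero
            return None
        # Start a fresh window if the first counted failure has aged out.
        if self.failures and now - self.failures[0] >= self.lockout_attempts_reset_after:
            self.failures.clear()
        self.failures.append(now)
        if len(self.failures) >= self.lockout_attempts_threshold:
            self.locked_until = now + self.lockout_duration
            self.failures.clear()
            return USER_LOCKOUT
        return None
```

With the defaults, a fifth failure inside 180 seconds locks the device for 300 seconds, and further attempts during that time return `30007` without moving the expiry.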
