Implement Account Lockout Feature
As the name suggests, an account lockout feature bars access to an account. Access may be denied for a fixed time or until it is explicitly restored. Several restoration methods are available: entering a one-time password, having access restored from the backend, or passing a CAPTCHA test. An account lockout feature adds a layer of security and protects against certain malicious activities. Consider the following example of how an attacker may gain access to a mobile application when the lockout feature is not implemented.
A mobile application does not restrict the number of login attempts. An attacker who does not have valid credentials but wants access writes a program that enters every possible combination of username and password one by one. Eventually the program submits a valid pair. This way, the attacker gains access and deletes critical user data.
The solution is to restrict the number of login attempts. If a user fails to enter valid credentials within the allowed number of attempts, access to the account is barred. The user could then be asked to authenticate differently, for example through a password reset link, a one-time password, or by contacting support.
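The following is an added example (not code from the original article) of the policy just described: a per-account failed-attempt counter, a fixed-duration lock once the limit is reached, and a second-channel restoration step. The attempt limit, lock duration, account fields and the `restore_access` one-time-password check are assumptions made for the illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Assumed policy values for this example; a real deployment sets these as policy.
MAX_ATTEMPTS = 5            # failed logins allowed before the account is barred
LOCKOUT_SECONDS = 15 * 60   # fixed lock duration; restoration can end it earlier

@dataclass
class Account:
    username: str
    password_hash: bytes        # salted PBKDF2 hash of the password
    salt: bytes
    failed_attempts: int = 0
    locked_until: float = 0.0   # Unix time; 0 means not locked

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def is_locked(acct: Account, now: float) -> bool:
    return acct.locked_until > now

def login(acct: Account, password: str, now: float) -> str:
    """Return 'ok', 'locked' or 'invalid', counting failures and locking out."""
    if is_locked(acct, now):
        return "locked"     # refuse without checking the password while barred
    if hmac.compare_digest(hash_password(password, acct.salt), acct.password_hash):
        acct.failed_attempts = 0    # a successful login clears the counter
        return "ok"
    acct.failed_attempts += 1
    if acct.failed_attempts >= MAX_ATTEMPTS:
        acct.locked_until = now + LOCKOUT_SECONDS
        acct.failed_attempts = 0    # counter starts fresh after the lock expires
    return "invalid"

def restore_access(acct: Account, otp_submitted: str, otp_expected: str) -> bool:
    """Restoration through a different channel, here a one-time password."""
    if hmac.compare_digest(otp_submitted, otp_expected):
        acct.locked_until = 0.0
        acct.failed_attempts = 0
        return True
    return False

def demo() -> list:
    """Repeated wrong guesses against a constructed account, then a correct one."""
    salt = b"constructed-demo-salt"        # constructed value for the example
    acct = Account("alice", hash_password("correct horse", salt), salt)
    t = 1_000_000.0
    results = [login(acct, f"guess{i}", t + i) for i in range(MAX_ATTEMPTS)]
    results.append(login(acct, "correct horse", t + MAX_ATTEMPTS))        # still locked
    results.append(login(acct, "correct horse", t + LOCKOUT_SECONDS + 10)) # lock expired
    return results
```

Once the limit is hit, even the correct password is rejected until the lock expires or `restore_access` succeeds, which is the behaviour that defeats the one-by-one guessing program described above.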