Thus, please consider introducing the ability to lock an account after X number of failed attempts so that it can only be unlocked by an administrator (please also have the option to set up notification email to alert someone about the account lockout).
There is an account lock setting that exists already, but I would like to second the suggestion that an option to send email notification alerts to someone should be added. At the very least, the error message that displays for the user once an account is locked out should change so that it indicates that the account is locked out. Right now it continues to display the message that the username or password is incorrect, even after the user has gone through the process of changing their password. I have gotten a number of complaints that would've been resolved by an error message saying something along the lines of "Your account has been locked. Please try again in 30 minutes."