MOCKUP #1 - NOT TELLING THE USER WHICH FIELD HAD WRONG ENTRY, BUT STATING THAT THE USER WILL BE LOCKED OUT OF THEIR ACCOUNT AFTER 10 FAILED LOGIN ATTEMPTS

This scenario shows a server-side response that the email/username and password combination is incorrect.
NOTES:
  • This is the most "secure" approach. There is a specific reason some sites do not say which field is "wrong": if a hacker knows the email/username is present in the database, they already have a victim and only need to focus on the password. With just a warning that something is wrong, the hacker won't even know whether the user exists.
  • TO CHECK WITH IDM TEAM IF POSSIBLE: Both the "Email or Username" and "Password" input field borders should be styled with style="border-color: #a94442;".
  • TO CHECK WITH IDM TEAM IF POSSIBLE: Even though the logic will be 10 failed login attempts before being locked out, the bottom part of the message will not show until the user has only 5 more failed login attempts left.

    So, for failed login attempts 1, 2, 3, 4, and 5, the user will see this alert:
    Your email/username or password is incorrect. Please check your login and try again. If you are stuck, you can also look up your account.
    Then, for failed login attempts 6, 7, 8, and 9, the user will see this alert:
    Your email/username or password is incorrect. Please check your login and try again. If you are stuck, you can also look up your account.

    For security reasons, after 5 more failed login attempts you'll have to wait 60 minutes before trying again.

Log In or Create an Account

Your email/username or password is incorrect. Please check your login and try again. If you are stuck, you can also look up your account.

For security reasons, after 5 more failed login attempts you'll have to wait 60 minutes before trying again.
Log in With Your APA Account
OR
Do you have a Google account or did you use your Google account to create your APA account? Click the button to log in with it.

MOCKUP #2 - ALERTING THE USER THAT THEY HAVE BEEN LOCKED OUT OF THEIR ACCOUNT DUE TO 10 FAILED LOGIN ATTEMPTS

This scenario shows a server-side response that the user has locked themselves out of their account after 10 failed login attempts (whether that was due to wrong email/username or password entry).
NOTES:
  • TO CHECK WITH IDM TEAM IF POSSIBLE: The countdown should start at 60 minutes, and count down after each elapsed minute (59, 58, ...).
  • TO CHECK WITH IDM TEAM IF POSSIBLE: When the alert is triggered, both the "Email or Username" and "Password" input field borders should be styled with style="border-color: #a94442;" and the disabled attribute should be added to each of the input fields in this scenario.
  • TO CHECK WITH IDM TEAM IF POSSIBLE: After 60 minutes have passed since the 10th failed login attempt, this alert would go away and the login screen would be enabled again.
  • TO CHECK WITH GURVINDER: Even if the user enters the correct email/username and password combination on the 11th try, this alert should still be shown and the input fields should be disabled.
  • TO CHECK WITH GURVINDER: All IP traffic should be allowed through, so in that case, this alert should not be shown and the fields should remain enabled.

Log In or Create an Account

For security reasons, you have been locked out of your account due to 10 failed login attempts.

You'll have to wait 60 minutes before trying again.
Log in With Your APA Account
OR
Do you have a Google account or did you use your Google account to create your APA account? Click the button to log in with it.
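
The attempt-counting logic behind both mockups, as an added example that is not part of the original spec or the IDM team's code. `createLoginGuard`, `checkCredentials` and the response fields are hypothetical names; counting failures per submitted identifier whether or not an account exists (so known and unknown users get identical responses) and reporting the live number of attempts left are assumptions.

```javascript
// Added example (not the IDM implementation). Thresholds come from the mockups.
const MAX_FAILURES = 10;         // lock on the 10th failed attempt
const WARN_AFTER = 5;            // lockout warning shows from failed attempt 6
const LOCK_MS = 60 * 60 * 1000;  // 60-minute lockout
const GENERIC = 'Your email/username or password is incorrect. Please check your login and try again.';

// checkCredentials(identifier, password) -> boolean is a hypothetical callback.
// Failures are keyed by the submitted identifier, existing account or not.
function createLoginGuard(checkCredentials) {
  const failures = new Map(); // identifier -> { count, lockedAt }
  return function attempt(identifier, password, now) {
    const key = identifier.trim().toLowerCase();
    let rec = failures.get(key) || { count: 0, lockedAt: null };
    if (rec.lockedAt !== null) {
      const remainingMs = LOCK_MS - (now - rec.lockedAt);
      if (remainingMs > 0) {
        // Mockup #2: still locked, so credentials are not even evaluated.
        return { state: 'locked', fieldsDisabled: true, minutesLeft: Math.ceil(remainingMs / 60000) };
      }
      rec = { count: 0, lockedAt: null }; // 60 minutes have passed: start over
    }
    if (checkCredentials(key, password)) {
      failures.delete(key);
      return { state: 'ok' };
    }
    rec.count += 1;
    if (rec.count >= MAX_FAILURES) rec.lockedAt = now;
    failures.set(key, rec);
    if (rec.lockedAt !== null) {
      return { state: 'locked', fieldsDisabled: true, minutesLeft: 60 };
    }
    // Mockup #1: same generic message for a wrong password and an unknown user.
    return {
      state: 'failed', message: GENERIC, fieldsDisabled: false,
      showLockoutWarning: rec.count > WARN_AFTER,
      attemptsLeft: MAX_FAILURES - rec.count,
    };
  };
}
```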