Brute-force lockout escalation

How repeated failed logins escalate to a lockout

Independent of Caddy rate limit

The lockout is per identifier. The Caddy rate limit is per IP. Both fire independently. A distributed attack across many IPs hits the SDK lockout; a single-IP burst hits Caddy first.

Manual unlock

Admins can unlock via Athena → Locked Accounts. See Operate, Locked account unlock.

Where to learn more

Security, Brute-force protection
Security, Account lockout
Cookbook, Test brute-force locally

MFA step-up to AAL2

Escalating session AAL for sensitive operations

Athena → Kratos admin

Internal admin API call chain

Brute-force lockout escalation

Independent of Caddy rate limit

Manual unlock

Where to learn more

On this page