Login Restrictions (Lock Out)

Hi, I have been looking for some advice on user lock out on failed login attempts, but the only related article I could find was from 2014 (here); however, I am not sure if this is still relevant. We are trying to increase the time the username is locked out for when entering incorrect details, say 3 times, to 15 minutes say. I have seen the widgets and options for this in WordPress themes but wasn't sure if Mendix had something similar. Could anyone point me in the right direction? Follow-up question: what about blocking IPs that are trying to brute force entry? Thanks! :)
asked
3 answers

Hi Morgan,

I believe the solution mentioned by Roeland in that topic is still valid. However you could also try to connect your own logic to the login flow by using the Login Form appstore widget/module.

If you know how to work with JavaScript/Java you can include your own IP locking/blocking mechanism.

answered

I've done a lot of work on enhancing security beyond the basics that Mendix provides for some enterprise clients. I haven't done exactly what you are describing with time, but as an alternative I have a Before Commit event handler that checks a constant for the number of failed attempts and, if it exceeds it, I deactivate their account so only an Admin can reactivate, plus many more features such as history tracking of passwords, character matching, etc. This is beyond the 3 failed by default, which only blocks for 5 minutes and then allows again. Agree with Mitchel on the Java IP blocking mechanism with the widget. Contact me directly if you don't get what you need.

answered
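To make the policy described in this answer concrete, here is an added stand-alone model (not Mendix code and not the answerer's implementation) of a per-username lockout: 3 failures lock the name for 15 minutes, attempts during the lock are rejected without being counted, a correct password resets the counters, and a total failure count deactivates the account until an admin restores it. The 3-attempt and 15-minute figures are the ones discussed in the thread; the 9-failure deactivation threshold and the clock values are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

@dataclass
class LoginGuard:
    """Per-username lockout model (stand-alone example, not Mendix's own logic)."""
    max_failures: int = 3                        # consecutive failures before a lock
    lock_for: timedelta = timedelta(minutes=15)  # lock duration
    deactivate_after: int = 9                    # assumed: failures before admin-only reactivation
    failures: dict = field(default_factory=dict)      # username -> consecutive failures
    locked_until: dict = field(default_factory=dict)  # username -> lock expiry
    deactivated: set = field(default_factory=set)

    def is_allowed(self, user: str, now: datetime) -> bool:
        """True if an attempt for `user` may be evaluated at time `now`."""
        if user in self.deactivated:
            return False
        until = self.locked_until.get(user)
        return until is None or now >= until

    def record_failure(self, user: str, now: datetime) -> str:
        """Call after a wrong password; returns the resulting state of the username."""
        if not self.is_allowed(user, now):
            return "rejected"                    # not evaluated, so not counted
        n = self.failures[user] = self.failures.get(user, 0) + 1
        if n >= self.deactivate_after:
            self.deactivated.add(user)
            return "deactivated"
        if n % self.max_failures == 0:
            self.locked_until[user] = now + self.lock_for
            return "locked"
        return "counting"

    def record_success(self, user: str) -> None:
        """A correct password (only reachable while allowed) clears the counters."""
        self.failures.pop(user, None)
        self.locked_until.pop(user, None)

def guesses_per_hour(max_failures: int, lock_minutes: float) -> float:
    """Upper bound on wrong guesses per hour against one username under the policy."""
    return max_failures * 60 / lock_minutes

def run_scenario() -> list:
    """Constructed attempt log: three wrong passwords, a retry inside the lock, one after it."""
    guard, t0, log = LoginGuard(), datetime(2024, 1, 1, 12, 0), []
    for minutes in (0, 1, 2, 10, 20):            # constructed offsets from t0, in minutes
        log.append((minutes, guard.record_failure("morgan", t0 + timedelta(minutes=minutes))))
    return log
```

`guesses_per_hour(3, 5)` versus `guesses_per_hour(3, 15)` gives the throughput difference the next answer reasons about; the lock is per username, so it does nothing against guesses spread across many accounts or source addresses.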

Blocking users for a longer time won't help a lot. Brute force hacking is based on trying millions of requests in a few minutes or hours. After 3 requests the delay is set to 5 minutes, which will result in 10+ years to try a million combinations.

If you increase the 5 minutes to 15 minutes it will go from 10 years to 30 years.

Blocking IPs will only solve a part of the problem because hackers use botnets.

IP blocking should be done at the web server level, so NGINX or IIS. Tools are available for that purpose.

answered