Hi David,
If you look in the console (I am assuming you are running locally), you should see a message that the user is blocked for a period of time after 3 bad login attempts. Mendix doesn’t communicate this info via the UI, b/c that would give the user more information than necessary and perhaps help with hacking attempts. If you look at a user account via the user interface after 3 failed login attempts, you’ll see that the user is blocked (this is an attribute on the user/account entity).
Hope that helps,
Mike
**EDIT**
I just tried this on a free app. With the live log open, I tried to log in with the wrong password. Here is what the log showed:
Here is what I saw in the UI:
One note: the account doesn’t stay blocked for more than a few minutes. So if you don’t log in right away (with a different account), it will not show as blocked.
Another note: the user never sees a message that he is blocked, only that he entered an invalid username and password.
If you don’t see similar behavior, I would file a ticket with Mendix.
Filed a request with Mendix support. This issue is fixed from Mendix Studio Pro version 8.8 onwards. So updated Mendix Studio Pro version to 8.10 and now users do get blocked after 3 bad login attempts. This greatly improves security! Thanks Mendix and Mike for helping to find the solution!
Mendix support stated:
Starting with Mendix 8.0, users aren't blocked by default when entering an incorrect password. From https://docs.mendix.com/refguide/login-behavior
This was a known issue and was fixed in 8.8 https://docs.mendix.com/releasenotes/studio-pro/8.8
"We now block users after three failed logins in a Mendix Cloud node environment if the app project security is set to Production. (Ticket 95292)"