How many incorrect attempts should be allowed before invalidating a password?

I am trying to prevent brute force attacks on a user's account by invalidating a password when too many attempts are made in the same minute, hour, day or something similar. The credentials in this scenario are for company employees on the road, and are used on an Android app.

At the same time, I do not want the user to have their password needlessly invalidated because they made a few mistakes.

How many attempts are enough? Or, alternatively, how do I determine how many are enough?

Asking in another way, what is the maximum number of mistakes a human should be allowed to make before contacting the helpdesk?

Edit: The authentication mechanism is done through the network. The app gets updated information from a company server after the user logs in successfully.

Tags: an event apart, smashing, speckyboy, UX Interview, ux stack, UX Stack Exchange, UXBooth

How many incorrect attempts should be allowed before invalidating a password?

UX in 2018: The human element

Three Takeaways from the Hawai’i Missile False Alarm

UX in 2018: Content

UX in 2018: Design, Development, and Accessibility

The Power and Danger of Persuasive Design

How many incorrect attempts should be allowed before invalidating a password?

Related Posts