Add Account Locked out after too many Login Attempts

[bharney]

• When the user tried too many times to login to an account, lock it for a few minutes.

[ghost]

What are your initial thoughts on this feature?

I implemented a "user action collection" or table in my starter for this very reason. One problem I can see with this approach is as the table grows the query time will increase. Anything older than a week shouldn't really matter for current logins, but it would be useful to have a record that isn't directly queriable for other various reason, for instance geolocation, IP, device, or different browser logins alerts.

It is possible to implement a SQL job in entity framework that moves anything older than a week into an archive table of sorts? What should the lockout time frame be? And if there is an active user season i.e ("someone is trying to hijack this account") should all existing user sessions be eliminated?