
Is there a way to limit the number of login attempts with Firebase email and password auth? I want to prevent brute force login attempts.

For example, I want the system to add a delay of 5 or 10 min after 5 failed login attempts and either reset with the same timeout or an exponential increase of the timeout for the next 5 attempts.

I looked in the docs and couldn’t find anything.

3 Answers


  1. Well, Firebase Authentication is already pretty good at handling security at a large scale, but it doesn’t directly let you put a cap on login tries or set timeouts after too many failed attempts.
    Don’t worry, though! You can add these features yourself with a bit of creativity.
    First things first, you’ll need a place to record how many times someone has tried (and failed) to log in. You can use a database like Firestore or Realtime Database for this. Create a record for each user’s email address, and each time they mess up their password, jot it down with a timestamp.
    Before you even attempt to log someone in using Firebase Authentication, take a peek at your database.
    If they’ve already hit the limit of failed tries, tell them to take a breather and wait before they can try again. You decide how long they wait – it could be a straight 5 minutes or something fancier like doubling the wait time each round.
    If someone finally gets their password right, don’t forget to wipe their slate clean. Reset their failed login count back to zero so they can start fresh.

    Maybe you might write this logic in a Cloud Function.
    If you need the correct code, I will support you. I implemented this kind of action in my last project.

  2. You didn’t find anything in the documentation because there is nothing already built in that does that. There is nothing present in the API that you can use to prevent the user from logging in as many times as he wants and increment with 5 minutes at each new failed login attempt. If you want such a mechanism, you have to create it yourself. So you need to write code for that.

    The simplest solution I can think of would be to log the date and time of the last login attempt and the total number of attempts. In this way, you’ll be able to know when the user tried to log in the last time. Aside from that, you can enforce this inside your security rules. So each time an attempt fails, log the date and time and always check against it. So in this way, the user will have to wait a specific amount of time until the login option becomes available again.

  3. If you’re talking about Firebase on a website, you can try to track the number of failed login attempts with a variable and then increment it each time a login attempt fails, with a counter and setTimeout.

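The throttle that answers 1 and 2 describe, written out as an added example (this is not code from the thread or from Firebase). The policy is pure JavaScript so it can run in a Cloud Function before `signInWithEmailAndPassword` is called; an in-memory `Map` stands in for the per-email Firestore or Realtime Database document (an assumption), `verifyPassword` is a hypothetical stand-in for the Firebase Auth call, and `now` is passed in so the timing logic is deterministic. After 5 failures the account is locked for 5 minutes, and each further exhausted batch doubles the wait (the question's exponential option), capped at 24 hours. Answer 3's client-side counter can reuse the same `checkAllowed` function to show the user a countdown, but because that counter lives in the browser it is only a UX hint; the authoritative check has to be the server-side one shown here.

```javascript
// Added example, not from the thread: server-side login throttle with
// exponential backoff. The Map below is a stand-in for a Firestore/RTDB
// record keyed by email (assumption); swap it for real reads/writes.

const MAX_ATTEMPTS = 5;                       // failures per batch before lockout
const BASE_LOCKOUT_MS = 5 * 60 * 1000;        // first lockout: 5 minutes
const MAX_LOCKOUT_MS = 24 * 60 * 60 * 1000;   // cap so doubling cannot grow unbounded

// Hypothetical store with the same shape you would keep per email in the database.
function createAttemptStore() {
  const records = new Map();
  return {
    get: (email) => records.get(email) || { failures: 0, lockouts: 0, lockedUntil: 0 },
    set: (email, rec) => records.set(email, rec),
    clear: (email) => records.delete(email),
  };
}

// Lockout length for the n-th consecutive lockout: 5, 10, 20, 40 ... minutes, capped.
function lockoutDurationMs(lockouts) {
  return Math.min(BASE_LOCKOUT_MS * 2 ** lockouts, MAX_LOCKOUT_MS);
}

// Call this before attempting Firebase sign-in: tells the caller whether the
// attempt may proceed and, if not, how long the user must wait.
function checkAllowed(store, email, now) {
  const rec = store.get(email);
  if (rec.lockedUntil > now) {
    return { allowed: false, retryAfterMs: rec.lockedUntil - now };
  }
  return { allowed: true, retryAfterMs: 0 };
}

// Record a wrong password with a timestamp; on the MAX_ATTEMPTS-th failure start
// a lockout whose length doubles with each consecutive lockout.
function recordFailure(store, email, now) {
  const rec = store.get(email);
  rec.failures += 1;
  rec.lastFailureAt = now;
  if (rec.failures >= MAX_ATTEMPTS) {
    rec.lockedUntil = now + lockoutDurationMs(rec.lockouts);
    rec.lockouts += 1;
    rec.failures = 0; // the next batch of attempts begins after the lockout
  }
  store.set(email, rec);
  return rec;
}

// A correct password wipes the slate clean (answer 1's reset step).
function recordSuccess(store, email) {
  store.clear(email);
}

// Run one login attempt through the policy. `verifyPassword(email, password)`
// is a hypothetical stand-in for the real Firebase Auth call.
function attemptLogin(store, email, password, verifyPassword, now) {
  const gate = checkAllowed(store, email, now);
  if (!gate.allowed) {
    return { ok: false, reason: 'locked', retryAfterMs: gate.retryAfterMs };
  }
  if (verifyPassword(email, password)) {
    recordSuccess(store, email);
    return { ok: true, reason: 'ok', retryAfterMs: 0 };
  }
  const rec = recordFailure(store, email, now);
  return { ok: false, reason: 'bad-password', retryAfterMs: Math.max(0, rec.lockedUntil - now) };
}

// Constructed demo: six wrong passwords one second apart. The fifth failure
// starts a 5-minute lockout and the sixth attempt is refused with the remaining wait.
function demo() {
  const store = createAttemptStore();
  const verify = (email, pw) => pw === 'correct horse battery staple'; // constructed
  const t0 = 1700000000000;
  const results = [];
  for (let i = 0; i < 6; i++) {
    results.push(attemptLogin(store, 'user@example.com', 'wrong', verify, t0 + i * 1000));
  }
  return results;
}

console.log(demo());
```

Two things to keep in mind when moving this to a real database: do the read-modify-write of the attempt record in a transaction so parallel requests cannot each see `failures` below the limit, and note that locking by email alone lets anyone who knows a victim's address keep that account locked by deliberately failing, so pair it with a per-IP limit or a CAPTCHA rather than relying on the email key by itself.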