Rate Limiting.
Bounding the number of authentication attempts per identifier, IP, or other key per time window — the primary defense against credential-stuffing and brute-force attacks on login endpoints.
Per-account rate limiting alone is exactly what credential stuffing defeats: the attacker spreads attempts across thousands of accounts, so no single account ever reaches its failed-login threshold, while the attacker's aggregate volume from one IP or network is far higher than any legitimate source would generate. The defense requires composite limits (per-IP + per-IP-range + per-ASN + per-geo + per-device fingerprint) at the edge, plus per-account anomaly scoring deeper in the stack.
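The following is an added illustration of the composite pattern described above; it is not code from this page or from any of the linked guides. Every failed login is counted under several keys at once (account, client IP, /24 prefix, ASN) and refused as soon as any one key is over its limit. The thresholds, the in-memory sliding-window store and the prefix-to-ASN table are all assumptions made for the example (a real deployment would use a shared store and a real ASN/GeoIP database, and would add the geo and device-fingerprint dimensions the page also lists). The `simulate_stuffing` helper replays a credential-stuffing run that touches each account once, to show which layer catches it depending on how widely the attacker spreads their source addresses.

```python
"""Composite (multi-key) rate limiter for a login endpoint.

Added example, not the page's own code. Thresholds and the ASN table below are
illustrative assumptions, and the counters live in process memory; a real
deployment would back them with a shared store such as Redis.
"""
from __future__ import annotations

import ipaddress
from collections import defaultdict, deque

# Constructed stand-in for an ASN database lookup (documentation ASNs from RFC 5398).
ASN_TABLE = {
    ipaddress.ip_network("198.51.0.0/16"): 64496,
    ipaddress.ip_network("203.0.113.0/24"): 64496,
    ipaddress.ip_network("192.0.2.0/24"): 64497,
}


def lookup_asn(ip: str) -> int:
    """Return the ASN owning `ip`, or 0 when unknown (hypothetical helper)."""
    addr = ipaddress.ip_address(ip)
    for net, asn in ASN_TABLE.items():
        if addr in net:
            return asn
    return 0


class CompositeRateLimiter:
    """Sliding-window failure counters, one per (dimension, key) pair."""

    # dimension -> (max failed attempts, window in seconds); illustrative values
    DEFAULT_LIMITS = {
        "account": (5, 900),   # per-account lockout threshold
        "ip": (20, 60),        # single source address
        "cidr24": (100, 60),   # surrounding /24 (or /64 for IPv6)
        "asn": (500, 60),      # whole origin network
    }

    def __init__(self, limits: dict[str, tuple[int, int]] | None = None) -> None:
        self.limits = dict(limits or self.DEFAULT_LIMITS)
        self._events: dict[tuple[str, str], deque[float]] = defaultdict(deque)

    def _keys(self, account: str, ip: str) -> dict[str, str]:
        """Derive every key the attempt is counted under."""
        addr = ipaddress.ip_address(ip)
        prefix = 24 if addr.version == 4 else 64
        return {
            "account": account.lower(),
            "ip": str(addr),
            "cidr24": str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False)),
            "asn": str(lookup_asn(ip)),
        }

    def check(self, account: str, ip: str, now: float) -> list[str]:
        """Return the dimensions currently over limit; empty list means allow."""
        tripped = []
        for dim, value in self._keys(account, ip).items():
            limit, window = self.limits[dim]
            dq = self._events[(dim, value)]
            while dq and dq[0] <= now - window:   # drop events outside the window
                dq.popleft()
            if len(dq) >= limit:
                tripped.append(dim)
        return tripped

    def record_failure(self, account: str, ip: str, now: float) -> None:
        """Count one failed login under every dimension at once."""
        for dim, value in self._keys(account, ip).items():
            self._events[(dim, value)].append(now)


def simulate_stuffing(limiter: CompositeRateLimiter, ips: list[str],
                      n_accounts: int, start: float = 0.0) -> tuple[str | None, int]:
    """Replay a stuffing run: one failure per account, sources used round-robin,
    one attempt every 0.1 s. Returns (first dimension tripped, attempts allowed)."""
    for i in range(n_accounts):
        ip = ips[i % len(ips)]
        now = start + i * 0.1
        tripped = limiter.check(f"user{i}@example.com", ip, now)   # constructed accounts
        if tripped:
            return tripped[0], i
        limiter.record_failure(f"user{i}@example.com", ip, now)
    return None, n_accounts


if __name__ == "__main__":
    one_ip = ["198.51.100.10"]
    one_slash24 = [f"198.51.100.{i}" for i in range(1, 51)]
    one_asn = [f"198.51.{i}.77" for i in range(200)]
    for label, ips in [("single IP", one_ip), ("one /24", one_slash24), ("one ASN", one_asn)]:
        print(label, simulate_stuffing(CompositeRateLimiter(), ips, 1000))
```

In each run the per-account counter never trips, because every account is tried once; the attack is stopped only by whichever aggregate key the attacker failed to spread across. Dropping any one dimension moves the point of detection outward to the next, coarser one, which is why the page calls for the full composite rather than a single key.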
Common questions
What's the right failed-login threshold?
How do I rate-limit without locking out legitimate users?
Should rate limiting be per-user or per-IP?
In the guides
Account Takeover Defense: A Layered Approach for 2026
ATO is the single largest CIAM threat in 2026. The defense stack is layered: credential-stuffing protection, MFA, session management, and recovery design, each addressing a different attack class.
Bot Defense and Fraud Detection for Authentication Endpoints
Credential-stuffing bots, account-creation bots, scrapers, MFA-fatigue bots — the modern auth endpoint faces continuous automated attack. The defenses that hold and the ones that don't.
DDoS and Rate-Limiting for Authentication Endpoints
Login endpoints are the highest-leverage target for volumetric attacks — small request size, large server cost, identity-system disruption. The composite defense pattern that scales.