
How Account Lockout and Password Reset Works

Source: autosoft-workshop/app/controllers/sessions_controller.rb, users_controller.rb

  • Account locks after max_login_attempts failed attempts, with a warning displayed at the halfway mark (e.g., warning at 5 if max is 10)
  • Lockout auto-clears after CONFIG["time_locked_out"] hours — no admin intervention needed, user just has to wait
  • Mobile-only users cannot log in to the website, and website-only users cannot log in to the mobile app — access type is enforced at login
  • If the company itself is deactivated, ALL users are blocked from logging in regardless of their individual status
  • On successful login, all previous sessions for that user are destroyed — Workshop enforces single active session per user
  • Password reset response always returns the same generic message regardless of whether the email exists — this prevents email enumeration attacks
  • Password reset reactivates locked and blocked users as a side effect — this is a known security concern where a locked-out user can bypass the lockout via password reset
  • Password change (from within the app) requires the correct old password to be supplied
  • Password reset tokens have a configurable expiration — expired tokens return a generic error
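To make the lockout rules above concrete, here is an added Ruby model of the login decision path and of the password-reset side effect. It is an illustration written for this page, not code from the Workshop controllers; the `CONFIG` values, the `User` struct and the `:web`/`:mobile`/`:both` access-type values are assumptions.

```ruby
# Constructed config stand-in; the real app reads these from CONFIG / settings.
CONFIG = { "max_login_attempts" => 10, "time_locked_out" => 2 }.freeze # hours

# Hypothetical user record standing in for the ActiveRecord model.
# access_type is assumed to be :web, :mobile or :both.
User = Struct.new(:failed_attempts, :locked_at, :blocked, :access_type,
                  :company_active, keyword_init: true)

# A lock auto-clears once time_locked_out hours have passed; no admin action needed.
def lock_expired?(user, now)
  user.locked_at.nil? || (now - user.locked_at) >= CONFIG["time_locked_out"] * 3600
end

# Evaluates one login attempt on a channel (:web or :mobile) and updates the
# user's counters the way the controller would. Returns the outcome as a symbol.
def login_attempt(user, channel:, password_ok:, now: Time.now)
  return :company_deactivated unless user.company_active   # company-wide block wins
  return :blocked if user.blocked
  if user.locked_at && lock_expired?(user, now)            # lock window elapsed: reset
    user.locked_at = nil
    user.failed_attempts = 0
  end
  return :locked if user.locked_at
  return :wrong_access_type unless [channel, :both].include?(user.access_type)
  if password_ok
    user.failed_attempts = 0
    return :ok # the controller destroys the user's other sessions at this point
  end
  user.failed_attempts += 1
  max = CONFIG["max_login_attempts"]
  if user.failed_attempts >= max
    user.locked_at = now
    :locked_now
  elsif user.failed_attempts == max / 2
    :warning   # halfway mark, e.g. attempt 5 of 10
  else
    :failed
  end
end

# The password-reset side effect described above: completing a reset clears
# lock and block state, so a locked-out user regains access without waiting.
def complete_password_reset!(user)
  user.locked_at = nil
  user.blocked = false
  user.failed_attempts = 0
  user
end
```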

Support scenarios

  • "I'm locked out of my account" → too many failed attempts; either wait for auto-unlock or use password reset (which also unlocks)
  • "My employee can log in on mobile but not on the website" → user is set to mobile-only access
  • "Nobody in our company can log in" → company may be deactivated
  • "I got logged out on my other device when I logged in here" → single session enforcement destroys previous sessions
  • "Password reset says 'email sent' but I never got it" → same message shows regardless of whether the email exists in the system
  • "Locked user got back in without admin help" → password reset reactivates locked/blocked users automatically