diff --git a/app/models/user.rb b/app/models/user.rb
index d37130c19..a960e22b4 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -2,7 +2,7 @@ class User < ApplicationRecord
   # Include default devise modules. Others available are:
   # :confirmable, :lockable, :timeoutable and :omniauthable
   devise :database_authenticatable, :recoverable, :rememberable, :validatable,
-         :trackable
+         :trackable, :lockable
 
   belongs_to :organisation
   has_many :owned_case_logs, through: :organisation
diff --git a/config/initializers/devise.rb b/config/initializers/devise.rb
index d377aacd0..4d43e7f3b 100644
--- a/config/initializers/devise.rb
+++ b/config/initializers/devise.rb
@@ -195,27 +195,27 @@ Devise.setup do |config|
   # Defines which strategy will be used to lock an account.
   # :failed_attempts = Locks an account after a number of failed attempts to sign in.
   # :none = No lock strategy. You should handle locking by yourself.
-  # config.lock_strategy = :failed_attempts
+  config.lock_strategy = :failed_attempts
 
   # Defines which key will be used when locking and unlocking an account
-  # config.unlock_keys = [:email]
+  config.unlock_keys = [:email]
 
   # Defines which strategy will be used to unlock an account.
   # :email = Sends an unlock link to the user email
   # :time = Re-enables login after a certain amount of time (see :unlock_in below)
   # :both = Enables both strategies
   # :none = No unlock strategy. You should handle unlocking by yourself.
-  # config.unlock_strategy = :both
+  config.unlock_strategy = :time
 
   # Number of authentication tries before locking an account if lock_strategy
   # is failed attempts.
-  # config.maximum_attempts = 20
+  config.maximum_attempts = 5
 
   # Time interval to unlock the account if :time is enabled as unlock_strategy.
-  # config.unlock_in = 1.hour
+  config.unlock_in = 1.hour
 
   # Warn on the last attempt before the account is locked.
-  # config.last_attempt_warning = true
+  config.last_attempt_warning = true
 
   # ==> Configuration for :recoverable
   #
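Review bot: The comment directly above the `devise` call still lists `:lockable` under "Others available are", which becomes wrong once the next line enables it; change it to `# :confirmable, :timeoutable and :omniauthable`. Enabling `:lockable` on the model presumes the `failed_attempts`/`locked_at` columns are present on `users` (they are added by the migration in this same commit), so the model change and the migration have to be deployed together. The `User` class body continues outside the hunk.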
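Review bot: `config.unlock_keys = [:email]` is uncommented even though `config.unlock_strategy = :time` is chosen on the line below it, so the key setting has no effect — with a `:time`-only unlock strategy Devise does not send unlock e-mails; either leave that line commented out or, if e-mail unlock is actually wanted, use `:both`. A `:time` unlock with `maximum_attempts = 5` also means that repeated failed sign-ins against a known e-mail keep that account unusable for the whole `unlock_in` window (1 hour), which is a lockout denial-of-service risk, so this should be paired with per-IP throttling of the sign-in endpoint rather than relied on by itself. The locked/last-attempt failure messages that `last_attempt_warning = true` turns on disclose that the account exists and its lock state unless `config.paranoid = true` is set, which is outside this hunk and worth confirming. The `Devise.setup` block starts and ends outside the hunk.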
diff --git a/db/migrate/20220308164721_add_lockable_fields.rb b/db/migrate/20220308164721_add_lockable_fields.rb
new file mode 100644
index 000000000..89316018e
--- /dev/null
+++ b/db/migrate/20220308164721_add_lockable_fields.rb
@@ -0,0 +1,10 @@
+class AddLockableFields < ActiveRecord::Migration[7.0]
+  def change
+    change_table :users, bulk: true do |t|
+      t.column :failed_attempts, :integer, default: 0
+      t.column :unlock_token, :string
+      t.column :locked_at, :datetime
+    end
+    add_index :users, :unlock_token, unique: true
+  end
+end
diff --git a/db/schema.rb b/db/schema.rb
index dbebd8bcc..0243ebae1 100644
--- a/db/schema.rb
+++ b/db/schema.rb
@@ -268,9 +268,13 @@ ActiveRecord::Schema[7.0].define(version: 202202071123100) do
     t.integer "role"
     t.string "old_user_id"
     t.string "phone"
+    t.integer "failed_attempts", default: 0
+    t.string "unlock_token"
+    t.datetime "locked_at", precision: nil
     t.index ["email"], name: "index_users_on_email", unique: true
     t.index ["organisation_id"], name: "index_users_on_organisation_id"
     t.index ["reset_password_token"], name: "index_users_on_reset_password_token", unique: true
+    t.index ["unlock_token"], name: "index_users_on_unlock_token", unique: true
   end
 
   create_table "versions", force: :cascade do |t|
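Review bot: `t.column :failed_attempts, :integer, default: 0` lacks `null: false`; Devise's lockable module compares `failed_attempts` with `maximum_attempts` on every failed sign-in, so a NULL in that column (a `default:` only covers rows that omit the value, not an explicit nil write) would raise rather than lock, which I believe is why the Devise generator template declares the column `default: 0, null: false`. Change the line to `t.column :failed_attempts, :integer, default: 0, null: false`. The `unlock_token` column and its unique index are only consulted by the `:email`/`:both` unlock strategies; they are harmless under the `:time` strategy configured in this commit, but a comment such as `# unlock_token is unused while unlock_strategy is :time; kept for a later :email/:both switch` would stop the next reader from looking for the mailer flow.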