typo, clarity, emphasis
Source Link
Royce Williams
  • 1.2k
  • 11
  • 20

Four is bcrypt's minimum cost (work factor), built into the algorithm itself by the original authors (Provos and Mazières) in 1999.

The original/reference implementation is OpenBSD's, which forces the cost to 4 if a cost less than 4 is requested.

The original selection of 4 was likely because a goal of Provos' local testing during development was for hashing to be sufficiently slow, but not "too" slow (this is a reply to my question, from Provos himself).

So while you could compile a local version of the code yourself and override this minimum, I do not recommend it (for anything other than curiosity / testing purposes). In fact, even bcrypt cost 4 is much too slow on modern CPUs (compared to 25 years ago!). I would consider cost 10 to be the minimum today for secure production use, and cost 12 if you can get away with it.

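The cost factor the answer discusses is recorded in every bcrypt hash string, so an existing password store can be checked against the recommended floor without re-hashing anything. The following Python is an added example, not code from the original answer or from any bcrypt implementation. It assumes the usual modular-crypt layout (`$2b$12$` followed by a 22-character salt and a 31-character digest in bcrypt's base64 alphabet), flags stored hashes whose cost is below a policy floor of 10 (the answer's recommendation, chosen here as a constant), and includes a calibration routine that takes a real hashing callable so a deployment can find the highest cost that fits its latency budget. The sample rows, user names and the optional use of the `bcrypt` package in the `__main__` demo are this example's own constructions.

```python
"""Added example (not from the original answer or from any bcrypt library):
audit stored bcrypt hashes for their embedded cost, and calibrate a cost
against a per-hash time budget.  Sample data below is constructed."""
import re
import time
from typing import Callable, Iterable, List, Tuple

# Bounds built into the algorithm: cost is a two-digit decimal, 4..31.
BCRYPT_MIN_COST = 4
BCRYPT_MAX_COST = 31
# Policy floor for production use; this example's choice, following the answer.
POLICY_MIN_COST = 10

# $<variant>$<cost>$<22-char salt><31-char digest>, in bcrypt's own base64 alphabet.
_BCRYPT_RE = re.compile(
    r"^\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$"
)


def parse_bcrypt(hash_str: str) -> Tuple[str, int, str, str]:
    """Split a bcrypt string into (variant, cost, salt, digest); raise if malformed."""
    m = _BCRYPT_RE.match(hash_str)
    if not m:
        raise ValueError("not a bcrypt hash")
    variant, cost, salt, digest = m.group(1), int(m.group(2)), m.group(3), m.group(4)
    if not BCRYPT_MIN_COST <= cost <= BCRYPT_MAX_COST:
        # A cost field below 4 can only come from a patched, non-conforming build.
        raise ValueError(f"cost {cost} outside bcrypt's valid range 4..31")
    return variant, cost, salt, digest


def audit_hashes(rows: Iterable[Tuple[str, str]],
                 min_cost: int = POLICY_MIN_COST) -> List[Tuple[str, str]]:
    """Return (user, reason) for every stored hash that fails the cost policy."""
    findings: List[Tuple[str, str]] = []
    for user, stored in rows:
        try:
            _, cost, _, _ = parse_bcrypt(stored)
        except ValueError as err:
            findings.append((user, str(err)))
            continue
        if cost < min_cost:
            findings.append((user, f"cost {cost} below policy minimum {min_cost}"))
    return findings


def calibrate_cost(hash_fn: Callable[[bytes, int], object], target_seconds: float,
                   start: int = POLICY_MIN_COST, ceiling: int = 14) -> int:
    """Largest cost in [start, ceiling] whose single hash stays within the budget.

    hash_fn(password, cost) must perform one real hash at that cost.  The
    policy floor `start` is returned even if it already exceeds the budget:
    go slower, not weaker."""
    chosen = start
    for cost in range(start, ceiling + 1):
        t0 = time.perf_counter()
        hash_fn(b"calibration-password", cost)
        if time.perf_counter() - t0 > target_seconds:
            break
        chosen = cost
    return chosen


# Constructed sample rows: syntactically valid strings, not hashes of any real password.
_SALT = "abcdefghijklmnopqrstuv"                   # 22 chars
_DIGEST = "wxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0"         # 31 chars
SAMPLE_ROWS = [
    ("alice", f"$2b$12${_SALT}{_DIGEST}"),   # meets policy
    ("bob",   f"$2a$04${_SALT}{_DIGEST}"),   # algorithm minimum, far below policy
    ("carol", f"$2y$08${_SALT}{_DIGEST}"),   # legacy cost, below policy
    ("dave",  f"$2b$03${_SALT}{_DIGEST}"),   # impossible from a conforming build
    ("eve",   "$6$rounds=5000$saltsalt$notbcrypt"),  # sha512crypt, wrong scheme
]

if __name__ == "__main__":
    for user, why in audit_hashes(SAMPLE_ROWS):
        print(f"{user}: {why}")
    try:
        import bcrypt  # pip install bcrypt; only needed for the timing demo
    except ImportError:
        bcrypt = None
    if bcrypt is not None:
        cost = calibrate_cost(
            lambda pw, c: bcrypt.hashpw(pw, bcrypt.gensalt(rounds=c)), 0.25)
        print(f"largest cost under 250 ms on this machine: {cost}")
```

The audit treats a hash whose cost field is below 4 as an error rather than a weak hash, since no conforming bcrypt build emits one; the calibration deliberately never returns less than the policy floor, because a machine that cannot afford cost 10 needs more hardware, not a weaker hash.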