Anomaly Detection

Auth0 provides built-in tools to detect anomalies and stop malicious attempts to access your application. Anomaly detection can alert you and your users of suspicious activity, as well as block further login attempts. You can set your preferences on the notifications that get sent and you can decide whether to block a suspicious IP address or not.

What Anomaly Detection Provides

Currently Auth0 has three types of shields you can enable to handle anomalies and attacks. A shield specifies the action you wish to take given a specific trigger.

A trigger is a suspicious event that is detected when someone is trying to login to your system, or there may have been a breached password with another 3rd party service.


Brute-Force Protection

There are two different triggers for the brute-force protection shield, for two slightly different attack scenarios.

Trigger: 10 failed login attempts into a single account from the same IP address.


  • Send an email to the affected user (The email can be customized)
  • Block the suspicious IP address


The way this anomaly protection works is that if user with "user_id1" signs in from IP1 and fails to login consecutively for 10 attempts their login from this IP - IP1 will be blocked. Another user, say "user_id2" signing in from the same IP (IP1) will not be blocked. The mechanism to clear this block is described below.

Currently the default trigger amount of 10 cannot be changed.

If this block is triggered, it can be cleared the following ways:

  • An administrator removes the block via the Dashboard (by clicking unblock for all IPs under the ACTIONS button when viewing the user's details) or by using the Management API ;
  • The User clicks on the "unblock" link provided in the email sent when the block went into effect;
  • The User changes their password.

Trigger: 100 failed login attempts from a single IP address using different usernames, all with incorrect passwords in 24 hours. Or 50 sign ups attempts per minute from the same IP address.


  • Notify dashboard administrator(s)
  • Block suspicious addresses

If this block is triggered, additional access attempts are released one at a time over the course of 24 hours until 100 attempts are allocated. More specifically, you will gain 100 attempts / 24 hours * 60 minutes = approximately 1 additional attempt every 15 minutes.

Auth0 does email the dashboard administrator(s) when this block is triggered. Within this email there's a link the owner can click on to remove the block.

Enable or Disable Brute Force Protection

By default, brute force protection is enabled for all connections.

Each connection has a flag called brute_force_protection that you can use to disable brute force protection. If this flag is set to true, then brute force protection is enabled even if general brute force protection is enabled.

We do not recommend setting the brute_force_protection flag to false (effectively disabling brute force protection for the connection), but if you do, you will be able to change this in the Dashboard. There will be a Improve brute force protection toggle under Connection Settings that changes the flag from false to true.

Restrictions Regarding Brute-Force Protection

Both of these anomaly types depend on the IP address of the user. Because of this, the following use cases are not supported:

  1. Using the Resource Owner from the backend of the application. Using this call does not get the IP address of the user. See point 2 below as an alternative.
  2. Using Resource Owner Password Grant from the backend of the application. Using this call does not get the IP address of the user, however, you can configure your application and send the IP address of the user as part of the request to make brute-force protection work correctly.
  3. Authenticating many users from the same IP address. For example, users that are behind a proxy are more likely to reach these limits and trigger the associated protection. It is possible to configure a whitelist for the proxy's IP and CIDR range and avoid erroneously triggering the protection.

Breached Password Detection

Every day malicious hackers penetrate websites and applications, exposing thousands of email and passwords. Given that it's quite common for users to use the same password to login to multiples sites, this poses a problem, not only for the hacked system, but to any application that shares those credentials.

Auth0 tracks large security breaches that are happening on major third party sites to help keep your users and system secure. By enabling Breached Password Detection, your users can be notified and/or blocked from logging in if we suspect their credentials were part of a published security breach.

Trigger: Auth0 suspects that a specific user's credentials were included in a major public security breach.


  • Send an email to the affected user
  • Send an email to dashboard owners immediately, and/or have a daily/weekly/monthly summary
  • Block login attempts for suspected user accounts using that username and password combination

This block remains in place until the user changes their password.

Set your anomaly detection preferences

To customize the actions that get taken from the triggers, go to the Anomaly Detection section on the dashboard.

You can use the toggle to disable all the actions of a certain shield. Or to enable/disable certain actions, click on the shield that has the action in it that you wish to change.

Then you can use the toggle to enable/disable an action.

We do not recommend making changes to your anomaly detection features via the Management API.

Brute-force Protection

Here you can also add any IP addresses to the Whitelist field to avoid erroneously triggering the protection.

Click Save when you have finished.

Breached-password Detection

Click Save when you have finished.

Customize the Blocked Account Email

When Auth0 sends an email to a user to notify them of the block, the message contains a link to re-enable the origin of the request. Notice that Auth0 never blocks the user itself, just the attempts from the suspicious origin.

The email sent to the user looks like this:

Email Example

The template used for this message can be customized on the Dashboard under Emails > Templates > Blocked Account Email.

Learn more about Customizing your Emails


  1. Is the user notified at every login?

We send one email every hour, regardless of the number of logins. For example, if a user tries to log in 200 times in 1 hour and 30 minutes, we will send two emails.

  1. Is there a limit to the number of times a user will be notified?

Users will only be notified once per hour.

  1. How long is the reset password link, included in the breached password email, valid for?

Password reset links are valid for five days.

  1. Is there a test dataset of breached passwords?

You can test with as the email and Paaf213XXYYZZ as the password.

  1. Does the breached password detection work when logging in using the Resource Owner password grant?


  1. Does the breached password detection feature work with a custom database?


  1. What Redirect URL applies to the Change password link included in the breached password notification email?

The RedirectTo URL is the URL listed in the Dashboard in Emails > Templates > Change Password Template.

  1. Is there a way to configure the Redirect URL and length of time the change password link is valid?

You can configure the URL Lifetime and Redirect To values in the Dashboard by going to Emails > Templates > Change Password Template.