Brute-Force Protection Triggers and Actions
10 failed login attempts
This trigger occurs when there are 10 failed login attempts into a single account from the same IP address.
- Send an email to the affected user. (You can customize the email.)
- Block the suspicious IP address for that user.
If this block is triggered, it can be cleared the following ways:
- An administrator removes the block via the Dashboard (by clicking unblock for all IPs under the ACTIONS button when viewing the user's details) or by using the Management API.
- The user clicks on the unblock link provided in the email sent when the block went into effect.
- The user changes their password.
100 failed login attempts or 50 sign up attempts
A trigger occurs when there are 100 failed login attempts from one IP address using different usernames with incorrect passwords in 24 hours.
Another trigger occurs if there are 50 sign up attempts per minute from the same IP address.
- Notify dashboard administrator(s).
- Block suspicious addresses for 15 minutes.
If this block is triggered, additional access attempts are released one-at-a-time over the course of 24 hours until 100 attempts are allocated. This results in approximately 1 additional attempt every 15 minutes.
Auth0 emails the dashboard administrator(s) when this block is triggered. The email contains a link that the owner can click to navigate to tenant logs to examine which IPs have been blocked. Recent blocks can be found using this query:
Blocks can then be removed using the Management API.