Brute-Force Protection

Brute-force protection, which safeguards against brute-force attacks that occur from a single IP address and target a single user account, is enabled by default for all connections. When triggered, brute-force protection will:

  • Send an email to the affected user.

  • Block the suspicious IP address for the user.

Once brute-force protection has triggered a block, the block is removed only when one of the following happens:

  • The affected user clicks on the unblock link in the email notification (if configured).

  • The affected user changes their password (on all linked accounts).

  • An administrator removes the block.

If a user's identity (the same email address) is linked across multiple connections, such as an OTP account and a database account, changing the password on only one of them does not remove the block. The user must change the password on each linked account (each connection type).

Configure brute-force protection

Auth0 strongly recommends that you do not disable brute-force protection for the connection. If you disable it, you can enable it again using the Dashboard.

Enabling attack protection features without configuring response settings activates Monitoring mode, which records related events in your tenant log only. The tenant log will contain information about whether the login was determined to be risky so you can decide whether to configure responses. To learn more, read View Attack Protection Log Events.

  1. Go to Dashboard > Security > Attack Protection and select Brute-force Protection. Enable the toggle at the top of the page if it is disabled.


  2. In the Detection section:

    1. Set the Login Threshold for the number of consecutive failed logins that must occur before triggering a block. The default number of attempts is 10, the minimum number is 1, and the maximum number is 100. In default mode (Account Lockout disabled), the threshold is the number of failed logins by a user identifier from a specific IP address. If you enable Account Lockout mode, the threshold is the number of failed logins from a user identifier irrespective of IP address.

    2. Under IP AllowList, enter the list of trusted IP addresses from which your users can access your resources. You can specify multiple addresses.

  3. In the Response section:

    1. Under Block Settings, enable the Block Brute-force Logins toggle to block attempts from suspicious IP addresses to safeguard against brute-force attacks that occur from a single IP address and target a single user account.

    2. By default, the Account Lockout toggle is disabled. In this mode, if a user attempts to log in from an IP address and consecutively fails above the number you set in the threshold above, future login attempts from that user at that IP address will be blocked. Other users attempting to log in from that IP address will not be blocked. Enable Account Lockout to trigger blocks irrespective of IP address. In this mode, if a user attempts to log in from any IP address and consecutively fails above the number you set in the threshold above, future login attempts from that user from any IP address will be blocked.

    3. Under Notifications, enable the Send notifications to the affected users toggle to send an email notification to the user when their account has been blocked.

  4. Click Save.
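The same settings can be applied with the Management API instead of the Dashboard. The example below is added here and is not Auth0's code: it turns the dashboard choices from the steps above into the PATCH body for the brute-force protection endpoint, enforces the threshold range, rejects malformed allowlist entries before they reach the API, and flags the "enabled but nothing blocked" Monitoring mode. The endpoint path and field names (`enabled`, `shields`, `allowlist`, `mode`, `max_attempts`) are taken from the Management API reference as I know it, not from this page; check them against the current API reference before use.

```python
"""Build the Management API payload for brute-force protection settings.

Added example, not Auth0 code.  Assumes the endpoint
PATCH /api/v2/attack-protection/brute-force-protection and its fields as
documented in the Management API reference (not on this page).
"""
import ipaddress

ENDPOINT = "/api/v2/attack-protection/brute-force-protection"  # assumed path


def brute_force_settings(*, login_threshold=10, ip_allowlist=(),
                         block_logins=True, account_lockout=False,
                         notify_users=True, enabled=True):
    """Map the Dashboard controls to the API body.

    login_threshold : Detection > Login Threshold (1..100, default 10)
    ip_allowlist    : Detection > IP AllowList (IPs or CIDR ranges)
    block_logins    : Response > Block Brute-force Logins toggle
    account_lockout : Response > Account Lockout toggle (count per identifier
                      regardless of IP instead of per identifier + IP)
    notify_users    : Response > Send notifications to the affected users
    """
    if not 1 <= login_threshold <= 100:
        raise ValueError("Login Threshold must be between 1 and 100")

    allowlist = []
    for entry in ip_allowlist:
        # Raises ValueError on anything that is not an IP or CIDR range, so a
        # typo cannot silently turn into a rejected (or over-broad) allowlist.
        ipaddress.ip_network(entry, strict=False)
        allowlist.append(entry)

    shields = []
    if block_logins:
        shields.append("block")
    if notify_users:
        shields.append("user_notification")

    mode = "count_per_identifier" if account_lockout else "count_per_identifier_and_ip"
    return {
        "enabled": enabled,
        "shields": shields,
        "allowlist": allowlist,
        "mode": mode,
        "max_attempts": login_threshold,
    }


def is_monitoring_only(settings):
    """True when protection is enabled but no response is configured: events
    are only written to the tenant log and nothing is blocked."""
    return bool(settings["enabled"]) and not settings["shields"]


if __name__ == "__main__":
    weak = brute_force_settings(block_logins=False, notify_users=False)
    hardened = brute_force_settings(login_threshold=5,
                                    ip_allowlist=["203.0.113.0/24"],  # constructed
                                    account_lockout=True)
    print("weak (monitoring only):", is_monitoring_only(weak), weak)
    print("hardened:", hardened)
```

Send the returned dictionary as the JSON body of a PATCH to `https://{your-tenant-domain}{ENDPOINT}` with a Management API token that has the `update:attack_protection` scope (scope name assumed from the API reference). Running `is_monitoring_only` on the GET response of the same endpoint is a quick check that a tenant is not silently in Monitoring mode.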

Special use cases

Because brute-force protection depends on the IP address of the user, the following use cases require additional configuration:

  • If you use the Resource Owner Password Grant from the backend of the application: With this flow Auth0 sees the IP address of your backend, not of the end user, so every user's failed attempts count against the same address. To make brute-force protection work correctly, configure your application to send the end user's IP address as part of the token request.

  • If you authenticate a large number of users from the same IP address: Users behind a shared proxy or NAT gateway are more likely to reach the login threshold and trigger brute-force protection for that address.

To learn more, read Avoid Common Issues with Resource Owner Password Flow and Attack Protection.
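To show what "send the IP address of the user as part of the request" looks like in practice, and why the proxy case needs care, here is an added example that is not Auth0's code. It derives the end user's IP from `X-Forwarded-For` while trusting only hops appended by proxies you control (a client can prepend arbitrary values, which would let an attacker spread failed logins across fake addresses or pin the block onto a victim's address), then builds the Resource Owner Password Grant token request carrying that IP. The `auth0-forwarded-for` header is Auth0's mechanism for this flow; it is not named on this page. The trusted proxy range, tenant domain and credentials are constructed placeholders.

```python
"""Backend Resource Owner Password Grant with the end user's IP forwarded.

Added example, not Auth0 code.  Assumes the auth0-forwarded-for request header
(documented for this flow, not named on this page); proxy ranges, domain and
credentials below are constructed placeholders.
"""
import ipaddress
import json

# Reverse proxies / load balancers you operate.  Only hops they append to
# X-Forwarded-For are trustworthy; anything to the left came from the client.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]  # constructed


def _is_trusted(addr):
    return any(addr in net for net in TRUSTED_PROXIES)


def client_ip(remote_addr, xff_header=None):
    """Return the real client IP.

    If the TCP peer is not one of our proxies, X-Forwarded-For is attacker
    controlled and ignored.  Otherwise walk the header from the right, skipping
    our own proxies; the first hop we did not add is the client.
    """
    peer = ipaddress.ip_address(remote_addr)
    if not _is_trusted(peer):
        return str(peer)
    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: stop trusting the chain, fall back to peer
        if not _is_trusted(addr):
            return str(addr)
    return str(peer)  # every hop was ours (or header empty): best we can do


def ropg_token_request(domain, client_id, client_secret, username, password, user_ip):
    """Build (url, headers, body) for POST /oauth/token with the user's IP.

    Without auth0-forwarded-for, Auth0 would attribute every attempt to the
    backend's own address.
    """
    url = f"https://{domain}/oauth/token"
    headers = {
        "content-type": "application/json",
        "auth0-forwarded-for": user_ip,
    }
    body = {
        "grant_type": "password",
        "username": username,
        "password": password,
        "client_id": client_id,
        "client_secret": client_secret,
    }
    return url, headers, json.dumps(body)


if __name__ == "__main__":
    # Constructed request as seen by the backend behind our proxy at 10.0.0.5:
    ip = client_ip("10.0.0.5", "1.2.3.4, 198.51.100.7")
    url, headers, body = ropg_token_request(
        "example.auth0.com", "CLIENT_ID", "CLIENT_SECRET",  # placeholders
        "jane@example.com", "correct horse battery staple", ip)
    print(ip)        # 198.51.100.7, the forged 1.2.3.4 is ignored
    print(url, headers)
```

Send the result with `requests.post(url, headers=headers, data=body)` (or `urllib.request`). Because the header is trusted by Auth0 as the user's address, derive it only with logic like `client_ip` above and never copy a raw `X-Forwarded-For` value into it.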
