Brute-Force Protection
Brute-force protection safeguards your tenant against attackers who use a single IP address to target a single user account. By default, Brute-force protection is enabled when you create an Auth0 tenant.
When a given IP address tries and fails multiple times to log in as the same user, brute-force protection:
Blocks the suspicious IP address from logging in as that user.
Sends a notification to the affected user.
Brute-force protection safeguards apply to all users, including tenant administrators. Ensure your tenant has a secondary administrator in order to unblock other administrator accounts.
Block removal events
If an IP address is blocked due to brute-force protection, it remains blocked until one of these events occurs:
An administrator removes the block.
An administrator raises the Brute Force Threshold described below.
Thirty (30) days pass from the last failed login attempt.
The affected user selects the unblock link in the email notification (if configured).
The affected user changes their password (on all linked accounts).
In cases where a user's account (email) is linked through multiple connections, such as an OTP account and a database account, and they change their password on only one, the block will not be removed. The user must change their passwords on each account (connection type).
Brute Force Threshold behavior
Auth0 applies brute-force protection for a given user identifier after that user consecutively fails to authenticate a number of times equal to your configured Brute Force Threshold.
Auth0 applies these protections immediately after we complete the processing of the failed login attempt that meets the threshold.
If you're using an Auth0 SDK that uses asynchronous methods, you may notice that a user identifier can submit more authentication requests successively to your application than your configured Brute Force Threshold.
Although it appears that your threshold is not being enforced, Auth0 immediately applies brute-force protection after we receive and process the request that meets the Brute Force Threshold, and then responds to any subsequent requests from the given user identifier with an HTTP 429 too_many_attempts error.
Configure brute-force protection
Auth0 strongly recommends that you do not disable brute-force protection for the connection. If you disable it, you can enable it again using the Dashboard.
Enabling attack protection features without any response settings enabled activates Monitoring mode, which records related events in your tenant log only. To learn more, read View Attack Protection Log Events.
Go to Dashboard > Security > Attack Protection and select Brute-force Protection. Enable the toggle at the top of the page if it is disabled.
In the Detection section:
Under Brute Force Threshold, select Default to set the attempts threshold to 10 or select Custom to set the attempts threshold to a value between 1 and 100.
Under Manage IP Addresses, enter the list of trusted IP addresses in the IP AllowList field. Brute-force protection will not be enforced for login attempts originating from these IP addresses.
In the Response section:
Under Block Settings, enable the Block Brute-force Logins toggle to block attempts from suspicious IP addresses to safeguard against brute-force attacks that occur from a single IP address and target a single user identifier.
Under Block Settings, enable Account Lockout to trigger blocks irrespective of IP address. When this setting is enabled and a user consecutively attempts and fails to login, future attempts to log in from that user identifier from any IP address will be blocked. You can adjust maximum attempts under Brute Force Threshold. By default, the Account Lockout toggle is disabled.
Under Notifications, enable the Send notifications to the affected users toggle to send an email notification to the user when their account has been blocked.
Click Save.
Notifications
If Send notifications to the affected users is enabled, Auth0 sends an SMS or email notification to a user when their account has been blocked.
SMS
Auth0 sends an SMS to the user if they use a phone identifier in the login flow. SMS notifications are limited at a maximum of 1 per hour per identifier.
Auth0 sends an email to the user if they use a non-phone identifier in the login flow. Email notifications are limited at a maximum of 1 per hour per unique IP address.
By default, email notifications contain a link that allows the user to unblock their account. To learn more, read Customize Blocked Account Emails.
Special use cases
Because brute-force protection depends on the IP address of the user, the following use cases require additional configuration.
Resource Owner Password (ROP) flow
To ensure brute-force protection works correctly when using the ROP flow, you must configure your application to include the user’s IP address in requests using the auth0-forwarded-for header.
To learn more, read Avoid Common Issues with Resource Owner Password Flow and Attack Protection.
Proxies and shared IP addresses
Users behind a proxy are more likely to reach set limits and trigger brute-force protection.
Use the IP AllowList feature to exempt a specific IP address or CIDR range from triggering brute-force protection.