Brute-force protection, which safeguards against brute-force attacks that occur from a single IP address and target a single user account, is enabled by default for all connections.
When triggered, brute-force protection will:
Send an email to the affected user. (You can customize the email.)
Block the suspicious IP address for the user.
In default mode (Account Lockout disabled), if a user attempts to log in from an IP address and consecutively fails 10 times, future login attempts for the user at that IP address will be blocked. Other users attempting to log in from that IP address will not be blocked.
When you enable Account Lockout, if a user attempts to log in and consecutively fails 10 times (from any IP address), future login attempts for the user at any IP address will be blocked.
If brute-force protection is triggered, the block will only be removed when:
The affected user clicks on the unblock link in the email notification (if configured).
The affected user changes their password.
An administrator removes the block.
Configure brute-force protection
Brute-force protection is enabled by default for all connections. Auth0 strongly recommends that you do not disable brute-force protection for the connection; however, you can disable and re-enable it using the Dashboard.
Go to Auth0 Dashboard > Security > Attack Protection, and select Brute-force Protection.
Enable the switch at the top of the page if it is disabled.
Under Response, click the down arrow next to Block users and IP AllowList.
Enable the Block Brute Force Logins switch to block attempts from suspicious IP addresses. This response safeguards against brute-force attacks that occur from a single IP address and target a single user account.
Enable the Send notifications to the affected user switch to send an email notification to the user when their account has been blocked.
Enable Account Lockout to trigger brute-force protections irrespective of IP address.
Under IP AllowList, you can create a list of trusted IP addresses from which your users can always access your resources.
Because brute-force protection depends on the IP address of the user, the following use cases require additional configuration:
Using the Resource Owner Password Grant from the backend of the application: Because the request originates from your backend, Auth0 does not receive the IP address of the user; to make brute-force protection work correctly, configure your application to send the IP address of the user as part of the request.
Authenticating a large number of users from the same IP address: Users who are behind a proxy are more likely to reach the set limits and trigger brute-force protection.
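The Resource Owner Password Grant case above, as an added example that is not Auth0's own code: a backend builds the token request so that the end user's address, not the backend's, is what Auth0 counts failures against. It uses Auth0's documented auth0-forwarded-for header (honoured only when "Trust Token Endpoint IP Header" is enabled for the application); the tenant domain and client credentials are placeholders, and the trusted-proxy set is an assumption about your deployment.

```python
"""Forward the end user's IP when calling Auth0's token endpoint with the
Resource Owner Password Grant from a backend (added example, not Auth0's code)."""
import ipaddress
import json
import urllib.request

TENANT_DOMAIN = "YOUR_TENANT.auth0.com"  # placeholder
CLIENT_ID = "YOUR_CLIENT_ID"              # placeholder
CLIENT_SECRET = "YOUR_CLIENT_SECRET"      # placeholder


def client_ip_from_request(remote_addr, x_forwarded_for, trusted_proxies):
    """Choose the address to forward to Auth0.

    X-Forwarded-For is client-writable, so only the hop appended by one of our
    own proxies is trusted: walk the chain from the right and stop at the first
    address that is not a known proxy. Forwarding an attacker-chosen value would
    let the per-IP block be sidestepped. Non-IP garbage raises ValueError."""
    hops = [remote_addr]
    if x_forwarded_for:
        hops = [h.strip() for h in x_forwarded_for.split(",")] + hops
    for hop in reversed(hops):
        if hop not in trusted_proxies:
            return str(ipaddress.ip_address(hop))
    raise ValueError("no client address outside the trusted proxies")


def build_token_request(username, password, user_ip):
    """Return (url, headers, body) for a ROPG call carrying the user's IP, so
    10 consecutive failures block that user + that IP, not every user behind
    the backend's single egress address."""
    url = f"https://{TENANT_DOMAIN}/oauth/token"
    headers = {
        "Content-Type": "application/json",
        "auth0-forwarded-for": str(ipaddress.ip_address(user_ip)),
    }
    body = json.dumps({
        "grant_type": "password",
        "username": username,
        "password": password,
        "client_id": CLIENT_ID,
        "client_secret": CLIENT_SECRET,
    }).encode()
    return url, headers, body


def request_token(username, password, user_ip):
    """Perform the call; a 429/403 from Auth0 here is the brute-force block firing."""
    url, headers, body = build_token_request(username, password, user_ip)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)
```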