Brute-Force Protection

Brute-force protection safeguards against a single IP address attacking a single user account. When the same IP address tries and fails multiple times to log in as the same user, brute-force protection:

  • Sends email to the affected user.

  • Blocks the suspicious IP address from logging in as that user.

If an IP address is blocked due to brute-force protection, it remains blocked until one of these events occurs:

  • The affected user selects the unblock link in the email notification (if configured).

  • The affected user changes their password (on all linked accounts).

  • An administrator removes the block.

  • An administrator raises the Login Threshold described below.

In cases where a user's account (email) is linked through multiple connections, such as an OTP account and a database account, and they change their password on only one, the block will not be removed. The user must change their passwords on each account (connection type).

Configure brute-force protection

Auth0 strongly recommends that you do not disable brute-force protection for the connection. If you disable it, you can enable it again using the Dashboard.

Enabling attack protection features without any response settings enabled activates Monitoring mode, which records related events in your tenant log only. To learn more, read View Attack Protection Log Events.

  1. Go to Dashboard > Security > Attack Protection and select Brute-force Protection. Enable the toggle at the top of the page if it is disabled.


  2. In the Detection section:

    1. In Maximum Attempts, set the number of consecutive, failed login attempts that trigger a block. The default number of attempts is 10, the minimum is 1, and the maximum is 100. Changing this setting does not restart Auth0’s count of login attempts. Increasing the number raises the threshold, and so can unblock users who were previously blocked. Decreasing the number lowers the threshold, and so can block users. In default mode (Account Lockout disabled), the threshold is the number of failed logins by a user identifier from a specific IP address. If you enable Account Lockout mode, the threshold is the number of failed logins from a user identifier irrespective of IP address.

    2. Under IP AllowList, enter the list of trusted IP addresses from which your users can access your resources. You can specify multiple addresses.

  3. In the Response section:

    1. Under Block Settings, enable the Block Brute-force Logins toggle to block attempts from suspicious IP addresses to safeguard against brute-force attacks that occur from a single IP address and target a single user account.

    2. By default, the Account Lockout toggle is disabled. In this mode, if a user attempts to log in from an IP address and consecutively fails above the number you set in the threshold above, future login attempts from that user at that IP address will be blocked. Other users attempting to log in from that IP address will not be blocked. Enable Account Lockout to trigger blocks irrespective of IP address. In this mode, if a user attempts to log in from any IP address and consecutively fails above the number you set in the threshold above, future login attempts from that user from any IP address will be blocked.

    3. Under Notifications, enable the Send notifications to the affected users toggle to send an email notification to the user when their account has been blocked.

  4. Click Save.
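The detection and response settings above define a small state machine: a consecutive-failure counter per user and IP (or per user alone in Account Lockout mode), a threshold that can be moved without resetting the counters, an IP allowlist that is never counted, an email on each block, and three unblock events. The following Python model is an added example, not Auth0 code and not a call to any Auth0 API; it reproduces those documented rules so that the two modes and the unblock conditions, including the linked-account caveat, can be exercised offline. Connection names, user names and IP addresses in it are constructed.

```python
import ipaddress
from collections import defaultdict


def check_threshold(n):
    # Same bounds as the Maximum Attempts setting: default 10, range 1..100.
    if not 1 <= n <= 100:
        raise ValueError("Maximum Attempts must be between 1 and 100")


class BruteForceGuard:
    """Toy model of the block rules above; not Auth0 code, no Auth0 API calls."""

    def __init__(self, max_attempts=10, account_lockout=False, ip_allowlist=()):
        check_threshold(max_attempts)
        self.max_attempts = max_attempts
        self.account_lockout = account_lockout
        self.ip_allowlist = {ipaddress.ip_address(ip) for ip in ip_allowlist}
        # Consecutive-failure counters, keyed by (connection, user, ip) in the
        # default mode and by (connection, user) in Account Lockout mode.
        self.failures = defaultdict(int)
        # Emails that would be sent, one per block event: (user, key).
        self.notifications = []

    def _key(self, connection, user, ip):
        if self.account_lockout:
            return (connection, user)
        return (connection, user, ip)

    def is_blocked(self, connection, user, ip):
        if ipaddress.ip_address(ip) in self.ip_allowlist:
            return False  # trusted addresses are never blocked
        return self.failures[self._key(connection, user, ip)] >= self.max_attempts

    def attempt(self, connection, user, ip, success):
        """Record one login attempt; returns 'blocked', 'ok' or 'failed'."""
        if ipaddress.ip_address(ip) in self.ip_allowlist:
            return "ok" if success else "failed"  # allowlisted IPs are not counted
        key = self._key(connection, user, ip)
        if self.failures[key] >= self.max_attempts:
            return "blocked"  # rejected before the credentials are even checked
        if success:
            self.failures[key] = 0  # a success ends the consecutive-failure run
            return "ok"
        self.failures[key] += 1
        if self.failures[key] == self.max_attempts:
            self.notifications.append((user, key))  # email the affected user
        return "failed"

    def set_max_attempts(self, n):
        """Change the threshold without restarting the counters, as documented."""
        check_threshold(n)
        self.max_attempts = n

    def admin_unblock(self, user):
        """An administrator removes the block on every connection for the user."""
        for key in list(self.failures):
            if key[1] == user:
                self.failures[key] = 0

    def password_changed(self, connection, user):
        """A password change clears the block only for that one connection."""
        for key in list(self.failures):
            if key[0] == connection and key[1] == user:
                self.failures[key] = 0


def demo():
    """Exercise the documented behaviours; returns the observations as a dict."""
    out = {}
    # Default mode: the block applies to one user at one IP (constructed addresses).
    g = BruteForceGuard(max_attempts=3)
    for _ in range(3):
        g.attempt("db", "alice", "203.0.113.10", success=False)
    out["alice_same_ip"] = g.is_blocked("db", "alice", "203.0.113.10")
    out["alice_other_ip"] = g.is_blocked("db", "alice", "203.0.113.11")
    out["bob_same_ip"] = g.is_blocked("db", "bob", "203.0.113.10")
    out["emails"] = len(g.notifications)
    # Raising Maximum Attempts unblocks; lowering it blocks again. No reset.
    g.set_max_attempts(5)
    out["after_raise"] = g.is_blocked("db", "alice", "203.0.113.10")
    g.set_max_attempts(3)
    out["after_lower"] = g.is_blocked("db", "alice", "203.0.113.10")
    # Linked accounts: a password change on one connection leaves the other blocked.
    for _ in range(3):
        g.attempt("otp", "alice", "203.0.113.10", success=False)
    g.password_changed("db", "alice")
    out["db_after_pw_change"] = g.is_blocked("db", "alice", "203.0.113.10")
    out["otp_after_pw_change"] = g.is_blocked("otp", "alice", "203.0.113.10")
    g.admin_unblock("alice")
    out["otp_after_admin"] = g.is_blocked("otp", "alice", "203.0.113.10")
    # Account Lockout mode: the block follows the user to any address except allowlisted ones.
    lock = BruteForceGuard(max_attempts=3, account_lockout=True,
                           ip_allowlist=["198.51.100.1"])
    for _ in range(3):
        lock.attempt("db", "carol", "203.0.113.20", success=False)
    out["carol_any_ip"] = lock.is_blocked("db", "carol", "203.0.113.99")
    out["carol_allowlisted_ip"] = lock.is_blocked("db", "carol", "198.51.100.1")
    return out
```

Running `demo()` shows the two things that most often surprise operators: raising the threshold silently unblocks everyone below the new value because the counts are kept, and a user linked across two connections stays blocked on the connection whose password was not changed until an administrator clears it.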

Special use cases

Because brute-force protection depends on the IP address of the user, the following use cases require additional configuration:

  • If you use the Resource Owner Password Grant from the backend of the application: Auth0 does not receive the user's IP address from this call; to make brute-force protection work correctly, configure your application to send the user's IP address as part of the request.

  • If you authenticate a large number of users from the same IP address: Users who are behind a proxy are more likely to reach the set limits and trigger brute-force protection.

To learn more, read Avoid Common Issues with Resource Owner Password Flow and Attack Protection.
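For the Resource Owner Password Grant case, the following Python is an added example, not Auth0 code, of a backend that forwards the end user's address with the token request. It uses the `auth0-forwarded-for` header that Auth0 documents for this purpose and assumes the application's "Trust Token Endpoint IP Header" setting is enabled (both come from Auth0's documentation, not from this page). The domain, client values, users and addresses are placeholders. The `client_ip` helper also shows how to pick the address to forward when your own proxy sits in front of the backend, since forwarding a client-supplied `X-Forwarded-For` entry would let a caller choose which address gets counted.

```python
import ipaddress
import json
import urllib.request


def forwardable_ip(value):
    """Validate the end user's address before it is placed in a header.

    Only a literal IP address is accepted, so a client can never smuggle an
    arbitrary string into the request; addresses that can never belong to a
    remote client are rejected as well. Returns the normalised address.
    """
    ip = ipaddress.ip_address(value)  # raises ValueError on anything that is not an IP
    if ip.is_loopback or ip.is_unspecified or ip.is_link_local or ip.is_multicast:
        raise ValueError(f"{value} cannot be a remote client address")
    return str(ip)


def client_ip(remote_addr, x_forwarded_for=None, trusted_proxies=0):
    """Pick the address the backend should forward to Auth0.

    remote_addr is the peer that connected to the backend. Each trusted proxy
    in front appends the address that connected to it, so the trustworthy
    entry is `trusted_proxies` places from the right end of X-Forwarded-For;
    anything further left was supplied by the client and is not trusted.
    """
    if trusted_proxies and x_forwarded_for:
        hops = [h.strip() for h in x_forwarded_for.split(",") if h.strip()]
        if len(hops) >= trusted_proxies:
            return hops[-trusted_proxies]
    return remote_addr


def build_token_request(domain, client_id, client_secret, username, password,
                        end_user_ip):
    """Return (url, headers, body) for a backend POST to /oauth/token.

    Without the auth0-forwarded-for header Auth0 sees only the backend's own
    IP, so every user's failures are counted against that single address.
    """
    headers = {
        "Content-Type": "application/json",
        "auth0-forwarded-for": forwardable_ip(end_user_ip),
    }
    body = json.dumps({
        "grant_type": "password",
        "username": username,
        "password": password,
        "client_id": client_id,
        "client_secret": client_secret,
    }).encode()
    return f"https://{domain}/oauth/token", headers, body


def exchange_password(domain, client_id, client_secret, username, password,
                      end_user_ip, timeout=10):
    """Perform the grant. This is the only function that touches the network."""
    url, headers, body = build_token_request(domain, client_id, client_secret,
                                             username, password, end_user_ip)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)
```

`build_token_request` is kept separate from `exchange_password` so the exact headers and body can be inspected (or unit-tested) without a tenant; the placeholder tenant name `YOUR_DOMAIN.auth0.com` in the checks below is not a real domain.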
