
Brute-force protection determines how Auth0 responds to multiple failed attempts to log into a user account from a single IP address. You can configure brute-force protection to:
  • Block the originating IP address from logging in as that user
  • Prevent all login attempts for that user
  • Notify the user via email or SMS
By default, brute-force protection is enabled when you create an Auth0 tenant. Brute-force protection applies to all users, including tenant administrators. We strongly recommend keeping brute-force protection enabled for your connections and having a secondary tenant administrator in order to unblock other administrator accounts.

Configure brute-force protection

You can enable, customize, and disable brute-force protection from Dashboard > Security > Attack Protection > Brute-force Protection, which has the following settings:
  • The toggle at the top of the page enables and disables brute-force protection. The current state is shown in the Enabled / Disabled status indicator.
  • The Detection section contains the brute force threshold and the IP AllowList settings.
  • The Response section contains block settings and notifications settings.
If you enable brute-force protection but disable all response settings, the status indicator changes to Monitoring and Auth0 records attack protection events in your tenant log but takes no further action.
To ensure brute-force protection works when using the Resource Owner Password (ROP) flow, you must configure your application to send the user’s IP address using the auth0-forwarded-for header.

Brute force threshold

The brute force threshold is the number of incorrect login attempts allowed from a single IP address to a single user identifier before triggering brute-force protection. There are two options:
  • Default sets the brute force threshold to 10.
  • Custom lets you set the brute force threshold to a value between 1 and 100.
Immediately after we finish processing the failed login attempt that meets your specified brute force threshold, we apply the attack mitigation protections you have selected. When using an Auth0 SDK with asynchronous methods, more authentication requests for a single user identifier may be submitted in succession than your configured brute force threshold allows. However, once a request meets the brute force threshold, we respond to subsequent requests for the given user identifier with an HTTP 429 too_many_attempts error.

IP AllowList

The IP AllowList is a comma-separated list of IPv4 or IPv6 addresses or ranges in CIDR notation. Login attempts originating from IP addresses on the IP AllowList are exempt from brute-force protection. You can use the IP AllowList to specify trusted IP addresses or ranges for situations like having users behind a proxy.

Block settings

Brute-force protection’s block settings determine if and how Auth0 blocks additional login attempts to a specific user account when brute-force detection is triggered. There are two options:
  • Block Brute-force Logins blocks additional login attempts to the given user identifier from the IP address that triggered brute-force protection. This is enabled by default.
  • Account Lockout blocks all login attempts to the given user identifier. This is disabled by default.
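The threshold, IP AllowList and block-setting rules above can be summarised in a small reference model. The code below is an added illustration written for this page, not Auth0's implementation: it counts failed attempts per (user identifier, IP) pair, exempts IPs on a comma-separated allowlist of addresses or CIDR ranges, and after the threshold-meeting failure either blocks that IP for that user (Block Brute-force Logins) or locks the whole account (Account Lockout), answering later requests with 429 too_many_attempts. The `unblock` method and the class name are assumptions chosen for the example.

```python
import ipaddress
from collections import defaultdict

TOO_MANY_ATTEMPTS = (429, "too_many_attempts")  # response after the threshold is met


class BruteForceModel:
    """Simplified model of the detection/response rules (constructed example)."""

    def __init__(self, threshold=10, allowlist="", account_lockout=False):
        if not 1 <= threshold <= 100:  # Custom threshold range on the page
            raise ValueError("threshold must be between 1 and 100")
        self.threshold = threshold
        self.account_lockout = account_lockout
        # IP AllowList: comma-separated IPv4/IPv6 addresses or CIDR ranges.
        self.allowlist = [ipaddress.ip_network(s.strip(), strict=False)
                          for s in allowlist.split(",") if s.strip()]
        self.failures = defaultdict(int)  # (user, ip) -> failed attempts
        self.blocked_pairs = set()        # (user, ip) blocked for that IP only
        self.locked_users = set()         # users blocked from every IP

    def is_allowlisted(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.allowlist)

    def attempt(self, user, ip, password_ok):
        """Return ('ok',), ('invalid',) or (429, 'too_many_attempts')."""
        # An existing block applies even when the credentials are correct.
        if user in self.locked_users or (user, ip) in self.blocked_pairs:
            return TOO_MANY_ATTEMPTS
        if password_ok:
            return ("ok",)
        if self.is_allowlisted(ip):  # allowlisted sources are never counted
            return ("invalid",)
        self.failures[(user, ip)] += 1
        if self.failures[(user, ip)] >= self.threshold:
            # Mitigation is applied after this attempt; it still gets 'invalid'.
            if self.account_lockout:
                self.locked_users.add(user)
            else:
                self.blocked_pairs.add((user, ip))
        return ("invalid",)

    def unblock(self, user):
        """Clear a block, as an admin removal or password change would."""
        self.locked_users.discard(user)
        self.blocked_pairs = {p for p in self.blocked_pairs if p[0] != user}
        self.failures = defaultdict(int, {k: v for k, v in self.failures.items()
                                          if k[0] != user})
```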

Notifications

If Send notifications to the affected users is enabled, Auth0 sends an SMS or email notification to a user when their account has been blocked. Auth0 sends an SMS to the user if they use a phone identifier in the login flow. SMS notifications are limited to a maximum of 1 per hour per identifier. Auth0 sends an email to the user if they have an email address associated with their account. Email notifications are limited to a maximum of 1 per hour per unique IP address. By default, blocked account email notifications contain a link that allows the user to unblock their account.

Remove brute-force protection blocks

Brute-force protection blocks remain in effect until one of the following events occurs.
  • Thirty (30) days pass from the last failed login attempt.
  • An administrator removes the brute-force protection block with the Management API using one of the following endpoints:
Tenant administrator blocks are handled separately from brute-force protection blocks. Learn more about removing tenant administrator blocks.
  • An administrator raises the brute force threshold.
  • The affected user selects the unblock link in the email notification, if configured.
  • The affected user changes their password. If a user’s account is linked through multiple connection types, like an OTP account and a database account, they must change their password on all linked accounts in order to remove the block.
