Account Has Been Blocked - Brute Force Protection Allows Login from a New IP

Last Updated: Dec 3, 2024

Overview

The tenant has Brute Force Protection enabled, but it has been observed that it does not behave as expected when a VPN (that is, a different source IP address) is used.

Here is a list of steps to illustrate the problem:

  1. Log in to the website at “example.com” and deliberately enter the wrong password until the account is blocked.
  2. Then, try logging in using a different IP address (for example, using a VPN or another computer on a different network).
  3. Enter the correct username and password. The system will allow the login via this new IP address.

This article clarifies why the login is permitted in the circumstances described above and how to change this behavior.

Applies To

  • Brute Force Protection
  • Brute Force Protection Response
  • Security
  • Tenant Login

Cause

This is not a defect. It is the intended behavior.

Solution

Auth0 offers the choice of permitting login from a new IP address even though the account may initially appear to be blocked. This behavior can be justifiable in some circumstances, so we give customers that option.

However, there is another option in the dashboard that enforces the blocking behavior more strictly.

Within the dashboard, go to the Brute Force Protection configuration screen:

  • Scroll down to the Response section and find the option “Account Lockout”. If this toggle is enabled, Auth0 will lock out an account, regardless of IP address, whenever numerous unsuccessful login attempts are detected.
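
The difference between the two behaviors can be modeled in a few lines. The following is an added illustration, not Auth0 code: it counts failed attempts per (username, IP) when “Account Lockout” is off and per username when it is on, replays the steps from the Overview, and shows that only the second mode blocks the login from the new IP. The threshold, usernames, and IP addresses are constructed values.

```python
from collections import defaultdict

MAX_ATTEMPTS = 10  # constructed threshold; the real limit is set in the tenant dashboard


class BruteForceModel:
    """Simplified model of the two blocking behaviors described above.

    account_lockout=False: failures are counted per (username, source IP), so a block
                           applies only to that IP and a new IP can still log in.
    account_lockout=True:  failures are counted per username, so once blocked the
                           account is locked regardless of the source IP.
    Counter handling after a successful login is not modeled.
    """

    def __init__(self, account_lockout: bool, max_attempts: int = MAX_ATTEMPTS):
        self.account_lockout = account_lockout
        self.max_attempts = max_attempts
        self.failures = defaultdict(int)
        self.blocked = set()

    def _key(self, username: str, ip: str):
        return username if self.account_lockout else (username, ip)

    def attempt(self, username: str, ip: str, password_ok: bool) -> str:
        key = self._key(username, ip)
        if key in self.blocked:
            return "blocked"
        if password_ok:
            return "success"
        self.failures[key] += 1
        if self.failures[key] >= self.max_attempts:
            self.blocked.add(key)
            return "blocked"
        return "wrong_password"


def reproduce_scenario(account_lockout: bool) -> tuple:
    """Replay the Overview steps; returns (result from same IP, result from new IP)."""
    model = BruteForceModel(account_lockout)
    for _ in range(MAX_ATTEMPTS):  # step 1: wrong password until the account is blocked
        model.attempt("alice", "203.0.113.10", password_ok=False)
    same_ip = model.attempt("alice", "203.0.113.10", password_ok=True)
    new_ip = model.attempt("alice", "198.51.100.7", password_ok=True)  # steps 2 and 3
    return same_ip, new_ip


if __name__ == "__main__":
    print("Account Lockout off:", reproduce_scenario(False))  # ('blocked', 'success')
    print("Account Lockout on: ", reproduce_scenario(True))   # ('blocked', 'blocked')
```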

Related References