Hi @john.tram,
Welcome to the Auth0 Community!
Usually, blocked accounts are due to Auth0’s Attack Protection features. In this case, I suspect that Auth0’s Brute-Force protection feature blocked your end-user. When Brute Force protection blocks these users, an email is sent to them to unblock themselves.
Regarding your question on setting the login threshold, you can do so by configuring the Login Threshold option in the Brute Force Protection settings.
You may find our documentation on Configuring Brute Force useful: https://auth0.com/docs/configure/attack-protection/brute-force-protection#configure-brute-force-protection
Please let me know if you have any questions. I would be happy to help.