Auth0 Home Blog Docs

Block user after 3 attempts of login

Hi everyone, I am trying to implement Auth0 in my app but I am facing some problems trying to block the user when attempting to login 3 or more times.

So far I discover the following:

  • Brute force: Not the same because it blocks the IP instead of the user.
  • Breached password detection: Not needed at all for now.
  • Rules: Are supposed to be triggered AFTER the user authenticates SUCCESSFULLY, so im not able to get failures for counting.

From my perspective this is a extremely basic feature, specially for a platform such this one. Am I missing something? Have anyone faced the same issue and is able to give me a hint?

Hey there @cristian.ames!

Looking at our stack it seems like the best tool for it should be Anomaly Detection (Bruteforce protection)

It will block all login attempts from that user from that IP, but any other user will still be able to login from any other IP. In the user profile you have a blocked_for array that mentions all the IPs blocked for that user.

Let me do some research on that!

Hi Conrad, thanks for checking in. I though the same at first but since I need to block the users instead this solution don’t work for my case. Besides that this ir by IP so if I change from computer or proxy I could have endless tries.

I need to block the user after 3 attempts of failed logins.

Maybe using rules or something?
Do you have some snippet of code to do that?

Unfortunately we don’t have such code snippet as far as I know. Let me work the best way for you how to handle that!

So we’ve discussed it internally and unfortunately it seems that if an attacker switches indefinitely its IP he can continue the attack. We are working on new features on the anomaly detection side of things to avoid this but unfortunately I’m not able to disclose any ETA.

Thanks a lot for bringing that up, definitely a good product feedback for the team!

Sad to hear that it’s not implemented yet, but thanks for taking that into account.

Hope it come to prod soon rather than later.

Sure! Thanks a lot advocating for it!