Problem Statement
We noticed that when a user is blocked after multiple incorrect login attempts (username + password), the account shows as blocked in Auth0, but the user can still log in successfully with biometrics.
Steps to Reproduce
- Enable Brute Force Protection → can customize how many attempts before block and enable Account Lockout
- Enable MFA → WebAuthn with FIDO Device Biometrics
- Dashboard → Authentication → Authentication Profile → set Identifier First + Biometrics
- Make a first successful login to set the biometrics
- Fail n login attempts until the user is blocked, then use the “Use Fingerprint or Face Recognition” link.
- The login with biometrics now succeeds.
Solution
Currently, this is the expected behavior. The brute force lock applies to username/password attempts (to prevent credential stuffing). Biometrics (WebAuthn) is a separate, valid authentication method and is not expected to be blocked.
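As an added defender-side example (not from this article or Auth0's own code), the following Python flags successful logins that follow a brute-force block on the same user within a time window, so that such logins can be reviewed in tenant logs rather than overlooked. The log field names and event type codes are assumptions modelled on Auth0 tenant logs, and the sample events are constructed.

```python
"""Flag successful logins that occur shortly after a brute-force block
on the same user. Sample events are constructed; field names (type,
user_id, date) are assumed to follow Auth0's tenant log shape."""
from datetime import datetime

# Assumed Auth0 log event type codes (verify against your tenant's log docs).
BLOCKED = "limit_wc"   # account blocked by brute-force protection
SUCCESS = "s"          # successful login (any method, including WebAuthn)

# Constructed sample: two password failures, a block, then a biometric login.
SAMPLE_LOGS = [
    {"type": "fp", "user_id": "auth0|alice", "date": "2024-05-01T10:00:00Z"},
    {"type": "fp", "user_id": "auth0|alice", "date": "2024-05-01T10:00:05Z"},
    {"type": BLOCKED, "user_id": "auth0|alice", "date": "2024-05-01T10:00:10Z"},
    {"type": SUCCESS, "user_id": "auth0|alice", "date": "2024-05-01T10:02:00Z"},
    {"type": SUCCESS, "user_id": "auth0|bob", "date": "2024-05-01T10:03:00Z"},
]


def _ts(value):
    """Parse the ISO-8601 UTC timestamp used in the sample events."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def logins_after_block(events, window_seconds=3600):
    """Return (user_id, date) pairs for successful logins that follow a
    brute-force block on the same user within window_seconds. Events are
    sorted by date so a block only affects logins that come after it."""
    last_block = {}
    hits = []
    for ev in sorted(events, key=lambda e: _ts(e["date"])):
        uid, when = ev["user_id"], _ts(ev["date"])
        if ev["type"] == BLOCKED:
            last_block[uid] = when
        elif ev["type"] == SUCCESS and uid in last_block:
            if (when - last_block[uid]).total_seconds() <= window_seconds:
                hits.append((uid, ev["date"]))
    return hits


if __name__ == "__main__":
    for uid, when in logins_after_block(SAMPLE_LOGS):
        print(f"review: {uid} logged in at {when} while brute-force blocked")
```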