Blocked user able to login via Biometrics

Problem Statement

We noticed that when a user's account is locked after multiple incorrect login attempts (username + password), the account shows as blocked in Auth0, but the user can still log in successfully with biometrics.

Steps to Reproduce

  • Enable Brute Force Protection → you can customize how many attempts are allowed before a block and enable Account Lockout
  • Enable MFA → WebAuthn with FIDO Device Biometrics
  • Dashboard → Authentication → Authentication Profile → set Identifier First + Biometrics
  • Make a first successful login to set the biometrics
  • Fail n login attempts until the user is blocked, then use the “Use Fingerprint or Face Recognition” link.
  • Now you can log in with biometrics

Solution

Currently, this is the expected behavior. The brute force lock applies to username/password attempts (to prevent credential stuffing). Biometrics is a separate, valid authentication method and is not expected to be blocked.
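Because the lock is scoped to the password factor rather than the account, a tenant that wants visibility into this gap has to look for it in the logs. The following is an added example (not Auth0's code or part of this article): it walks a constructed Auth0-style log stream in time order, tracks which users are under a brute-force block, and reports any successful login that happens while the block is still in place, together with the method used. The event-type codes `fp`, `limit_wc` and `s` are Auth0 log codes as I recall them and should be verified against your tenant's log export; the `unblock` event type, the `method` field, the user ids and the timestamps are constructed for the example.

```python
"""Flag successful logins by accounts that are still brute-force blocked.

Added example, not Auth0's code. Models the behaviour described in the
article: a lock triggered by repeated bad passwords does not stop a
WebAuthn / biometric login, so such logins are worth surfacing.
"""
from collections import Counter
from typing import Dict, Iterable, List

# Auth0 log event codes as I recall them; verify against your tenant.
FAILED_PASSWORD = "fp"        # failed login, incorrect password
ACCOUNT_BLOCKED = "limit_wc"  # account blocked by brute-force protection
SUCCESS_LOGIN = "s"           # successful login
# Placeholder (assumption): how an administrative unblock appears in your export.
ACCOUNT_UNBLOCKED = "unblock"

# Constructed sample log stream. The 'method' field is constructed too; the
# real export may carry this information under a different key.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"date": "2024-05-01T10:00:01Z", "type": SUCCESS_LOGIN,    "user_id": "auth0|alice", "method": "password"},
    {"date": "2024-05-01T10:01:10Z", "type": FAILED_PASSWORD,  "user_id": "auth0|bob",   "method": "password"},
    {"date": "2024-05-01T10:01:15Z", "type": FAILED_PASSWORD,  "user_id": "auth0|bob",   "method": "password"},
    {"date": "2024-05-01T10:01:20Z", "type": FAILED_PASSWORD,  "user_id": "auth0|bob",   "method": "password"},
    {"date": "2024-05-01T10:01:21Z", "type": ACCOUNT_BLOCKED,  "user_id": "auth0|bob",   "method": "password"},
    # Bob is blocked for passwords but completes a biometric (WebAuthn) login.
    {"date": "2024-05-01T10:02:05Z", "type": SUCCESS_LOGIN,    "user_id": "auth0|bob",   "method": "webauthn"},
    {"date": "2024-05-01T10:05:00Z", "type": FAILED_PASSWORD,  "user_id": "auth0|carol", "method": "password"},
    {"date": "2024-05-01T10:05:03Z", "type": ACCOUNT_BLOCKED,  "user_id": "auth0|carol", "method": "password"},
    # Carol is unblocked by an admin before logging in again: not a finding.
    {"date": "2024-05-01T10:30:00Z", "type": ACCOUNT_UNBLOCKED, "user_id": "auth0|carol", "method": "admin"},
    {"date": "2024-05-01T10:31:00Z", "type": SUCCESS_LOGIN,    "user_id": "auth0|carol", "method": "password"},
]


def find_logins_during_lockout(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return successful logins that occurred while the user was blocked.

    Events are processed in timestamp order (ISO-8601 strings with a common
    format sort correctly as text). A user enters the blocked set on an
    ACCOUNT_BLOCKED event and leaves it on ACCOUNT_UNBLOCKED; any SUCCESS_LOGIN
    seen in between is a finding, whatever method produced it.
    """
    blocked: set = set()
    findings: List[Dict[str, str]] = []
    for ev in sorted(events, key=lambda e: e["date"]):
        uid, kind = ev["user_id"], ev["type"]
        if kind == ACCOUNT_BLOCKED:
            blocked.add(uid)
        elif kind == ACCOUNT_UNBLOCKED:
            blocked.discard(uid)
        elif kind == SUCCESS_LOGIN and uid in blocked:
            findings.append({
                "user_id": uid,
                "date": ev["date"],
                "method": ev.get("method", "unknown"),
            })
    return findings


def count_by_method(findings: Iterable[Dict[str, str]]) -> Dict[str, int]:
    """Summarise findings by login method, e.g. {'webauthn': 1}."""
    return dict(Counter(f["method"] for f in findings))


if __name__ == "__main__":
    hits = find_logins_during_lockout(SAMPLE_EVENTS)
    for h in hits:
        print(f"{h['date']} {h['user_id']} logged in via {h['method']} while blocked")
    print("by method:", count_by_method(hits))
```

On the constructed stream this reports only Bob's WebAuthn login; Carol's password login after the administrative unblock is not flagged. Whether such a finding is acceptable is a policy decision for the tenant, since the article states the behaviour is intended; the check simply makes it visible.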