We are following a lazy migration approach for a project, and sometimes users who exist in our db, but not on Auth0, are blocked by brute force protection.
They see a message that they will receive an unblock email, but they do not receive one.
Is this the expected behaviour? The email works fine for users who are migrated to Auth0.
Hi @shivam.jain,
Thanks for reaching out to the Auth0 Community!
You will need to enable the Send notifications to the affected users feature in your Brute Force Protection settings on the Auth0 Dashboard.
Once that is complete, your users will get an email to unblock themselves.
See Brute-Force Protection for more details.
Hope this helps!
Please let me know if you have any further questions.
Thank you.
Hi @rueben.tiow, thanks for your reply.
We have already turned on the flag, and users who are migrated to Auth0 are receiving the email.
My question is about users who are yet to be migrated to Auth0.
They exist on my application, but after 5 incorrect attempts, they are blocked on Auth0 and Auth0 doesn't send them an email. Is this expected?
Hi @shivam.jain,
Thank you for your response.
AFAIK, the user can only be blocked if they exist in the Auth0 database. You mentioned that the user is blocked on Auth0, could you please clarify if you see the blocked user profile in your list of users?
Moreover, the user can unblock themselves by performing a Password Reset.
I am looking forward to your reply.
Thanks.
Hi @rueben.tiow, we are following lazy migration, and there are users who exist in our database, but are not migrated to Auth0 yet. So if an unmigrated user tries to log in, and attempts 5 incorrect attempts, they are blocked on Auth0, but since they are not migrated yet, they don't receive an email.
Hope that clears your question.
Hi @shivam.jain,
Thank you for your response and clarification.
Firstly, I noticed you mentioned that the user gets blocked after 5 incorrect login attempts. However, by default, the Brute Force Protection login threshold setting is set to 10. I’m guessing there was a time where you changed the login threshold and set it to 5.
Given that, could you please double-check that you have enabled the Send notifications to the affected users switch?
After enabling this switch, your blocked users can unblock themselves through the unblocking email.
Please let me know how this goes for you.
Thank you.