Brute Force Protection Blocked User "User (email) attempted 10 consecutive logins unsuccessfully"

Problem statement

A user is blocked by Brute Force Protection. The log said:

“User (someone@example.com) attempted 10 consecutive logins unsuccessfully. Brute force protection is enabled for this connection, further attempts are blocked from this IP address for this user.”

Prior to this log message the user had many successful logins. The user did not see any failed login (wrong password) records.

Steps to reproduce

  1. Have a linked user (Username+Password and Google SSO)
  2. 5 Failed Logins with Username+Password
  3. 1 Successful Login with Google SSO
  4. Again, 5 Failed Logins with Username+Password
  5. The user is blocked by Brute Force Protection

Troubleshooting

  • Query the logs by username (email):

user_name:"someone@example.com"

  • Check if the user has linked accounts.
  • Search for /usernamepassword/login logs in OpenSearch

Solution

A successful login through a linked account (for example, Google SSO) does not reset the failed-login counter that Brute Force Protection keeps for the username and password connection. As a result, the user can keep logging in successfully through the linked account while failed username and password attempts continue to accumulate until the block is triggered.
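The following is an added example, not code from the original article or from the product it describes: a small model of the counter behaviour explained above, replayed over the reproduction steps. The connection names, the IP address and the threshold of 10 are assumptions taken from the page or constructed for the demonstration.

```python
from dataclasses import dataclass, field

THRESHOLD = 10  # consecutive failures quoted in the log message above

@dataclass
class BruteForceState:
    # consecutive failed username/password attempts, keyed by (user, ip)
    failures: dict = field(default_factory=dict)
    blocked: set = field(default_factory=set)

def record_login(state, user, ip, connection, success):
    """Apply one login event; return True if (user, ip) is now blocked."""
    key = (user, ip)
    if connection == "Username-Password-Authentication":
        if success:
            # Only a password success clears the password counter.
            state.failures[key] = 0
        else:
            state.failures[key] = state.failures.get(key, 0) + 1
            if state.failures[key] >= THRESHOLD:
                state.blocked.add(key)
    # Assumption modelled from the article: a success on a linked
    # connection (e.g. google-oauth2) leaves the password counter untouched.
    return key in state.blocked

def replay(events):
    """Replay (user, ip, connection, success) tuples in order.
    Returns the final state and the 1-based index of the first event
    at which the pair became blocked (None if it never did)."""
    state = BruteForceState()
    blocked_at = None
    for i, (user, ip, conn, ok) in enumerate(events, 1):
        if record_login(state, user, ip, conn, ok) and blocked_at is None:
            blocked_at = i
    return state, blocked_at

# Constructed sample data: the sequence from "Steps to reproduce".
USER, IP = "someone@example.com", "198.51.100.7"  # constructed values
PW, SSO = "Username-Password-Authentication", "google-oauth2"
REPRO = [(USER, IP, PW, False)] * 5 + [(USER, IP, SSO, True)] \
        + [(USER, IP, PW, False)] * 5
# Control: the same failures, but the success in the middle is a password login.
CONTROL = [(USER, IP, PW, False)] * 5 + [(USER, IP, PW, True)] \
          + [(USER, IP, PW, False)] * 5

if __name__ == "__main__":
    state, step = replay(REPRO)
    print(f"repro: blocked at event {step}, failures={state.failures[(USER, IP)]}")
    state, step = replay(CONTROL)
    print(f"control: blocked at {step}, failures={state.failures[(USER, IP)]}")
```

When checking a real ticket, compare the count of `/usernamepassword/login` failures for the user against the successes on the password connection only; successes on other connections do not break the streak.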