Brute Force Protection not Working with a Specific Connection

Problem statement

The users are labeled as blocked by Bruteforce but they can login normally.


  • After the allowed attempts the user is not notified about being blocked in the Login UI
  • The user is labeled as blocked
  • The identifier with the username or email of the user is within the list of BFP


This issue is related to connections with Brute Force disabled by Management API (the Dashboard toggle is hidden).


This flag can be changed with Management API as follows :

PATCH /api/v2/connections/:connection_id

{ "options": { "brute_force_protection": true } }

Note: By default the value brute_force_protection" is set to true. Check that brute force protection (BFP) in enabled for the connection(s) in the Dashboard with this toggle below the “Disable Sign Ups”.

You’ll see that it disappears after you enable the “Improved brute force protection” toggle. This is because the feature of enabling/disabling BFP within each connection will be deprecated, and it’s not supposed to appear. But, when it’s updated to “false” with the Management API, it appears to be re-enabled easily.