Brute-Force Unblock Link in Emails Consumed by Security Scanners

lihua.zhang · April 14, 2023, 7:42pm

Last Updated: Jul 3, 2024

Overview

There is an issue with the emails that are being sent when an account is blocked by Brute-Force Protection. Auth0 sends an email to the user whose account has been blocked, but when the user clicks on the unblock link in the email, they will get this error:

The URL can be used only once.

However, when checking the user’s profile, the account appears as unblocked.

Applies To

Brute Force Protection
Unblock account
Unblock Email

Steps to reproduce

The steps to reproduce the issue:

Enable brute force protection.
Trigger brute force protection as a test user.
Use the unblock link sent to their email.
Due to Safelinks or something similar, the email client must have consumed the link, and the The URL can be used only once error page is generated.
The user is, however, already unblocked.

Cause

3rd-party email security scanning software is activating the link.

Solution

Currently, there is no workaround for this particular issue. Make sure there is not a service that opens the unblock user link. A GET request consumes the links as of February 2024. Please leave feedback to our product team if it is desired to have links consumed with the POST requests.

Topic		Replies	Views
No Logs Left When Clicking Brute-Force Unblock Link Received via Email in Specific Environment Request Integration	0	42	September 24, 2024
Getting Authentication error "URL can be used only once' from the Brute-force blocked email Get Help attack-protection , brute-force-protection	2	32	March 31, 2025
Unblocking Email Get Help attack-protection , brute-force-protection	6	1234	May 30, 2023
Unblock account email link -> error page url already used Get Help bug , blocked-account	4	4158	October 29, 2024
Error “Your Account has been Blocked After Multiple Consecutive Login Attempts” Knowledge Articles security , brute-force , attack-protection , brute-force-protection	1	23044	July 28, 2022