Brute-Force unblock link in emails consumed by security scanners

Problem statement

Users see the below error when clicking on the unblock link they receive in the email that’s triggered by Brute-Force Protection. However, if checking the user profile, the account was unblocked.

The URL can be used only once

Steps to reproduce

  1. Enable brute force protection.
  2. Trigger brute force protection as a test user.
  3. Use the unblock link sent to their email.
  4. Due to Safelinks or something similar, the email client must have consumed the link. And you get the “This URL may only be consumed once” error page.
  5. But the user is already unblocked.


Our engineering team is aware of this issue, and there is a backlog item to track this progress. We currently don’t have a workaround, but we will update this FAQ once further progress is available.

1 Like