I found in the docs that a blocked user can get automatically unblocked after 30 days since their last unsuccessful login. Is there any way to turn this feature off, or extend the 30-day window? Ideally we would like users to only be able to be unblocked via the manual action of an admin.
Failing that, is there any way you would suggest to handle extending a user’s blocked period until admin intervention?
You can turn this feature off by going to your Auth0 Dashboard → Security → Attack Protection → Brute-force Protection, and there will be a toggle on the right-hand side where you can enable/disable that.
Unfortunately, as of now the period cannot be extended, but you can advocate for that using our Feedback category here: Feedback - Auth0 Community
Currently it is not doable to achieve precisely what you want because of the fact that this part of our stack is not highly customisable because of security reasons, and kind of the fact that, in this form as it stands right now, it’s an ultimate flow for most of the cases that our users have.