
Detect invalid login attempts and lock user in a rule


I have a requirement from a customer to block or force a password change after 5 invalid login attempts. Brute force is not configurable. How can I do this in a rule or other way?


Hey there @jstevenson! You can set up a rule that forces the end user to change their password after X amount of failed attempts. It’s also important to note that after 10 failed attempts from the same IP address, Brute Force protection kicks in as described here. Please let me know if this helps answer your questions. Thanks!


I wanted to follow up @jstevenson and see if you had any further questions on the subject. Thanks!


How do I know when an invalid login attempt happens and how do I know when those failed logins reach a limit?


I was able to confirm with support @jstevenson that Anomaly Detection should notify all tenant admins in the event of those failed logins being reached.
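
As an added example (not part of the thread and not Auth0's own code), one way to see when failed logins reach a limit is to count consecutive failures per user over exported tenant log events. The event fields (`type`, `user_name`, `ip`, `date`), the type codes `fp`, `fu` and `s`, and the sample records are assumptions constructed for illustration.

```javascript
// Added example: flag users whose consecutive failed logins reach a limit.
// Assumed log type codes: "fp" (wrong password), "fu" (invalid username), "s" (success).
const FAILED_TYPES = new Set(["fp", "fu"]);
const SUCCESS_TYPE = "s";

function usersOverLimit(events, limit = 5) {
  const streak = new Map();   // user -> current run of consecutive failures
  const flagged = new Map();  // user -> first event that reached the limit
  const ordered = [...events].sort((a, b) => new Date(a.date) - new Date(b.date));
  for (const ev of ordered) {
    const user = ev.user_name;
    if (!user) continue;                       // skip events without a username
    if (ev.type === SUCCESS_TYPE) {            // a successful login resets the run
      streak.set(user, 0);
      continue;
    }
    if (!FAILED_TYPES.has(ev.type)) continue;  // ignore unrelated event types
    const n = (streak.get(user) || 0) + 1;
    streak.set(user, n);
    if (n >= limit && !flagged.has(user)) {
      flagged.set(user, { user, reachedAt: ev.date, lastIp: ev.ip });
    }
  }
  return [...flagged.values()];
}

// Constructed sample events (not real tenant data).
const at = (min) => `2024-01-01T10:${String(min).padStart(2, "0")}:00.000Z`;
const sampleEvents = [
  ...[0, 1, 2, 3, 4].map((m) => ({ type: "fp", user_name: "alice@example.com", ip: "203.0.113.7", date: at(m) })),
  ...[0, 1, 2].map((m) => ({ type: "fp", user_name: "bob@example.com", ip: "198.51.100.4", date: at(m) })),
  { type: "s", user_name: "bob@example.com", ip: "198.51.100.4", date: at(3) },
  ...[4, 5].map((m) => ({ type: "fp", user_name: "bob@example.com", ip: "198.51.100.4", date: at(m) })),
];

console.log(usersOverLimit(sampleEvents));
```

The successful login in the middle of the second user's events resets that user's count, so only the first user reaches the limit of 5.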