We are facing an issue with the Auth0 Forgot Password API being abused through what appears to be a brute-force style attack.
Currently, the API is receiving nearly 1000 requests from the same IP, which results in thousands of password reset emails being triggered. This is causing email flooding and a poor user experience.
We have already enabled Brute-Force Protection in the Auth0 Dashboard with the default configuration. However, the protection does not seem to be limiting or blocking these repeated requests as expected.
Our requirement:
We want to restrict the Forgot Password API to:
A maximum of 3 requests per IP address within a defined time window.
Automatically block or throttle further requests from the same IP.
Questions:
Why is Brute-Force Protection not restricting Forgot Password API calls in this scenario?
Is there a specific setting or rule required to enforce IP-based rate limiting for the Forgot Password endpoint?
What is the recommended Auth0 best practice to prevent mass password reset email abuse?
Please let us know the correct configuration or any additional security controls we should apply at the Auth0 level to resolve this issue.
We appreciate your support in helping us secure this endpoint.
The reason Brute-Force Protection is failing to stop this attack is that its architecture is designed to trigger based on failed authentication attempts (wrong passwords) against specific user accounts, so it won’t block an IP that is spreading its attempts across thousands of different email addresses.
To stop an IP-based flood of 1,000 requests, you must shift the defense to use Suspicious IP Throttling, which blocks traffic from any IP address that rapidly attempts too many logins or signups and helps protect your applications from high-velocity attacks that target multiple accounts, and Bot Detection, which mitigates scripted attacks by detecting when a request is likely coming from a bot. These features are tenant-wide and are designed to monitor traffic velocity and non-human behavior across your entire tenant rather than individual account failures.
While Auth0 does not allow you to set a custom “3 requests per IP” rule directly for the Forgot Password endpoint, you can achieve a similar result by configuring the Suspicious IP Throttling custom detection settings, such as the Login or Signup Thresholds, by setting the Maximum Attempts to a low value (e.g., 5 to 10) and adjusting the Throttling Rate (e.g., 100 per day). This ensures that if an IP hits your tenant’s public endpoints too quickly, it will be blocked.
For Bot Detection set the requirement to Always. This forces every “Forgot Password” request to pass a risk-score check. If the request is from a script, it will be challenged with a CAPTCHA or blocked, effectively stopping the 1,000-request automation regardless of the IP.
By combining these two security features you will follow Auth0’s best practice for safeguarding your applications against this type of threat.
I hope this helps, and if you have further questions please let me know!
Best regards,
Remus
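Applying the Suspicious IP Throttling thresholds from the reply above through the Auth0 Management API instead of the Dashboard, as an added example that is not part of this thread. The endpoint and field names are those of Management API v2 (PATCH /api/v2/attack-protection/suspicious-ip-throttling) as I know them; the tenant domain and token are placeholders read from the environment, and the network call only happens when a token is supplied.

```python
import json
import os
import urllib.request

MS_PER_DAY = 24 * 60 * 60 * 1000


def rate_per_day_to_interval_ms(attempts_per_day: int) -> int:
    """The Dashboard shows the Throttling Rate as attempts per day, but the
    Management API expects `rate` as the interval in milliseconds at which
    a new attempt is granted. 100 per day -> 864000 ms."""
    if attempts_per_day <= 0:
        raise ValueError("attempts_per_day must be positive")
    return MS_PER_DAY // attempts_per_day


def build_suspicious_ip_throttling(max_attempts: int, attempts_per_day: int,
                                   allowlist=()) -> dict:
    """Payload for PATCH /api/v2/attack-protection/suspicious-ip-throttling.
    The same low threshold is applied to the login and signup stages, since
    the reply recommends lowering both."""
    stage = {"max_attempts": max_attempts,
             "rate": rate_per_day_to_interval_ms(attempts_per_day)}
    return {
        "enabled": True,
        # block the offending IP and notify tenant admins when the limit is hit
        "shields": ["block", "admin_notification"],
        # known-good source IPs (e.g. your own monitoring) that must never be throttled
        "allowlist": list(allowlist),
        "stage": {"pre-login": dict(stage), "pre-user-registration": dict(stage)},
    }


def apply_settings(domain: str, token: str, payload: dict) -> dict:
    """Send the PATCH with a Management API token holding update:attack_protection."""
    req = urllib.request.Request(
        f"https://{domain}/api/v2/attack-protection/suspicious-ip-throttling",
        data=json.dumps(payload).encode(), method="PATCH",
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # values suggested in the reply: 5 attempts, throttled to 100 per day
    payload = build_suspicious_ip_throttling(max_attempts=5, attempts_per_day=100)
    print(json.dumps(payload, indent=2))
    if os.environ.get("AUTH0_MGMT_TOKEN"):  # AUTH0_DOMAIN/AUTH0_MGMT_TOKEN are placeholders
        print(apply_settings(os.environ["AUTH0_DOMAIN"], os.environ["AUTH0_MGMT_TOKEN"], payload))
```

Review the resulting settings in the Dashboard afterwards, since the API `rate` value is displayed there converted back to attempts per day.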