You will need to check whether the brute_force_protection option is set to true for those connections. If this attribute is missing or set to false, it has to be set to true. Here are the instructions.
1- Get all the available connections for your tenant with the get all connections management API.
2- Find the connection id and the options object for the connection to which you need to add the brute_force_protection attribute. Here is an example from my tenant:
Connection id : con_KCVvhZ4XyXDM4OPf
{
  "options": {
    "mfa": {
      "active": true,
      "return_enroll_settings": true
    },
    "import_mode": false,
    "configuration": {},
    "disable_signup": false,
    "passwordPolicy": null,
    "password_history": {
      "size": 5,
      "enable": false
    },
    "strategy_version": 2,
    "requires_username": false,
    "password_dictionary": {
      "enable": false,
      "dictionary": []
    },
    "password_no_personal_info": {
      "enable": false
    },
    "password_complexity_options": {
      "min_length": 1
    },
    "enabledDatabaseCustomization": false
  }
}
3- Use the existing options object above and add "brute_force_protection": true as an additional attribute. Please note that you need to keep the existing fields in the options object, otherwise they will be lost while patching the connection.
4- Call the update a connection management API using the connection id and the modified options object.
Here is the sample for the connection in step 2 with the brute_force_protection option added.
{
  "options": {
    "mfa": {
      "active": true,
      "return_enroll_settings": true
    },
    "import_mode": false,
    "configuration": {},
    "disable_signup": false,
    "passwordPolicy": null,
    "password_history": {
      "size": 5,
      "enable": false
    },
    "strategy_version": 2,
    "requires_username": false,
    "password_dictionary": {
      "enable": false,
      "dictionary": []
    },
    "password_no_personal_info": {
      "enable": false
    },
    "password_complexity_options": {
      "min_length": 1
    },
    "enabledDatabaseCustomization": false,
    "brute_force_protection": true
  }
}
You will need to repeat these steps for all your connections listed below:
1- Auth0 DB
2- Auth0 DB with custom DB scripts
3- Active directory connections
4- Passwordless connections
For the connections which already have brute_force_protection set to true, you may skip updating them obviously. For other connection types, like social and other enterprise connections, you don’t need to make changes.
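The steps above can be scripted across a whole tenant. The following is an added example, not part of the original post or Auth0's own tooling: it takes the list returned by the get all connections API and builds, for each connection that needs it, a PATCH body containing the full existing options object plus brute_force_protection. The strategy names used to select connection types, the helper names, and the sample data are assumptions made for this example.

```python
import copy
import json
import urllib.request

# Assumption: strategy names for the connection types listed above
# (Auth0 DB incl. custom DB scripts, Active Directory, passwordless).
TARGET_STRATEGIES = {"auth0", "ad", "sms", "email"}


def plan_patches(connections):
    """Return {connection_id: PATCH body} for connections still missing the flag."""
    patches = {}
    for conn in connections:
        if conn.get("strategy") not in TARGET_STRATEGIES:
            continue  # social / other enterprise: no change needed
        # Copy the complete options object so no existing field is lost on PATCH.
        options = copy.deepcopy(conn.get("options") or {})
        if options.get("brute_force_protection") is True:
            continue  # already set to true, skip
        options["brute_force_protection"] = True
        patches[conn["id"]] = {"options": options}
    return patches


def apply_patches(domain, token, patches):
    """Send each planned body to PATCH /api/v2/connections/{id}."""
    for conn_id, body in patches.items():
        req = urllib.request.Request(
            f"https://{domain}/api/v2/connections/{conn_id}",
            data=json.dumps(body).encode(),
            method="PATCH",
            headers={"Authorization": f"Bearer {token}",
                     "Content-Type": "application/json"},
        )
        with urllib.request.urlopen(req) as resp:  # raises on HTTP errors
            resp.read()


# Constructed sample of a "get all connections" response (not real tenant data).
SAMPLE = [
    {"id": "con_EXAMPLE_DB", "strategy": "auth0",
     "options": {"mfa": {"active": True}, "disable_signup": False,
                 "brute_force_protection": False}},
    {"id": "con_EXAMPLE_AD", "strategy": "ad", "options": {}},
    {"id": "con_EXAMPLE_SMS", "strategy": "sms",
     "options": {"brute_force_protection": True}},
    {"id": "con_EXAMPLE_SOCIAL", "strategy": "google-oauth2", "options": {}},
]
```

Review the output of plan_patches(SAMPLE) before passing it to apply_patches with your tenant domain and a Management API token that is allowed to update connections.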