
"Improved brute force protection"


#1

We have a username/password database setup for our users, and on our production instance there is a setting called Improved brute force protection (limit number of failed attempts from an IP address). We don’t have this setting on our test environment, and we do have the Anomaly detection brute force shield enabled in both environments. What does this other setting on the specific connection do? I cannot find any documentation for that specific setting online for the life of me. Is there a way to limit the number of attempts (default is 10 from what I can tell)?


#2

@dhettinger1 to be honest I am not sure I can see the term Improved brute force detection on my tenant. Can you take a screen grab of that for me? That might help jumpstart my memory.

As to your other questions:

I am familiar with two levels of BF protection:

Level 1: when a single IP address has 10 consecutive failed login attempts in a row, that IP address will be blocked from trying to log in as that user until the person who owns the email address for that user unblocks them.

Level 2: when a single IP address tries logging into many accounts. The 101st failed login attempt will block that IP address from being logged in for any account. Instead of the account owners being notified of a block, the dashboard admins will be notified of the block. This level also supports whitelisting certain IPs; for example, if your company presents a single public IP for all of its users, you may want to whitelist that IP.

In both levels you do not have any control over the number of blocked attempts. It is defaulted by Auth0.
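Added illustrative model of the two levels described in the answer above (not Auth0's own code; the thresholds of 10 consecutive failures per IP and user, and the 101st failure per IP across accounts, are taken from the post; IP addresses and user names are constructed):

```python
from collections import defaultdict

# Thresholds as described in the post: 10 consecutive failures from one IP
# against one user (level 1); the 101st failure from one IP across any
# accounts blocks the IP (level 2).
USER_IP_LIMIT = 10
IP_WIDE_LIMIT = 100


class BruteForceTracker:
    """Toy model of the two protection levels, not Auth0's implementation.

    Level 1: consecutive failures from one IP against one user; a success
             resets the counter, reaching the limit blocks that (ip, user).
    Level 2: total failures from one IP against any account; exceeding the
             limit blocks the IP for every account. Whitelisted IPs are exempt.
    """

    def __init__(self, whitelist=()):
        self.whitelist = set(whitelist)
        self.consecutive = defaultdict(int)  # (ip, user) -> consecutive failures
        self.ip_failures = defaultdict(int)  # ip -> total failures
        self.blocked_pairs = set()
        self.blocked_ips = set()

    def record(self, ip, user, success):
        """Process one login attempt and return the resulting status."""
        if ip in self.blocked_ips or (ip, user) in self.blocked_pairs:
            return "blocked"  # still blocked, even with the right password
        if success:
            self.consecutive[(ip, user)] = 0
            return "ok"
        self.consecutive[(ip, user)] += 1
        self.ip_failures[ip] += 1
        status = "failed"
        if self.consecutive[(ip, user)] >= USER_IP_LIMIT:
            self.blocked_pairs.add((ip, user))
            status = "blocked_user"  # level 1: account owner is notified
        if ip not in self.whitelist and self.ip_failures[ip] > IP_WIDE_LIMIT:
            self.blocked_ips.add(ip)
            status = "blocked_ip"  # level 2: dashboard admins are notified
        return status


def replay(events, whitelist=()):
    """Replay (ip, user, success) tuples and return each event's status."""
    tracker = BruteForceTracker(whitelist)
    return [tracker.record(*event) for event in events]


if __name__ == "__main__":
    # Constructed sample: one IP failing ten times against one user.
    print(replay([("198.51.100.7", "alice", False)] * 10)[-1])  # blocked_user
```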