Hello 
I use Auth0’s Universal Login for a Single Page Application, and sometimes multiple users sign in from the same IP address because they are on the same network.
Recently, I encountered the following error:
Someone behind the IP address: <IP_ADDRESS> attempted too many consecutive logins with different usernames. A shield to prevent this attack is enabled, further attempts are blocked from this IP address.
I understand this error since I have Attack Protection enabled, and I expect it after multiple failed login attempts. However, it seems the block is triggered before reaching the 10 failed attempts I configured for the tenant in the dashboard.
How does this block mechanism work? What events contribute to increasing the failed attempt count?
I’m attaching a log extract filtered by IP address and log event types type:s OR type:f* OR type:fu OR type:limit_mu to help clarify my case.
Log
| timestamp | description | type |
|---|---|---|
| 2024-10-18T14:36:20.333Z | null | s |
| 2024-10-18T14:47:09.909Z | null | s |
| 2024-10-18T14:48:26.070Z | null | s |
| 2024-10-18T14:54:27.674Z | Login required | fsa |
| 2024-10-18T14:54:41.755Z | Login required | fsa |
| 2024-10-18T14:54:48.140Z | null | s |
| 2024-10-18T14:55:31.096Z | Multifactor authentication required | fsa |
| 2024-10-18T14:55:35.616Z | Multifactor authentication required | fsa |
| 2024-10-18T14:59:08.072Z | Wrong email or password. | fu |
| 2024-10-18T14:59:11.258Z | Wrong email or password. | fu |
| 2024-10-18T14:59:14.706Z | Wrong email or password. | fu |
| 2024-10-18T14:59:20.946Z | Wrong email or password. | fu |
| 2024-10-18T14:59:22.995Z | Wrong email or password. | fu |
| 2024-10-18T15:00:02.074Z | null | s |
| 2024-10-18T15:01:22.046Z | null | s |
| 2024-10-18T15:01:55.095Z | The user already exists. | fs |
| 2024-10-18T15:02:44.877Z | null | s |
| 2024-10-18T15:04:53.838Z | Multifactor authentication required | fsa |
| 2024-10-18T15:04:54.195Z | null | s |
| 2024-10-18T15:05:03.403Z | Multifactor authentication required | fsa |
| 2024-10-18T15:05:04.483Z | Multifactor authentication required | fsa |
| 2024-10-18T15:05:55.312Z | null | s |
| 2024-10-18T15:07:32.188Z | Wrong email or password. | fu |
| 2024-10-18T15:07:41.217Z | Multifactor authentication required | fsa |
| 2024-10-18T15:07:41.546Z | null | s |
| 2024-10-18T15:07:53.354Z | Someone behind the IP address: <IP_ADDRESS> attempted too many consecutive logins with different usernames. A shield to prevent this attack is enabled, further attempts are blocked from this IP address. | limit_mu |
| 2024-10-18T15:10:46.921Z | Multifactor authentication required | fsa |
| 2024-10-18T15:10:47.200Z | null | s |
| 2024-10-18T15:13:53.898Z | Login required | fsa |
| 2024-10-18T15:15:44.481Z | Login required | fsa |
| 2024-10-18T15:19:26.176Z | Login required | fsa |
| 2024-10-18T15:41:52.866Z | Login required | fsa |
| 2024-10-18T15:53:50.718Z | Login required | fsa |
| 2024-10-18T16:09:28.844Z | Someone behind the IP address: <IP_ADDRESS> attempted too many consecutive logins with different usernames. A shield to prevent this attack is enabled, further attempts are blocked from this IP address. | limit_mu |
| 2024-10-18T17:06:26.482Z | null | s |
| 2024-10-18T17:12:16.493Z | Login required | fsa |
| date | description | event type |
Thanks in advance for your help.