Multiple Failed Silent Auth (fsa) Logs

Problem statement

We see many Failed Silent Authentication (fsa) events in our tenant logs. With Suspicious IP Throttling and Brute-force Protection enabled, shouldn't these Attack Protection features block an IP address that repeatedly fails to log in?

Cause

Attack Protection is not designed to act on these requests. A silent authentication request carries no credentials, so a failed one is not a failed login attempt: Brute-force Protection and Suspicious IP Throttling count failed logins that present credentials, and an fsa event is not one of those.

A high rate of fsa events does not, by itself, indicate an attack. An fsa event is logged when an authorization request with prompt=none cannot be completed without user interaction, most often because the user does not yet have a session at Auth0; Auth0 then returns the login_required error to the application instead of showing a login page. It is fairly common for customers to have a high ratio of fsa events: fsa accounts for 25% of all events emitted across the entire platform. In some cases the source is a poorly configured application that makes excessive silent authentication requests, for example one that retries on login_required instead of sending the user to log in. In other cases the events come from a "single logout" type of implementation, in which applications repeatedly use silent authentication to check whether the Auth0 session still exists.

Solution

Review your applications for unnecessary silent authentication calls. In the tenant logs, filter on type:fsa and group the events by application (client_id) and IP address. Many events spread across many IP addresses usually just reflect users who have no session yet, whereas a burst of events from one application and one IP address within a few seconds points at a client that retries silent authentication in a loop. Once the application is identified, change it to handle login_required by prompting the user to log in (or by stopping the retries) rather than repeating the prompt=none request.
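The following Python script is an added example, not part of the original article and not an Auth0 tool: it runs the check described above over a constructed set of tenant log events (the top-level field names follow the Auth0 log event shape, the values are invented). It keeps only fsa events, counts them per application, and reports the largest number of events one IP address produced against one application inside a sliding time window, so a retry loop stands out from the ordinary background of users without a session. The window and burst threshold are assumptions chosen for the example.

```python
import json
from collections import defaultdict
from datetime import datetime

# Constructed sample of Auth0 tenant log events (invented values, not real tenant data).
# "spa_A" hammers Auth0 with six prompt=none requests in five seconds from one IP,
# "spa_B" gets a few scattered failures from different users.
# The "s" (successful login) and "fp" (failed login, wrong password) events are included
# to show that they are filtered out: "fp" is the kind of event Attack Protection counts.
SAMPLE_LOG_LINES = [
    '{"type":"fsa","date":"2023-05-01T10:00:00.000Z","client_id":"spa_A","client_name":"Dashboard SPA","ip":"198.51.100.10","description":"Login required"}',
    '{"type":"fsa","date":"2023-05-01T10:00:01.000Z","client_id":"spa_A","client_name":"Dashboard SPA","ip":"198.51.100.10","description":"Login required"}',
    '{"type":"fsa","date":"2023-05-01T10:00:02.000Z","client_id":"spa_A","client_name":"Dashboard SPA","ip":"198.51.100.10","description":"Login required"}',
    '{"type":"fsa","date":"2023-05-01T10:00:03.000Z","client_id":"spa_A","client_name":"Dashboard SPA","ip":"198.51.100.10","description":"Login required"}',
    '{"type":"fsa","date":"2023-05-01T10:00:04.000Z","client_id":"spa_A","client_name":"Dashboard SPA","ip":"198.51.100.10","description":"Login required"}',
    '{"type":"fsa","date":"2023-05-01T10:00:05.000Z","client_id":"spa_A","client_name":"Dashboard SPA","ip":"198.51.100.10","description":"Login required"}',
    '{"type":"fsa","date":"2023-05-01T10:05:00.000Z","client_id":"spa_B","client_name":"Portal","ip":"203.0.113.5","description":"Login required"}',
    '{"type":"s","date":"2023-05-01T10:05:30.000Z","client_id":"spa_B","client_name":"Portal","ip":"203.0.113.5","description":"Success Login"}',
    '{"type":"fsa","date":"2023-05-01T10:20:00.000Z","client_id":"spa_B","client_name":"Portal","ip":"203.0.113.6","description":"Login required"}',
    '{"type":"fp","date":"2023-05-01T10:21:00.000Z","client_id":"spa_B","client_name":"Portal","ip":"203.0.113.6","description":"Wrong email or password."}',
    '{"type":"fsa","date":"2023-05-01T11:00:00.000Z","client_id":"spa_B","client_name":"Portal","ip":"203.0.113.7","description":"Login required"}',
]


def parse_events(lines):
    """Parse one JSON log event per line and attach a timezone-aware timestamp."""
    events = []
    for line in lines:
        event = json.loads(line)
        # Auth0 dates are ISO 8601 with a trailing Z; make them parseable on Python 3.7+.
        event["ts"] = datetime.fromisoformat(event["date"].replace("Z", "+00:00"))
        events.append(event)
    return events


def max_burst(timestamps, window_seconds):
    """Largest number of timestamps that fall inside any window of window_seconds (sliding window)."""
    ts = sorted(timestamps)
    best, start = 0, 0
    for end in range(len(ts)):
        while (ts[end] - ts[start]).total_seconds() > window_seconds:
            start += 1
        best = max(best, end - start + 1)
    return best


def summarize_fsa(lines, window_seconds=60, burst_threshold=5):
    """Per application: fsa count, distinct source IPs, and the worst per-IP burst.

    window_seconds and burst_threshold are assumed values for this example; tune them
    to the tenant. A client whose single IP exceeds the threshold is flagged as a
    suspected silent-auth retry loop.
    """
    events = [e for e in parse_events(lines) if e["type"] == "fsa"]
    per_client = defaultdict(lambda: {"client_name": None, "count": 0,
                                      "times_by_ip": defaultdict(list)})
    for e in events:
        entry = per_client[e["client_id"]]
        entry["client_name"] = e.get("client_name")
        entry["count"] += 1
        entry["times_by_ip"][e["ip"]].append(e["ts"])

    report = {}
    for client_id, entry in per_client.items():
        worst = max(max_burst(t, window_seconds) for t in entry["times_by_ip"].values())
        report[client_id] = {
            "client_name": entry["client_name"],
            "fsa_count": entry["count"],
            "distinct_ips": len(entry["times_by_ip"]),
            "max_burst_per_ip": worst,
            "suspect_retry_loop": worst >= burst_threshold,
        }
    return report


if __name__ == "__main__":
    for client_id, row in summarize_fsa(SAMPLE_LOG_LINES).items():
        print(client_id, row)
```

On the constructed sample the Dashboard SPA is flagged (six fsa events from one IP in five seconds) while the Portal is not (three events, three IPs, one each). To run it against a real tenant, replace SAMPLE_LOG_LINES with the events exported from the tenant logs, for example the output of a type:fsa search.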