Password Breach and Brute Force Lockout Notifications and Unverified Emails

Overview

When using Auth0 email verification, email delivery management, and notification settings, it is important to understand how identity-related notifications are sent to users. This article addresses a common question: whether notifications such as password breach alerts or brute-force protection messages are sent to unverified email addresses.

  • This can be problematic when users have not verified their email addresses, because notifications sent to mistyped or invalid addresses result in delivery failures (bounces).
  • Repeated failures may lead to SMTP providers blocking email operations due to suspected misuse or spam.

Applies To

  • Email verification
  • Email delivery management
  • Notification settings

Solution

Currently, Auth0 sends password breach and brute-force lockout notifications to unverified email addresses. This behavior is by design and cannot be changed directly through the Auth0 platform.

Recommendations:

Third-Party Email Validation: Use third-party services to validate email addresses at the point of user registration. This can help identify and correct invalid email addresses before they are saved in your user database.
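The following is an added example, not code from the Auth0 article, of an Auth0 Pre User Registration Action that rejects addresses that could never receive a notification. The `onExecutePreUserRegistration` entry point and `api.access.deny()` are Auth0's; `validateEmail()` and the `BLOCKED_DOMAINS` set are this example's own placeholders standing in for the call to a third-party validation service.

```javascript
// Added example: Auth0 Pre User Registration Action that denies sign-up for
// addresses that cannot be delivered to, so later breach/lockout notifications
// are not sent to dead mailboxes. validateEmail() and BLOCKED_DOMAINS are
// placeholders for the third-party validation service recommended above.

// Constructed placeholder list; a real deployment would query the validation
// service instead of a static set.
const BLOCKED_DOMAINS = new Set(["mailinator.example", "throwaway.example"]);

// One hostname label: 1-63 chars, alphanumeric or hyphen, no hyphen at the ends.
const LABEL_RE = /^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$/i;

function validateEmail(raw) {
  if (typeof raw !== "string") return { ok: false, reason: "missing" };
  const email = raw.trim();
  if (email.length > 254) return { ok: false, reason: "too_long" };
  const at = email.lastIndexOf("@");
  if (at < 1 || at === email.length - 1) return { ok: false, reason: "syntax" };
  const local = email.slice(0, at);
  const domain = email.slice(at + 1).toLowerCase();
  if (local.length > 64 || /[\s"(),:;<>@\\]/.test(local)) {
    return { ok: false, reason: "syntax" };
  }
  const labels = domain.split(".");
  // Require a dotted domain with well-formed labels (rejects "user@localhost").
  if (labels.length < 2 || !labels.every((l) => LABEL_RE.test(l))) {
    return { ok: false, reason: "syntax" };
  }
  if (BLOCKED_DOMAINS.has(domain)) return { ok: false, reason: "blocked_domain" };
  return { ok: true, reason: null, domain };
}

async function onExecutePreUserRegistration(event, api) {
  const result = validateEmail(event.user && event.user.email);
  if (!result.ok) {
    // First argument is the reason recorded in tenant logs, second is shown to the user.
    api.access.deny(`email_${result.reason}`, "Please provide a valid, reachable email address.");
  }
}

// In the Auth0 Actions editor this is the exported handler.
if (typeof exports !== "undefined") {
  exports.onExecutePreUserRegistration = onExecutePreUserRegistration;
}
```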

SMTP Configuration: Work with your SMTP provider to set up safeguards or alerts for delivery failures, so that bounces caused by invalid email addresses do not lead to your email operations being blocked.