Received an email re: Missing Rate Limit on Login

I received a cold email outlining numerous security threats re: our implementation of Auth0. One involves a weak password, a decision we are reconsidering. Another is re: a missing rate limit on login.

The person attached a screenshot outlining multiple attacks and guessing the correct albeit weak password on the 173rd attempt.

With brute-force protection, I assumed this would be blocked after the 100th attempt, but it clearly has not been. Is this the case on our end, or is IP-based detection not sufficient enough?

It’s hard to question the correctness of such claims if the only thing they provided is a screenshot. From the screenshot alone, the actual correct attempt (status 200) was request 180; however, previous requests show attempts for the same value (duplicates), which is weird.

Also, from the screenshot alone it’s impossible to know if the previous attempts were to the same user.

If you have enabled brute-force protection (both triggers) then by default 10 failed attempts for the same user and IP address will block that user+IP combination. In addition, an IP address may be significantly throttled if there are more than 100 attempts originating from that IP address and targeting multiple users (https://auth0.com/docs/anomaly-detection#brute-force-protection).

In conclusion, the information provided here and likely the information provided to you is insufficient for a more detailed analysis. There’s always the risk that someone is omitting details to make the situation look worse than it is, but a more definitive conclusion would require a more detailed report.
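To reason about whether a screenshot like the one described is consistent with the two triggers quoted above, here is an added toy model written for this thread (not Auth0's code, and not a claim about how Auth0 orders or counts its checks); the IP address, usernames and scenario shapes are constructed.

```python
# Simplified model of the two brute-force-protection triggers quoted in the answer:
#   1. 10 failed attempts for the same user from the same IP block that user+IP pair
#   2. more than 100 attempts from one IP against multiple users throttle that IP
# Constructed for illustration; counting and ordering are assumptions, not Auth0's.
from collections import defaultdict
from dataclasses import dataclass

USER_IP_FAILED_LIMIT = 10   # trigger 1 threshold
IP_TOTAL_LIMIT = 100        # trigger 2 threshold


@dataclass(frozen=True)
class Attempt:
    ip: str
    user: str
    correct_password: bool


def evaluate(attempts):
    """Return one outcome per attempt: 'ok', 'failed', 'blocked_user_ip' or 'throttled_ip'."""
    failed_per_pair = defaultdict(int)   # (user, ip) -> failed attempts so far
    total_per_ip = defaultdict(int)      # ip -> attempts so far (blocked ones included)
    users_per_ip = defaultdict(set)      # ip -> distinct users targeted
    outcomes = []
    for a in attempts:
        pair = (a.user, a.ip)
        total_per_ip[a.ip] += 1
        users_per_ip[a.ip].add(a.user)
        if failed_per_pair[pair] >= USER_IP_FAILED_LIMIT:
            outcomes.append("blocked_user_ip")   # trigger 1 already tripped for this pair
        elif total_per_ip[a.ip] > IP_TOTAL_LIMIT and len(users_per_ip[a.ip]) > 1:
            outcomes.append("throttled_ip")      # trigger 2: noisy IP across many users
        elif a.correct_password:
            outcomes.append("ok")
        else:
            failed_per_pair[pair] += 1
            outcomes.append("failed")
    return outcomes


def single_user_scenario(n_attempts=180, correct_at=180):
    """The claim in the thread: one user, one IP, right password at attempt 180."""
    return evaluate([Attempt("203.0.113.7", "victim", i == correct_at)
                     for i in range(1, n_attempts + 1)])


def spray_scenario(n_users=20, per_user=9):
    """Same IP, many users, each staying under the per-pair limit (constructed)."""
    return evaluate([Attempt("203.0.113.7", f"user{u}", False)
                     for _ in range(per_user) for u in range(n_users)])
```

Under this model a 180-attempt run against one user never reaches a successful login once trigger 1 is on, while a spread across many users only hits trigger 2 after attempt 100; the difference is exactly why the answer asks whether the earlier attempts targeted the same user.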