ROPC Login with Brute-force - "Blocked" status should be returned a step earlier

Hi @aditya.b.gautam

Welcome back to the Auth0 Community!

Thank you for posting your question. In short, this feature works as expected, and it would be best if you could open a new thread in the feedback category with a proposition on how you would like Brute-force protection to work.

However, there’s a workaround that will not entirely solve the issue but will make the flow clear for the customer.

It is possible to add a static message to the login prompt indicating the maximum number of login attempts a user can make. If a tenant admin changes the tenant’s brute force protection thresholds, this would need to be updated separately.

For example: when using the Identifier First authentication profile, the “description” for the “login-password” screen could be edited to advise users they only have 5 total attempts before the account will be blocked. For an Identifier + Password authentication profile, this could be put instead on the “description” of the “login” screen → Customize Universal Login Text Elements

Thanks
Dawid
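The workaround above, as an added example that is not part of the original reply or Auth0's own code: it reads the tenant's brute-force threshold and writes it into the screen "description", so the notice does not drift when an admin changes the threshold. It assumes the Management API v2 endpoints `/attack-protection/brute-force-protection` (field `max_attempts`) and `/prompts/{prompt}/custom-text/{language}`; the profile keys, function names and message wording are constructed for illustration.

```python
import json
import urllib.request

# Prompt and screen per authentication profile, as named in the reply above.
# The dictionary keys are hypothetical labels, not Auth0 identifiers.
SCREEN_BY_PROFILE = {
    "identifier_first": ("login-password", "login-password"),
    "identifier_password": ("login", "login"),
}

def build_custom_text(profile, max_attempts, existing=None):
    """Return (prompt, body) for the update, preserving existing text keys."""
    if not isinstance(max_attempts, int) or max_attempts < 1:
        raise ValueError("max_attempts must be a positive integer")
    prompt, screen = SCREEN_BY_PROFILE[profile]
    body = json.loads(json.dumps(existing or {}))  # deep copy, caller's dict untouched
    body.setdefault(screen, {})["description"] = (
        f"You have {max_attempts} total attempts before the account is blocked."
    )
    return prompt, body

def _call(domain, token, method, path, payload=None):
    """Minimal Management API v2 request helper (assumed base path /api/v2)."""
    req = urllib.request.Request(
        f"https://{domain}/api/v2{path}",
        method=method,
        data=None if payload is None else json.dumps(payload).encode(),
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else {}

def sync_attempts_notice(domain, token, profile, language="en"):
    """Copy the tenant's current threshold into the login screen description."""
    cfg = _call(domain, token, "GET", "/attack-protection/brute-force-protection")
    prompt, _ = SCREEN_BY_PROFILE[profile]
    path = f"/prompts/{prompt}/custom-text/{language}"
    existing = _call(domain, token, "GET", path)  # fetch first so other keys survive
    _, body = build_custom_text(profile, cfg["max_attempts"], existing)
    _call(domain, token, "PUT", path, body)  # body carries the prompt's full text set
    return body
```

Running `sync_attempts_notice` from the same pipeline that changes the brute-force threshold keeps the two values in step.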