Rule: detect failed login and count

Hi,

I have a requirement to lock users after 5 failed attempts, and from my research in the docs etc. it seems I need a custom rule.

I came across context.stats.loginsCount as a suggestion to use for the logic, however I can’t see HOW this is supposed to help me detect whether the login failed or succeeded?! Anyone???

I’ve been digging through the documentation and cannot find anything that will help me (useless documentation that does not explain in detail what the variables / properties on https://auth0.com/docs/rules/context-object are, for example).

Auth0 seems to NOT provide full docs when they are needed, so I’m turning to the forum (where I’ve yet to find something helpful).

Thanks

Hey there!

Actually we have a feature that is called Anomaly Detection and one of the sub-features is Brute Force Protection. It allows you to block somebody after 10 consecutive failed login attempts for the same user originating from the same IP address.

More on that here: https://auth0.com/docs/attack-protection/brute-force-protection

Hi Konrad,

thank you for your reply, however as I mentioned in the message, I have read the documentation and had a proper dig into the details and your answer is not an acceptable solution. I am aware of the “default” Brute Force Protection. This does not allow me in any way to change the number of consecutive attempts according to my requirements and therefore does not solve my problem.

I guess the obvious answer here is there is no way to incorporate a custom “lock account after {x} consecutive failed login attempts”.

Thanks

1 Like

Hey!

Rules only run ‘after’ a successful login. As such, a rule will not be able to help you in the failed login scenario.

What would actually be a viable solution is to use Log Streaming to act upon the ‘Failed Login’ log events. It would involve some work, but it can definitely be done.

We’re using the log streaming to AWS Eventbridge for example, which triggers a Lambda function that acts upon the information. In our scenario we’re listening to signup events, but this setup could also work for the other types of log events.

Hope it helps!

2 Likes
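To make the log-streaming approach above concrete, here is an added example (my own code, not rvdberg's setup and not anything Auth0 ships): a consecutive-failed-login counter of the kind a Lambda behind an Auth0 -> EventBridge log stream could run to implement the OP's "lock after 5 consecutive failures" requirement. The Auth0 log type codes `f`, `fp`, `fu` and `s` are real; the EventBridge event shape (log entry under `event.detail.data`), the `onLimit` callback, the in-memory `Map` store and all sample events are assumptions or constructed for the demo.

```javascript
// Added example, not code from the thread: count consecutive failed logins
// per user from Auth0 log-stream events and invoke a block callback at a
// configurable limit. A Map stands in for the store so the example runs
// offline; a real Lambda is stateless between invocations and would keep
// the counters in DynamoDB or similar (assumption, not from the thread).

const LIMIT = 5;                                   // the OP's requirement
const FAILURE_TYPES = new Set(['f', 'fp', 'fu']);  // Auth0 log types: failed login,
                                                   // wrong password, unknown user
const SUCCESS_TYPE = 's';                          // Auth0 log type: successful login

function createTracker(onLimit, limit = LIMIT) {
  const counters = new Map(); // user key -> consecutive failures

  // Assumed EventBridge shape: the Auth0 log entry sits under event.detail.data.
  function extractLog(event) {
    return event && event.detail ? event.detail.data : undefined;
  }

  // Returns what was done with the event: 'ignored', 'reset', 'counted' or 'blocked'.
  function process(event) {
    const log = extractLog(event);
    if (!log || !log.type) return 'ignored';
    // Prefer the immutable user_id; fall back to user_name for 'fu' events,
    // where no user record exists. Keying only on the user (not user+IP) means
    // anyone who knows a username can lock it, so treat the limit and the
    // block action as a deliberate trade-off.
    const key = log.user_id || log.user_name;
    if (!key) return 'ignored';

    if (log.type === SUCCESS_TYPE) {      // a success resets the streak
      counters.delete(key);
      return 'reset';
    }
    if (!FAILURE_TYPES.has(log.type)) return 'ignored';

    const n = (counters.get(key) || 0) + 1;
    counters.set(key, n);
    if (n >= limit) {
      counters.delete(key);              // start fresh once the block is applied
      onLimit(key, log);                 // e.g. set blocked=true via the Management API
      return 'blocked';
    }
    return 'counted';
  }

  return { process, failuresFor: (key) => counters.get(key) || 0 };
}

// Assumed Lambda entry point: EventBridge delivers one log event per invocation.
// In a deployment this is the function you would export as the handler.
const tracker = createTracker((userId) => console.log('would block', userId));
async function handler(event) {
  return { outcome: tracker.process(event) };
}

// Constructed sample event, mimicking what the log stream would deliver.
function mkEvent(type, userId) {
  return {
    detail: {
      data: { type, user_id: userId, user_name: 'alice@example.com', ip: '203.0.113.7' },
    },
  };
}

// Walk a constructed sequence: two failures, a success (reset), then five
// failures, which trips the limit on the fifth.
function demo() {
  const t = createTracker(() => {});
  const seq = ['fp', 'fp', 's', 'fp', 'fp', 'fp', 'fp', 'fp'];
  return seq.map((type) => t.process(mkEvent(type, 'auth0|alice')));
}
```

The callback is kept separate from the counting so the block action (and its audit logging) can be tested without Auth0 credentials; whatever it calls, make sure the counter store is shared across Lambda instances, otherwise each cold start begins from zero and the limit is never reached.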

Hi rvdberg,

thank you for the suggestion, that sounds like a viable option. I’ll look into this. Thanks again!

1 Like

Yep, unfortunately right now there isn’t an easy out-of-the-gate solution in our stack that will allow you to customise the number of failed logins after which users should be blocked. You can always use our product feedback form to file a feature request:

1 Like