Overview
This article explains whether it is possible for Auth0 to include the number of remaining attempts in the API response when a user tries to log in with incorrect credentials.
- For example, if a user enters invalid credentials on their first attempt, can Auth0 respond with a message like, “Invalid credentials. You have 4 attempts remaining before your account is locked”? Is this achievable with both the Authentication API and Universal Login?
Applies To
- Brute force protection
- Universal Login
Solution
Universal Login does not currently support this, and responses for unsuccessful logins do not include brute-force protection details such as the number of attempts remaining.
The following workaround can achieve similar results:
It is possible to add a static message to the login prompt stating the maximum number of login attempts a user can make. Because the message is static, it does not track the tenant's brute-force protection thresholds: if a tenant admin changes those thresholds, the message would need to be updated separately.
For example: when using the Identifier First authentication profile, the “description” for the “login-password” screen could be edited to advise users they only have 5 total attempts before the account will be blocked. For an Identifier + Password authentication profile, this could be put instead on the “description” of the “login” screen:
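One way to keep that static description in step with the tenant's actual threshold is to read the brute-force protection setting from the Management API and write the matching text to the relevant screen's "description" key. The script below is an added example, not Auth0's own code: it assumes a tenant domain in TENANT_DOMAIN, a Management API token in TOKEN with the read:attack_protection, read:prompts and update:prompts scopes, and the prompt and screen names used by the Identifier First ("login-password") and Identifier + Password ("login") profiles. It merges with any existing custom text first, because a PUT to the custom-text endpoint replaces the whole object for that prompt and language.

```python
"""Keep the static "attempts" hint on the Universal Login screen in sync
with the tenant's brute-force protection threshold.

Added example, not Auth0's own code. Assumptions: TENANT_DOMAIN is the
tenant's Auth0 domain, TOKEN is a Management API access token granted
read:attack_protection, read:prompts and update:prompts, and the tenant
uses either the Identifier First or the Identifier + Password profile.
"""
import json
import urllib.request

# Which prompt and screen carry the "description" text, per authentication profile.
PROFILE_TARGETS = {
    "identifier-first": ("login-password", "login-password"),
    "identifier-password": ("login", "login"),
}

MGMT = "https://{domain}/api/v2"


def build_message(max_attempts: int) -> str:
    """Static wording shown to every user; Auth0 does not expose a per-user remaining count."""
    if max_attempts < 1:
        raise ValueError("max_attempts must be a positive integer")
    return (f"You have {max_attempts} login attempts in total. "
            "After that, the account will be blocked.")


def merge_custom_text(existing: dict, screen: str, message: str) -> dict:
    """Return a copy of the prompt's existing custom text with the description replaced.

    PUT replaces the whole custom-text object for a prompt/language, so merging
    preserves any other keys that were customized earlier."""
    merged = {k: dict(v) for k, v in existing.items()}
    merged.setdefault(screen, {})["description"] = message
    return merged


def build_custom_text_request(domain, profile, max_attempts, existing=None, language="en"):
    """Return (method, url, body) for the prompts custom-text call, without sending it."""
    prompt, screen = PROFILE_TARGETS[profile]
    url = f"{MGMT.format(domain=domain)}/prompts/{prompt}/custom-text/{language}"
    body = merge_custom_text(existing or {}, screen, build_message(max_attempts))
    return "PUT", url, body


def _call(method, url, token, body=None):
    """Minimal Management API call; raises urllib.error.HTTPError on non-2xx."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers={
        "Authorization": f"Bearer {token}",
        "Content-Type": "application/json",
    })
    with urllib.request.urlopen(req, timeout=10) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else {}


def sync_attempts_hint(domain, token, profile, language="en") -> int:
    """Read the live threshold, push a matching hint, and return the threshold used."""
    base = MGMT.format(domain=domain)
    bf = _call("GET", f"{base}/attack-protection/brute-force-protection", token)
    if not bf.get("enabled"):
        raise RuntimeError("brute-force protection is disabled; there is no limit to advertise")
    max_attempts = int(bf["max_attempts"])
    prompt, _ = PROFILE_TARGETS[profile]
    existing = _call("GET", f"{base}/prompts/{prompt}/custom-text/{language}", token)
    method, url, body = build_custom_text_request(domain, profile, max_attempts, existing, language)
    _call(method, url, token, body)
    return max_attempts


if __name__ == "__main__":
    import os
    used = sync_attempts_hint(os.environ["TENANT_DOMAIN"], os.environ["TOKEN"],
                              os.environ.get("PROFILE", "identifier-first"))
    print(f"hint now advertises {used} attempts")
```

Run it from a deployment pipeline or a scheduled job after any change to attack-protection settings; the message is still static for every user, which is the limit of the workaround, but at least it cannot drift from the configured threshold.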