Problem Statement:
When Brute Force Attack Protection blocks the users, they do not receive any notification that they have been blocked, nor do they get any link to unblock themselves.
Solution:
This is a current limitation of Brute Force protection for SMS Passwordless users. We have a backlog item to address this issue.
For now, tenant admins can unblock these users through the following steps:
- If they do not have the phone number, they can look for the user triggering brute force protection by searching the tenant logs for type:limit_wc. The user_name and description fields should contain the user’s phone number.
- With the user’s phone number, the admin can check whether there is a block on the phone number using this endpoint and passing the phone number as the identifier: https://auth0.com/docs/api/management/v2#!/User_Blocks/get_user_blocks
- They can then remove the block by using the DELETE endpoint: https://auth0.com/docs/api/management/v2#!/User_Blocks/delete_user_blocks
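
The steps above as a script, added here as an example and not taken from Auth0: it pulls phone numbers out of type:limit_wc log events, then checks and removes the block for one reviewed number. The tenant domain, the sample events, the E.164 regex, the `blocked_for` response key and a Management API token with `read:logs`, `read:users` and `update:users` scopes are assumptions.

```python
import json
import re
import urllib.parse
import urllib.request

DOMAIN = "YOUR_TENANT.auth0.com"      # placeholder tenant domain
PHONE_RE = re.compile(r"\+\d{7,15}")  # assumption: numbers are logged in E.164 form

# Constructed sample log events (not real tenant data).
SAMPLE_EVENTS = [
    {"type": "limit_wc", "user_name": "+15551230001", "description": "Blocked +15551230001"},
    {"type": "s", "user_name": "+15551230002", "description": "Successful login"},
    {"type": "limit_wc", "user_name": "", "description": "Too many attempts for +15551230003"},
]

def blocked_phones(events):
    """Phone numbers found in user_name/description of type:limit_wc events."""
    phones = []
    for ev in events:
        if ev.get("type") != "limit_wc":
            continue
        for field in ("user_name", "description"):
            for number in PHONE_RE.findall(ev.get(field) or ""):
                if number not in phones:
                    phones.append(number)
    return phones

def logs_url(domain=DOMAIN):
    return f"https://{domain}/api/v2/logs?" + urllib.parse.urlencode({"q": "type:limit_wc"})

def user_blocks_url(phone, domain=DOMAIN):
    # urlencode sends "+" as %2B; a raw "+" in a query string is decoded as a space.
    return f"https://{domain}/api/v2/user-blocks?" + urllib.parse.urlencode({"identifier": phone})

def call(method, url, token):
    req = urllib.request.Request(url, method=method,
                                 headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:
        body = resp.read()
        return json.loads(body) if body else None

def unblock(phone, token, domain=DOMAIN):
    """Remove the block for one reviewed phone number; True if a block existed."""
    blocks = call("GET", user_blocks_url(phone, domain), token)
    if not (blocks or {}).get("blocked_for"):  # assumed response key
        return False
    call("DELETE", user_blocks_url(phone, domain), token)
    return True

if __name__ == "__main__":
    print(blocked_phones(SAMPLE_EVENTS))
```

Confirm each number belongs to a legitimate user before calling `unblock`, since the block may reflect a real guessing attempt against that phone number.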