SMS Passwordless users not receive notification when blocked by Brute Force Attack

Problem Statement:

When Brute Force Attack Protection blocks the users, they do not receive any notification that they have been blocked, nor do they get any link to unblock themselves.

Solution:

This is a current limitation of Brute Force protection for SMS Passwordless users. We have a backlog item to address this issue.

For now, tenant admins can unblock these users through the following steps:

  1. If they do not have the phone number, they can look for the user triggering brute force protection by searching for type:limit_wc. The user_name and description should contain the user’s phone number.
  2. With the user’s phone number, the admin can check they can see a block on the phone number using this endpoint and passing the phone number as the identifier: Auth0 Management API v2
  3. They can then remove the block by using the DELETE endpoint: Auth0 Management API v2
1 Like