Users with SMS Passwordless Blocked by Brute Force Receive No Notification

Last Updated: Sep 26, 2024

Overview

SMS passwordless users can be blocked by Brute-force attack protection, but they receive no notification that they have been blocked and no link to unblock themselves, even when the “Send notification to the affected users” option is turned on in the brute-force protection settings. This also applies to SMS passwordless accounts that are linked to an email passwordless user.

Affected users cannot unblock themselves.

Applies To

  • Brute Force Attack
  • Blocked Users
  • SMS Passwordless Login

Cause

This is a current limitation of Brute Force protection for SMS passwordless users.

Solution

For now, tenant admins can unblock these users through the following steps:

  1. To find the phone number, search the tenant logs for the user who triggered brute-force protection:
    type:"limit_wc" AND connection:"sms"
    
    The user_name and description of the matching log entries should contain the user’s phone number.
  2. With the phone number, the admin can check for a block on that number in the Auth0 Dashboard under User Management > Users. The Management API can also be used, passing the phone number as the identifier to its user-blocks endpoint; see the Management API documentation for details.
  3. A tenant admin can then remove the block from User Management in the Auth0 Dashboard with the “Unblock” button (Actions > “Unblock for all IPs”). The block can also be removed with the Management API; again, see its documentation for details.

If log streams are configured (highly recommended), a trigger can be created on the log stream provider side to listen for the tenant log events above, so the information is pushed to administrators who can proactively review and unblock SMS passwordless users. Before unblocking, review the source IP addresses on those log entries: if the attempts are still coming in, lifting the block only lets the attacker trigger it again.
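The following is an added example, not code from the article or from Auth0: it implements the log-stream trigger described above and the two Management API steps of the procedure in one script. The handler picks the phone numbers out of `limit_wc` events on the `sms` connection (the same filter as the log search above), confirms a block exists for that identifier, and removes it. The `/api/v2/user-blocks?identifier=...` GET and DELETE endpoints and the required `read:users` / `update:users` scopes come from Auth0's public Management API documentation; the webhook payload shape (`[{"log_id": ..., "data": {...}}]`), the sample events and `FakeManagementApi` are constructed here so the flow runs offline.

```python
"""Added example (not from the Auth0 article): react to tenant log events for
SMS passwordless users blocked by brute-force protection and lift the block
through the Management API.

Assumptions: SAMPLE_EVENTS is constructed; the log-stream payload shape and the
/api/v2/user-blocks endpoints are taken from Auth0's public docs, not the
article; FakeManagementApi exists only so the flow can run offline."""
import json
import re
from urllib.parse import urlencode
from urllib.request import Request, urlopen

PHONE = re.compile(r"\+\d{7,15}")  # E.164 number as it appears in user_name


def blocked_sms_phones(events):
    """Return phone numbers from limit_wc ("Blocked Account") events on the sms
    connection, i.e. the log search type:"limit_wc" AND connection:"sms".
    Accepts log-stream items ({"log_id", "data"}) or raw log entries and
    de-duplicates, keeping first-seen order."""
    phones = []
    for item in events:
        ev = item.get("data", item)
        if ev.get("type") != "limit_wc" or ev.get("connection") != "sms":
            continue
        # The article says user_name and description carry the number;
        # prefer user_name and fall back to description.
        for field in ("user_name", "description"):
            match = PHONE.search(ev.get(field) or "")
            if match:
                if match.group(0) not in phones:
                    phones.append(match.group(0))
                break
    return phones


class ManagementApi:
    """GET/DELETE https://{domain}/api/v2/user-blocks?identifier=<phone>.
    The access token needs read:users (GET) and update:users (DELETE)."""

    def __init__(self, domain, token, opener=urlopen):
        self.base = f"https://{domain}/api/v2/user-blocks"
        self.headers = {"Authorization": f"Bearer {token}"}
        self.opener = opener  # injectable so the transport can be replaced

    def url_for(self, identifier):
        return f"{self.base}?{urlencode({'identifier': identifier})}"

    def _call(self, method, identifier):
        req = Request(self.url_for(identifier), method=method, headers=self.headers)
        with self.opener(req) as resp:
            body = resp.read()
        return json.loads(body) if body else {}

    def get_blocks(self, identifier):
        return self._call("GET", identifier).get("blocked_for", [])

    def unblock(self, identifier):
        self._call("DELETE", identifier)  # 204 No Content on success


class FakeManagementApi:
    """In-memory stand-in with the same two methods, for the offline demo."""

    def __init__(self, blocks):
        self.blocks = {k: list(v) for k, v in blocks.items()}

    def get_blocks(self, identifier):
        return list(self.blocks.get(identifier, []))

    def unblock(self, identifier):
        self.blocks.pop(identifier, None)


def handle_log_stream(events, api):
    """Webhook handler body: for every blocked SMS passwordless user, confirm
    the block exists (step 2) and remove it (step 3). Returns
    {phone: number of block records cleared}; 0 means nothing was blocked."""
    cleared = {}
    for phone in blocked_sms_phones(events):
        blocks = api.get_blocks(phone)
        if blocks:
            api.unblock(phone)
        cleared[phone] = len(blocks)
    return cleared


# Constructed sample payload, shaped like an HTTP log-stream delivery.
SAMPLE_EVENTS = [
    {"log_id": "1", "data": {"type": "limit_wc", "connection": "sms",
                             "ip": "203.0.113.7", "user_name": "+15555550100",
                             "description": "Blocked Account: +15555550100"}},
    {"log_id": "2", "data": {"type": "limit_wc", "connection": "email",
                             "user_name": "jane@example.com"}},
    {"log_id": "3", "data": {"type": "f", "connection": "sms",
                             "user_name": "+15555550199"}},
    {"log_id": "4", "data": {"type": "limit_wc", "connection": "sms",
                             "user_name": "+15555550100"}},  # repeat block
]

if __name__ == "__main__":
    tenant = FakeManagementApi({"+15555550100": [
        {"identifier": "+15555550100", "ip": "203.0.113.7", "connection": "sms"}]})
    print(handle_log_stream(SAMPLE_EVENTS, tenant))  # {'+15555550100': 1}
    print(tenant.get_blocks("+15555550100"))         # []
```

To use it against a real tenant, swap `FakeManagementApi` for `ManagementApi(domain, token)` with a Management API token carrying the scopes noted in the class docstring, and call `handle_log_stream` from the HTTP endpoint your log stream posts to. The handler deliberately reads the blocks before deleting, so the returned counts tell an administrator which numbers were actually blocked and which events were stale by the time the webhook fired.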
