Problem statement
The user or an IP address is blocked by the Attack Protection features – Brute Force Protection, Suspicious IP Throttling, or Breached Password Detection – but the user did not receive the notification email, or there was no tenant log event (limit_wc, limit_mu, and pwd_leak) generated every time.
For example, the email was sent for the first time, but no email was sent afterward if there were more failed login attempts.
Is there a time window for when the email will be sent again?
Solution
When the Auth0 Attack Protection features, depending on the configurations in the tenant, a certain set of actions, e.g., blocking the user, throttling the IP addresses, notifying the user/admin, etc, will be taken.
Some of the actions are taken only once in a certain time window, which is the designed behavior in order to protect the user and Auth0 from the attacking traffic.
The table below gives the details:
| Block Further Login Attempts, User Account, or Offending IP | Email the Affected User | Email the Tenant Admin | Tenant Log | |
|---|---|---|---|---|
| Brute Force Protection | Always | Throttled | N/A | Throttled |
| Suspicious IP Throttling | Always | N/A | Throttled | Throttled |
| Breached Password Detection | Always | Throttled | Throttled | Throttled |
Always - If the action is enabled, it is always actioned.
Throttled - If the action is enabled, the action is throttled to happen only once in a certain time window.
NOTE: Actions listed in the above table can be customized to be enabled/disabled in the tenant. The “Always” or “Throttled” described in the above table only applies when that action is enabled.