Overview
The user or an IP address is blocked by the Attack Protection features – Brute Force Protection, Suspicious IP Throttling, or Breached Password Detection – but the user did not receive the notification email, or there was no tenant log event (limit_wc, limit_mu, and pwd_leak) generated every time.
For example, the email was sent for the first time, but no email was sent afterward if there were more failed login attempts.
Is there a timing window when the email is sent again?
Apples To
- Attack Protection
- Brute Force Protection
- Suspicious IP Throttling
- Breached Password Detection
Solution
When the Auth0 Attack Protection features are activated, depending on the tenant configurations, a certain set of actions, such as blocking the user, throttling the IP addresses, notifying the user or admin, etc., will be taken.
Some of the actions are taken only once in a certain time window, which is designed to protect the user and Auth0 from attacking traffic.
The table below gives the details:
| Block Further Login Attempts, User Account, or Offending IP | Email the Affected User | Email the Tenant Admin | Tenant Log | |
|---|---|---|---|---|
| Brute Force Protection | Always | Throttled | N/A | Throttled |
| Suspicious IP Throttling | Always | N/A | Throttled | Throttled |
| Breached Password Detection | Always | Throttled | Throttled | Throttled |
Always - If the action is enabled, it is always actioned.
Throttled - If the action is enabled, the action is throttled to happen only once in a certain time window.
NOTE: Actions listed in the above table can be customized to be enabled/disabled in the tenant. The “Always” or “Throttled” described in the above table only applies when that action is enabled.