Hi,
We are using the New Universal Login.
When the user’s account is manually blocked through the Auth0 management UI, the user trying to log in with the blocked account ends up in a redirect loop between our app and the login page, without any information or reason why they cannot log in.
At first sight, this evokes buggy behavior without clear reasoning for what is happening in the app from the user’s perspective.
We would assume that the behavior will be similar when the user is being blocked by brute force protection in which case the message with reasoning is shown in the login UI.
Are there best practices or recommendations for improving this experience for users with blocked accounts, or should this be considered a bug?
Hi @KristianJ,
Welcome to the Auth0 Community and sorry for the late reply.
When blocking a user directly via the Dashboard there is currently no place to specify a concrete reason, so that is why no error message pops up when such a user tries to log in. In order to also show an error message to specific users that are being blocked, it is recommended to use an Action to customize your message:
api.access.deny("You are being blocked to access this website");
For brute-force protection in particular, the default error message that is being shown is:
Your account has been blocked after multiple consecutive login attempts
However, this is customizable as well. You can follow the steps from this Knowledge Article, but just locate the "user-blocked" object from the Raw JSON text editor to insert your custom text.
I hope this clarifies the situation.
Thanks,
Remus