Trying to unsuccessfully login 20 times doesn't throw too_many_attempts exception anymore?

yevheniy.rohozhnikov · March 16, 2021, 3:28am

Hi,

I would like to get some help with the Brute-Force Protection.

With the old Auth0 Dashboard UI I had the ability to enable/disable blocking a user if they entered a password incorrectly 20 times.
An exception that I used to get was “too_many_attempts”.
Now it’s no longer an option. Based on this doc: Brute-Force Protection only specific IP addresses will be blocked after 10 attempts, but there is no option to block the User.
I still can see this error In common Errors: Common Auth0 Library Authentication Errors.
I need your help to figure out what’s triggering it now.

I remember this functionality there before

konrad.sopala · March 17, 2021, 2:18pm

Hey there!

So you’re saying that you have Brute-Force protection enabled and with more than 10 unsuccessful login attempts it’s not blocking the user?

yevheniy.rohozhnikov · March 17, 2021, 2:38pm

Hi Konrad,

It’s blocking the IP address after 10 unsuccessful logins for a specific email. Not the User, which means I still can log in if I have a different IP address and correct email/password. (This is working as expected)

But, what I’m looking for is the old functionality. It used to block a User after 20 unsuccessful logins, not the IP, but the user. The user used to receive an email that stayed something like - too many attempts were unsuccessful and there was ability to unblock.
When this error happened before, we used to see too_many_attempts error.

konrad.sopala · March 17, 2021, 2:40pm

Gotchya! Let me research if that feature is still there!

konrad.sopala · March 17, 2021, 3:44pm

Hmm can’t seem to find any reference regarding that and as far as I remember (I’ve been working here since October 2018) I don’t remember such feature. Do you remember if it was associated with Brute-Force protection or maybe rules or something?

yevheniy.rohozhnikov · March 17, 2021, 5:11pm

I don’t remember, if this was part of the Brute-Force or not, as the UI has changed. But I have enabled this feature under the Security. It was working a few months ago and for sure, this wasn’t a Rule error.

When we tried to log in unsuccessfully 20 times or more, we would get “too_many_attempts” exception.
You also can see this exception in “Common Auth0 Library Authentication Errors” under “Log in” section Common Auth0 Library Authentication Errors

konrad.sopala · March 17, 2021, 6:02pm

Let me try to dive deeper into it! I’ll get back to you soon!

konrad.sopala · March 18, 2021, 10:47am

Hey there!

Managed to discuss it internally you might be talking about the second bullet point here:

konrad.sopala · March 18, 2021, 10:47am

It’s more of a rate limit rather than a block

yevheniy.rohozhnikov · March 18, 2021, 3:07pm

Thanks for looking into this.
The rate limit is nice functionality, but unfortunately, this isn’t something that I was referring to. Before we had a functionality that would block a user after 20 unsuccessful attempts and it would throw too_many_attempts exception. I know I don’t provide any new information, but this is what I have.

If you can’t find it. Do you know if there is a way to simulate this behavior?
Thanks.

konrad.sopala · March 29, 2021, 9:46am

Unfortunately as of now, I don’t see any features in our stack nor any API endpoints that will allow you to stimulate that

system · April 13, 2021, 9:46am

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.