Trying to log in unsuccessfully 20 times doesn't throw too_many_attempts exception anymore?


I would like to get some help with the Brute-Force Protection.

With the old Auth0 Dashboard UI I had the ability to enable/disable blocking a user if they entered a password incorrectly 20 times.
An exception that I used to get was “too_many_attempts”.
Now it’s no longer an option. Based on this doc (Brute-Force Protection), only specific IP addresses will be blocked after 10 attempts, but there is no option to block the User.
I still can see this error in Common Errors: Common Auth0 Library Authentication Errors.
</gra_replace>
<gr_replace lines="12" cat="reformat" orig="I remember this">
I remember this functionality being there before 🙂
I need your help to figure out what’s triggering it now.

I remember this functionality there before :slight_smile:

Hey there!

So you’re saying that you have Brute-Force protection enabled and with more than 10 unsuccessful login attempts it’s not blocking the user?

Hi Konrad,

It’s blocking the IP address after 10 unsuccessful logins for a specific email. Not the User, which means I still can log in if I have a different IP address and correct email/password. (This is working as expected)

But what I’m looking for is the old functionality. It used to block a User after 20 unsuccessful logins, not the IP, but the user. The user used to receive an email that said something like "too many attempts were unsuccessful", and there was an ability to unblock.
When this error happened before, we used to see too_many_attempts error.
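As an added illustration (not code from this thread, from Auth0, or from any participant), here is a small Python model of the two lockout behaviours the post above contrasts: an IP-based block that keys on the (email, IP) pair and trips after 10 failures, and a user-based block that keys on the email alone and trips after 20 failures. The class and function names, the sample user, the IP addresses and the `TooManyAttempts` exception are assumptions made for the example; the thresholds 10 and 20 are the ones stated in the thread.

```python
from collections import defaultdict


class TooManyAttempts(Exception):
    """Raised once a lockout threshold is hit; stands in for the too_many_attempts error."""


class LoginGuard:
    """Toy model (constructed for this example, not Auth0's implementation) of the
    two lockout policies discussed in the thread:

      policy="ip"   : block the (email, ip) pair after IP_LIMIT failures   (10 in the thread)
      policy="user" : block the email itself after USER_LIMIT failures     (20 in the thread)
    """

    IP_LIMIT = 10
    USER_LIMIT = 20

    def __init__(self, credentials, policy):
        if policy not in ("ip", "user"):
            raise ValueError("policy must be 'ip' or 'user'")
        self.credentials = credentials          # email -> password; constructed sample store
        self.policy = policy
        self.failures = defaultdict(int)        # lockout key -> consecutive failure count
        self.blocked = set()                    # lockout keys currently blocked

    def _key(self, email, ip):
        # Per-IP policy counts per (email, ip); per-user policy counts per email only.
        return (email, ip) if self.policy == "ip" else email

    def login(self, email, password, ip):
        key = self._key(email, ip)
        if key in self.blocked:
            # A blocked key is rejected even when the password is correct.
            raise TooManyAttempts(f"{key!r} is blocked under the {self.policy} policy")
        if self.credentials.get(email) == password:
            self.failures[key] = 0              # success resets the counter
            return True
        self.failures[key] += 1
        limit = self.IP_LIMIT if self.policy == "ip" else self.USER_LIMIT
        if self.failures[key] >= limit:
            self.blocked.add(key)               # threshold reached: lock out this key
        return False

    def unblock(self, email, ip=None):
        """Administrative unblock, the role the thread recalls the emailed unblock link playing."""
        key = self._key(email, ip)
        self.blocked.discard(key)
        self.failures.pop(key, None)


def demo(policy):
    """Exhaust the threshold from one IP, then try the correct password from the
    same IP and from a second IP. Returns (same_ip_ok, other_ip_ok)."""
    guard = LoginGuard({"alice@example.com": "correct-horse"}, policy)  # constructed sample user
    limit = guard.IP_LIMIT if policy == "ip" else guard.USER_LIMIT
    for _ in range(limit):
        guard.login("alice@example.com", "wrong-password", ip="203.0.113.5")

    def attempt(ip):
        try:
            return guard.login("alice@example.com", "correct-horse", ip=ip)
        except TooManyAttempts:
            return False

    return attempt("203.0.113.5"), attempt("198.51.100.7")


if __name__ == "__main__":
    print("ip policy   (same IP, other IP):", demo("ip"))    # (False, True)
    print("user policy (same IP, other IP):", demo("user"))  # (False, False)
```

Running `demo("ip")` reproduces what the post describes as working today: the blocked IP is refused, but the legitimate owner can still sign in from a different address. `demo("user")` reproduces the older behaviour being asked about, where the account itself is locked regardless of source IP until an administrator (or an emailed link) calls `unblock`.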

Gotchya! Let me research if that feature is still there!

Hmm, can’t seem to find any reference regarding that, and as far as I remember (I’ve been working here since October 2018) I don’t remember such a feature. Do you remember if it was associated with Brute-Force protection or maybe rules or something?

I don’t remember if this was part of the Brute-Force protection or not, as the UI has changed. But I had enabled this feature under Security. It was working a few months ago and, for sure, this wasn’t a Rule error.

When we tried to log in unsuccessfully 20 times or more, we would get “too_many_attempts” exception.
You also can see this exception in “Common Auth0 Library Authentication Errors” under the “Log in” section.

Let me try to dive deeper into it! I’ll get back to you soon!

Hey there!

Managed to discuss it internally; you might be talking about the second bullet point here:

It’s more of a rate limit rather than a block

Thanks for looking into this.
The rate limit is nice functionality, but unfortunately this isn’t what I was referring to. Before, we had functionality that would block a user after 20 unsuccessful attempts and throw a too_many_attempts exception. I know I’m not providing any new information, but this is what I have.

If you can’t find it, do you know if there is a way to simulate this behavior?

Unfortunately, as of now, I don’t see any features in our stack nor any API endpoints that will allow you to simulate that.