Problem statement
Enabling Block compromised user accounts under the Response block settings in Attack Protection > Breached Password Detection does not appear to block the user account. When viewing the user's details in the Auth0 Dashboard, there is no indication that the account is blocked, unlike an account blocked by Brute Force Protection.
Solution
This behavior is by design. Breached Password Detection checks the submitted password against its breached-credentials data on every login, so the block is the outcome of that per-login check rather than a state stored on the user. There is no flag on the user's profile to clear, as there is with Brute Force Protection, where the block is recorded on the user and can be removed. When reviewing the user's account it therefore appears as not blocked, but every login attempt with the compromised password will continue to be rejected until the user changes their password. The rejected attempts are still recorded in the tenant logs, which is where to look when confirming why a user cannot sign in.
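Because the Dashboard shows nothing on the profile, the practical way to confirm a breached-password block is to read the tenant logs. The following Python script is an added example, not part of the Auth0 article or Auth0's own tooling: it sorts a set of log records by time, groups them by user, and reports whether the most recent denial came from Breached Password Detection (nothing on the user to clear) or from Brute Force Protection (a block recorded on the user). The event type codes used (pwd_leak, limit_wc, f, s) are taken from Auth0's log event type list; the sample entries, user names, timestamps and IP addresses are constructed and only shaped like the output of the Management API GET /api/v2/logs.

```python
"""Triage, from Auth0 tenant log entries, why a user keeps being refused login.

Added example for this article, not Auth0's own code. The records in SAMPLE_LOGS
are constructed for illustration and shaped like entries returned by the
Management API GET /api/v2/logs. The event type codes come from Auth0's log
event type list:
    pwd_leak  login denied because the password is in a breach dataset
    limit_wc  Brute Force Protection blocked the account for an IP
    f         failed login
    s         successful login
How each code is interpreted follows the explanation in the article.
"""
import json

# Constructed sample, not real tenant data:
#   alice  - repeatedly denied by Breached Password Detection
#   bob    - failed logins followed by a brute-force block
#   carol  - denied for a breached password, then changed it and logged in
#   dave   - a single ordinary failed login, no protection triggered
SAMPLE_LOGS = json.dumps([
    {"date": "2024-05-01T09:00:00.000Z", "type": "pwd_leak", "user_name": "alice@example.com", "ip": "203.0.113.5"},
    {"date": "2024-05-01T09:02:00.000Z", "type": "pwd_leak", "user_name": "alice@example.com", "ip": "203.0.113.5"},
    {"date": "2024-05-01T09:05:00.000Z", "type": "f", "user_name": "bob@example.com", "ip": "198.51.100.7"},
    {"date": "2024-05-01T09:05:30.000Z", "type": "f", "user_name": "bob@example.com", "ip": "198.51.100.7"},
    {"date": "2024-05-01T09:06:00.000Z", "type": "limit_wc", "user_name": "bob@example.com", "ip": "198.51.100.7"},
    {"date": "2024-05-01T09:10:00.000Z", "type": "pwd_leak", "user_name": "carol@example.com", "ip": "192.0.2.9"},
    {"date": "2024-05-01T09:30:00.000Z", "type": "s", "user_name": "carol@example.com", "ip": "192.0.2.9"},
    {"date": "2024-05-01T09:40:00.000Z", "type": "f", "user_name": "dave@example.com", "ip": "192.0.2.10"},
])

# What each denial code means for the administrator looking at the user record.
DENIALS = {
    "pwd_leak": (
        "breached password",
        "Rejected by Breached Password Detection on each login. Nothing is stored on "
        "the user, so the profile shows no block to clear; the rejections stop once "
        "the user sets a new password.",
    ),
    "limit_wc": (
        "brute-force block",
        "Blocked by Brute Force Protection. The block is recorded on the user and is "
        "visible in the Dashboard, where it can be removed.",
    ),
}


def parse_logs(raw_json):
    """Parse a JSON array of log entries and return them in chronological order."""
    return sorted(json.loads(raw_json), key=lambda entry: entry["date"])


def triage(entries):
    """Summarise, per user, the most recent protection that denied a login.

    Returns {user_name: {"verdict", "why", "count", "last_seen", "ip", "resolved"}}.
    A successful login after the denial marks the finding as resolved (for a
    breached password that means the user changed it; for a brute-force block
    that the block was lifted). Plain failed logins are not findings.
    """
    findings = {}
    for entry in entries:
        user = entry.get("user_name")
        code = entry.get("type")
        if code in DENIALS:
            verdict, why = DENIALS[code]
            current = findings.get(user)
            if current and current["verdict"] == verdict:
                current["count"] += 1
                current["last_seen"] = entry["date"]
                current["resolved"] = False
            else:
                findings[user] = {
                    "verdict": verdict, "why": why, "count": 1,
                    "last_seen": entry["date"], "ip": entry.get("ip"), "resolved": False,
                }
        elif code == "s" and user in findings:
            findings[user]["resolved"] = True
    return findings


def report(findings):
    """Render the triage result as plain text, one block per user."""
    lines = []
    for user, f in sorted(findings.items()):
        status = "resolved" if f["resolved"] else "still active"
        lines.append(f"{user}: {f['verdict']} x{f['count']} (last {f['last_seen']} from {f['ip']}, {status})")
        lines.append(f"    {f['why']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(triage(parse_logs(SAMPLE_LOGS))))
```

Against a real tenant, replace SAMPLE_LOGS with the JSON body returned by GET /api/v2/logs (filtered with a query such as type:pwd_leak for the user in question); a user who shows "breached password, still active" is the case the article describes, and the fix is a password change rather than an unblock.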