Overview
The brute force attack protection mechanism does not trigger notifications or provide self-service unblocking options for SMS passwordless users when an account is blocked. This occurs even if the Send notification to the affected users setting is enabled. The limitation extends to SMS passwordless accounts that are linked to email passwordless accounts.
Applies To
- Brute Force Attack
- Blocked Users
- SMS Passwordless Login
Cause
This is a current limitation of Brute Force protection for SMS passwordless users.
Solution
Follow the steps or video below:
Currently, tenant administrators can manually unblock affected SMS passwordless users using the Dashboard, following the steps below:
-
Find the blocked user’s phone number by searching the tenant system logs for the following event
type:"limit_wc" AND connection:"sms"NOTE: The user_name or description fields should contain the phone number.
-
Navigate to User Management > Users in the Auth0 Dashboard
-
Search for the user using the phone number identified in the logs.
-
Select the blocked user’s profile.
-
From the Actions menu, select Unblock for all IPs
Alternatively, the Management API can also be used to unblock the user:
- Check if a user is blocked using the phone number as the identifier using the GET /v2/user-blocks Management API endpoint.
- Remove a user block using the DELETE /v2/user-blocks Management API endpoint.
Proactive Monitoring: If log streaming is configured, consider creating triggers within the log stream provider to monitor for the log events mentioned in step #1. This allows administrators to identify and unblock affected SMS passwordless users proactively.