SMS Passwordless Blocked by Brute Force Attack Fails to Notify User

Overview

When brute force attack protection blocks an SMS passwordless user, it neither sends the user a notification nor offers a self-service unblock link. This happens even if the Send notification to the affected users setting is enabled in Attack Protection. The limitation also applies to SMS passwordless accounts that are linked to email passwordless accounts, so the linked email address does not receive a notification either.

Applies To

  • Brute Force Attack
  • Blocked Users
  • SMS Passwordless Login

Cause

This is a current limitation of Brute Force protection for SMS passwordless users: notifications and self-service unblock links are only delivered by email, and an SMS passwordless identity has no email address to deliver them to.

Solution

Until this limitation is addressed, tenant administrators can manually unblock affected SMS passwordless users from the Dashboard by following the steps below:

  1. Find the blocked user’s phone number by searching the tenant logs (Monitoring > Logs) for the following event:

    type:"limit_wc" AND connection:"sms"

    NOTE: limit_wc is the "Blocked Account" event type. The user_name or description field of the event should contain the phone number.

  2. Navigate to User Management > Users in the Auth0 Dashboard

  3. Search for the user using the phone number identified in the logs.

  4. Select the blocked user’s profile.

  5. From the Actions menu, select Unblock for all IPs

Alternatively, the Management API can be used to unblock the user.

Proactive Monitoring: If log streaming is configured, consider creating a trigger in the log stream provider that matches the log events described in step #1 (type limit_wc on the sms connection). This allows administrators to identify and unblock affected SMS passwordless users proactively instead of waiting for the user to report the problem.
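The following script is an added example for this article and is not Auth0's own code. It ties the two points above together: it applies the step #1 log filter (type limit_wc on the sms connection) to log events, whether fetched from the Management API or received in a batch from a log stream, extracts the phone numbers, checks that each number is still blocked, and removes the block for all IPs through the Management API. It assumes a tenant domain of example.auth0.com, a Management API token held in MGMT_API_TOKEN with the read:logs and update:users scopes, and uses only the documented GET /api/v2/logs, GET /api/v2/user-blocks and DELETE /api/v2/user-blocks endpoints. The log entries and the dry-run responses are constructed for the example, not real tenant data.

```python
"""Detect SMS passwordless users blocked by brute-force protection and unblock them
through the Auth0 Management API (added example; not Auth0's code)."""
import io
import json
import re
import urllib.parse
import urllib.request

# The same search the article runs against the tenant logs in the Dashboard.
BLOCKED_SMS_QUERY = 'type:"limit_wc" AND connection:"sms"'

# SMS passwordless identifiers are stored in E.164 form: '+' followed by digits.
PHONE = re.compile(r"\+[1-9]\d{6,14}")


def blocked_phone_numbers(events):
    """Distinct phone numbers from limit_wc events on the sms connection.
    Accepts the JSON objects returned by GET /api/v2/logs or delivered by a log
    stream; reads user_name first and falls back to description."""
    found = []
    for ev in events:
        if ev.get("type") != "limit_wc" or ev.get("connection") != "sms":
            continue
        for field in ("user_name", "description"):
            m = PHONE.search(str(ev.get(field) or ""))
            if m:
                if m.group(0) not in found:
                    found.append(m.group(0))
                break
    return found


class ManagementApi:
    """Minimal client; 'opener' is injectable so the flow can be dry-run offline."""

    def __init__(self, domain, token, opener=urllib.request.urlopen):
        self.base = f"https://{domain}/api/v2"
        self.headers = {"Authorization": f"Bearer {token}"}
        self._open = opener

    def _call(self, method, path, params):
        url = f"{self.base}{path}?{urllib.parse.urlencode(params)}"
        req = urllib.request.Request(url, method=method, headers=self.headers)
        with self._open(req) as resp:
            body = resp.read()
        return json.loads(body) if body else None  # DELETE answers 204, no body

    def blocked_sms_events(self, per_page=100):
        return self._call("GET", "/logs", {"q": BLOCKED_SMS_QUERY, "per_page": per_page})

    def blocks_for(self, phone):
        return self._call("GET", "/user-blocks", {"identifier": phone})

    def unblock(self, phone):  # equivalent of "Unblock for all IPs" in the Dashboard
        self._call("DELETE", "/user-blocks", {"identifier": phone})


def unblock_blocked_sms_users(api, events=None):
    """Steps 1 and 5 of the article driven by the API. Pass 'events' (e.g. a batch
    from a log stream) to skip the log query. Returns the numbers unblocked."""
    if events is None:
        events = api.blocked_sms_events()
    unblocked = []
    for phone in blocked_phone_numbers(events):
        blocks = api.blocks_for(phone) or {}
        if blocks.get("blocked_for"):  # still blocked on at least one IP
            api.unblock(phone)
            unblocked.append(phone)
    return unblocked


class DryRunOpener:
    """Stand-in for urllib.request.urlopen (constructed for this example): records each
    request and answers with respond(method, path, query) encoded as JSON."""

    def __init__(self, respond):
        self.respond = respond
        self.requests = []

    def __call__(self, req):
        parts = urllib.parse.urlparse(req.full_url)
        self.requests.append((req.get_method(), parts.path))
        reply = self.respond(req.get_method(), parts.path, urllib.parse.parse_qs(parts.query))
        return io.BytesIO(b"" if reply is None else json.dumps(reply).encode())


# Constructed log entries shaped like Auth0 tenant log events; not real tenant data.
SAMPLE_EVENTS = [
    {"type": "limit_wc", "connection": "sms", "user_name": "+15555550123",
     "description": "Blocked Account", "ip": "198.51.100.7"},
    {"type": "limit_wc", "connection": "sms", "user_name": "",
     "description": "Blocked Account +15555550199", "ip": "198.51.100.8"},
    {"type": "limit_wc", "connection": "email", "user_name": "alice@example.com",
     "description": "Blocked Account", "ip": "198.51.100.9"},
    {"type": "f", "connection": "sms", "user_name": "+15555550777",
     "description": "Failed Login", "ip": "198.51.100.10"},
]


def dry_run():
    """Run the whole flow against canned responses; returns (unblocked, requests made)."""
    def respond(method, path, query):
        if (method, path) == ("GET", "/api/v2/logs"):
            return SAMPLE_EVENTS
        if (method, path) == ("GET", "/api/v2/user-blocks"):
            phone = query["identifier"][0]  # only the first number is still blocked
            blocked = [{"identifier": phone, "ip": "198.51.100.7"}] if phone == "+15555550123" else []
            return {"blocked_for": blocked}
        return None
    opener = DryRunOpener(respond)
    api = ManagementApi("example.auth0.com", "MGMT_API_TOKEN", opener=opener)
    return unblock_blocked_sms_users(api), opener.requests


if __name__ == "__main__":
    print(dry_run())
```

Replace DryRunOpener with the default opener and a real token to run it against a tenant; for a log stream trigger, call unblock_blocked_sms_users(api, events=batch) with the events the stream delivered so the unblock happens as soon as the limit_wc event arrives.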
