What happens if Suspicious IP Throttling and Brute-force Protection Maximum Attempt values are the same?

Problem statement:

If the Maximum Attempts values for the Suspicious IP Throttling and Brute-force Protection settings are the same, and a user fails to log in enough times to reach that Maximum Attempts value, does one of the settings take precedence over the other, or are both settings honored?

Solution

When Suspicious IP Throttling and Brute-force Protection are both enabled, both settings are honored; neither takes precedence. The difference is what each one counts and what each one blocks:

  1. Maximum Attempts for Suspicious IP Throttling:
    – The rate of login attempts from a single IP address against any number of accounts on the tenant. When the threshold is reached, the IP address is blocked.
    – To lift a Suspicious IP Throttling block, use the Management API Delete IPs by ID endpoint.

  2. Maximum Attempts for Brute-force Protection:
    – The rate of login attempts from a single IP address against one particular account. When the threshold is reached, the user is blocked.
    – To lift a Brute-force Protection block, use the Management API Delete User blocks by ID endpoint.

If a user is blocked by Brute-force Protection, they remain blocked until one of the following events occurs:

  • The affected user selects the unblock link in the email notification (if configured).
  • The affected user changes their password (on all linked accounts).
  • An administrator removes the block.
  • An administrator raises the login threshold.

Note: if the IP address is blocked by Suspicious IP Throttling, none of the user-driven actions above apply; only an administrator can unblock it, via the Management API (Auth0 Management API v2).

If both blocks happen at the same time, the administrator needs to unblock the IP address first; only then can the user unblock their own account by changing their password or by selecting the unblock link in their email.
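The ordering described above (clear the IP block before the user block) can be scripted against the two Management API endpoints the article names. The script below is an added example written for this article, not Auth0's own code: the endpoint paths `DELETE /api/v2/anomaly/blocks/ips/{id}` and `DELETE /api/v2/user-blocks/{id}` are the real Management API v2 routes behind "Delete IPs by ID" and "Delete User blocks by ID", while the function names, the `send` hook and the sample tenant, IP and user values are assumptions made up here. The Management API token is assumed to carry the scopes the tenant's API documentation lists for those two endpoints.

```python
"""Lift a Suspicious IP Throttling block and then a Brute-force Protection
block for one user, in that order, using the Auth0 Management API v2.

Added example for this article; helper names and sample values are invented.
"""
import urllib.error
import urllib.parse
import urllib.request


def ip_unblock_request(domain, token, ip):
    """Build DELETE /api/v2/anomaly/blocks/ips/{id} (Delete IPs by ID).

    Lifts the Suspicious IP Throttling block on one IP address.
    """
    url = f"https://{domain}/api/v2/anomaly/blocks/ips/{urllib.parse.quote(ip, safe='')}"
    return urllib.request.Request(
        url, method="DELETE", headers={"Authorization": f"Bearer {token}"}
    )


def user_unblock_request(domain, token, user_id):
    """Build DELETE /api/v2/user-blocks/{id} (Delete User blocks by ID).

    Lifts the Brute-force Protection block on one user; the user_id
    (e.g. "auth0|abc123") must be URL-encoded, including the "|".
    """
    url = f"https://{domain}/api/v2/user-blocks/{urllib.parse.quote(user_id, safe='')}"
    return urllib.request.Request(
        url, method="DELETE", headers={"Authorization": f"Bearer {token}"}
    )


def _send(req):
    """Execute a request and return its HTTP status (204 = block removed)."""
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        # A 404 on the IP endpoint simply means that IP is not currently blocked.
        return err.code


def clear_blocks(domain, token, ip, user_id, send=None):
    """Unblock the IP first, then the user, and return the ordered results.

    Returns a list of (method, url, status). The user unblock is skipped if
    the IP unblock fails for any reason other than 404 (IP not blocked),
    because the user cannot get in while the IP block stands anyway.
    """
    send = send or _send
    results = []
    ip_req = ip_unblock_request(domain, token, ip)
    status = send(ip_req)
    results.append((ip_req.get_method(), ip_req.full_url, status))
    if status >= 400 and status != 404:
        return results
    user_req = user_unblock_request(domain, token, user_id)
    status = send(user_req)
    results.append((user_req.get_method(), user_req.full_url, status))
    return results


if __name__ == "__main__":
    # Constructed sample values; replace with your tenant, token, IP and user.
    for method, url, status in clear_blocks(
        "example-tenant.us.auth0.com", "MGMT_API_TOKEN_PLACEHOLDER",
        "203.0.113.7", "auth0|abc123",
    ):
        print(method, url, status)
```

The `send` parameter exists so the sequence can be exercised without a tenant: pass a function that records the requests and returns a status, and check that the IP request is issued before the user request and that the user id is percent-encoded.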

Reference Materials:
