Why does Brute Force Protection sometimes permit login when the account has been blocked?

Problem statement

We have enabled Brute Force Protection within our tenant. However, we have noticed that it does not work as we expected when a VPN is used.

Here is a list of steps to illustrate the problem:

  1. I logged into our website at ‘contoso.com’ and deliberately entered the wrong password the configured number of times, until the account was blocked.
  2. I then attempted to log in using a different IP address (for example, using a VPN or another computer on a different network).
  3. I discovered that if I entered the correct password, we were allowed to log in via this new IP address.

We were very surprised by this behaviour. Why are we permitted to log in from a different IP address, even though the account has been blocked?

Is there any way to change this behaviour?

Cause

This is not a defect. It is the intended behaviour.

Solution

By default, a block applies to the combination of account and source IP address, so customers are still permitted to log in from a new IP address even though the account may initially appear to be blocked. This behaviour may be justifiable in some circumstances (for example, a legitimate user on a new network after a password-guessing attempt from elsewhere), so we give customers that option.

However, there is another option in the dashboard that enables the blocking behaviour to be more strictly enforced.

Within the dashboard, go to the Brute Force Protection configuration screen.

Scroll down to the Response section: there you will see an option ‘Account Lockout’. If this toggle is enabled, then Auth0 will lock out the account regardless of IP address once the configured number of unsuccessful login attempts has been reached.
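The following is an added example, not Auth0's own code, that models the two response modes described above so the difference can be checked against the steps in the problem statement. The threshold of three failed attempts, the user name and the IP addresses are constructed sample values; Auth0's real counters and thresholds are not reproduced here.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class LoginAttempt:
    """One login attempt as seen by the protection layer (constructed sample data)."""
    user: str
    ip: str
    password_ok: bool


class BruteForceGuard:
    """Toy model of the two blocking policies discussed on the page.

    account_lockout=False: failures are counted per (user, IP) pair, so a block
                           only applies to the IP address that caused it (default).
    account_lockout=True:  failures are counted per user, so once the threshold is
                           reached the account is blocked from every IP address.
    """

    def __init__(self, max_attempts: int = 3, account_lockout: bool = False):
        self.max_attempts = max_attempts          # assumed threshold for this demo
        self.account_lockout = account_lockout
        self.failures = defaultdict(int)          # key -> consecutive failed attempts
        self.blocked = set()                      # keys that have hit the threshold

    def _key(self, user: str, ip: str):
        # The whole difference between the two modes is what the counter is keyed on.
        return user if self.account_lockout else (user, ip)

    def attempt(self, a: LoginAttempt) -> str:
        key = self._key(a.user, a.ip)
        if key in self.blocked:
            return "blocked"                      # correct password does not help here
        if a.password_ok:
            self.failures[key] = 0                # successful login resets the counter
            return "success"
        self.failures[key] += 1
        if self.failures[key] >= self.max_attempts:
            self.blocked.add(key)                 # threshold reached: block from now on
        return "failed"


def replay(attempts, account_lockout: bool, max_attempts: int = 3):
    """Run a list of attempts through a fresh guard and return the outcome of each."""
    guard = BruteForceGuard(max_attempts, account_lockout)
    return [guard.attempt(a) for a in attempts]


# Constructed scenario mirroring the problem statement: three wrong passwords from
# one address, then the correct password from a different address, then the correct
# password from the original (blocked) address.
SCENARIO = [
    LoginAttempt("alice", "203.0.113.10", False),
    LoginAttempt("alice", "203.0.113.10", False),
    LoginAttempt("alice", "203.0.113.10", False),
    LoginAttempt("alice", "198.51.100.7", True),   # new IP, e.g. via VPN
    LoginAttempt("alice", "203.0.113.10", True),   # original IP, now blocked
]


def default_mode_outcome():
    """Per-(user, IP) blocking: the new IP is allowed in, the original IP is not."""
    return replay(SCENARIO, account_lockout=False)


def account_lockout_outcome():
    """Account Lockout enabled: both addresses are refused after the third failure."""
    return replay(SCENARIO, account_lockout=True)


if __name__ == "__main__":
    print("default       :", default_mode_outcome())
    print("account lockout:", account_lockout_outcome())
```

Running the two replays side by side reproduces the observation in the problem statement: with the default policy the fourth attempt succeeds from the new address while the fifth is still refused from the original one, and with Account Lockout enabled both of the last two attempts are refused regardless of the correct password.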