
> Learn how brute-force protection works in Auth0 and how to configure responses.

# Brute-Force Protection

<Tooltip tip="Brute-force Protection: Form of attack protection that safeguards against brute-force attacks that occur from a single IP address and target a single user account." cta="View Glossary" href="/docs/glossary?term=Brute-force+protection">Brute-force protection</Tooltip> safeguards your tenant against attackers who use a single IP address to target a single user account. By default, Brute-force protection is enabled when you create an Auth0 tenant.

When a given IP address tries and fails multiple times to log in as the same user, brute-force protection:

* Blocks the suspicious IP address from logging in as that user.
* Sends a [notification](#notifications) to the affected user.

<Warning>
  Brute-force protection safeguards apply to all users, including tenant administrators. Ensure your tenant has a secondary administrator in order to unblock other administrator accounts.
</Warning>

## Block removal events

If an IP address is blocked due to brute-force protection, it remains blocked until one of these events occurs:

* An administrator [removes the block](https://auth0.com/docs/api/management/v2/#!/User_Blocks/get_user_blocks).
* An administrator raises the **Brute Force Threshold** described below.
* Thirty (30) days pass from the last failed login attempt.
* The affected user selects the unblock link in the email notification (if configured).
* The affected user changes their password (on all linked accounts).

<Callout icon="file-lines" color="#0EA5E9" iconType="regular">
  In cases where a user's account (email) is linked through multiple connections, such as an OTP account and a database account, and they change their password on only one, the block will not be removed. The user must change their passwords on each account (connection type).
</Callout>

## Brute Force Threshold behavior

Auth0 applies brute-force protection for a given [user identifier](/docs/authenticate/database-connections/flexible-identifiers-and-attributes#attribute-and-identifier-definitions) after that user consecutively fails to authenticate a number of times equal to your configured **Brute Force Threshold**.

Auth0 applies these protections immediately after we complete the processing of the failed login attempt that meets the threshold.

<Callout icon="file-lines" color="#0EA5E9" iconType="regular">
  If you're using an Auth0 SDK that uses asynchronous methods, you may notice that a user identifier can submit more authentication requests successively to your application than your configured **Brute Force Threshold**.

  Although it appears that your threshold is not being enforced, Auth0 immediately applies brute-force protection after we receive and process the request that meets the **Brute Force Threshold**, and then responds to any subsequent requests from the given user identifier with an HTTP 429 [`too_many_attempts` error](/docs/libraries/common-auth0-library-authentication-errors#sign-up).
</Callout>

## Configure brute-force protection

Auth0 strongly recommends that you do not disable brute-force protection for the connection. If you disable it, you can enable it again using the Dashboard.

<Warning>
  Enabling attack protection features without any response settings enabled activates Monitoring mode, which records related events in your tenant log only. To learn more, read [View Attack Protection Log Events](/docs/secure/attack-protection/view-attack-protection-events).
</Warning>

1. Go to [Dashboard > Security > Attack Protection](https://manage.auth0.com/#/security/attack-protection) and select **Brute-force Protection**. Enable the toggle at the top of the page if it is disabled.
2. In the **Detection** section:

   1. Under **Brute Force Threshold**, select **Default** to set the attempts threshold to 10 or select **Custom** to set the attempts threshold to a value between 1 and 100.
   2. Under **Manage IP Addresses**, enter the list of trusted IP addresses in the **IP AllowList** field. Brute-force protection will not be enforced for login attempts originating from these IP addresses.
3. In the **Response** section:

   1. Under **Block Settings**, enable the **Block Brute-force Logins** toggle to block attempts from suspicious IP addresses to safeguard against brute-force attacks that occur from a single IP address and target a single user identifier.
   2. Under **Block Settings**, enable **Account Lockout** to trigger blocks irrespective of IP address. When this setting is enabled and a user consecutively attempts and fails to log in, future attempts to log in with that user identifier from any IP address will be blocked. You can adjust the maximum number of attempts under **Brute Force Threshold**. By default, the **Account Lockout** toggle is disabled.
   3. Under **Notifications**, enable the **Send notifications to the affected users** toggle to send an email notification to the user when their account has been blocked.
4. Click **Save**.
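The threshold, IP AllowList and Account Lockout settings above, together with the threshold behavior described earlier (the request that meets the threshold still completes as an ordinary failure; only subsequent requests are refused with `too_many_attempts`), are modelled in the following example. It is added here for illustration and is not Auth0's code; it assumes that a successful login resets the consecutive-failure count, and that the password-change block removal event clears both per-IP and Account Lockout blocks for that user.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class BruteForceConfig:
    threshold: int = 10             # Dashboard "Default" is 10; "Custom" accepts 1 to 100
    ip_allowlist: tuple = ()        # trusted IPs or CIDR ranges (the IP AllowList field)
    account_lockout: bool = False   # block the identifier from any IP, not only the offending IP

    def __post_init__(self):
        if not 1 <= self.threshold <= 100:
            raise ValueError("Brute Force Threshold must be between 1 and 100")


class BruteForceGuard:
    """Keeps a consecutive-failure count per (IP, user identifier) as the docs describe.
    Assumption: a successful login resets that count ("consecutively fails")."""

    def __init__(self, cfg):
        self.cfg = cfg
        self.failures = {}          # (ip, user) -> consecutive failed attempts
        self.blocked_pairs = set()  # (ip, user) blocked by "Block Brute-force Logins"
        self.blocked_users = set()  # user identifiers blocked by "Account Lockout"

    def _allowlisted(self, ip):
        return any(ip_address(ip) in ip_network(net, strict=False) for net in self.cfg.ip_allowlist)

    def attempt(self, ip, user, credentials_ok):
        """Returns 'ok', 'failed', or 'too_many_attempts' (the HTTP 429 outcome)."""
        if self._allowlisted(ip):                       # protection is never enforced here
            return "ok" if credentials_ok else "failed"
        if (ip, user) in self.blocked_pairs or user in self.blocked_users:
            return "too_many_attempts"                  # refused even with the right password
        if credentials_ok:
            self.failures.pop((ip, user), None)
            return "ok"
        count = self.failures.get((ip, user), 0) + 1
        self.failures[(ip, user)] = count
        if count >= self.cfg.threshold:                 # this request still completes as a
            self.blocked_pairs.add((ip, user))          # plain failure; the next one is blocked
            if self.cfg.account_lockout:
                self.blocked_users.add(user)
        return "failed"

    def password_changed(self, user):
        """Block removal event: the affected user changes their password."""
        self.blocked_users.discard(user)
        self.blocked_pairs = {p for p in self.blocked_pairs if p[1] != user}
        self.failures = {k: v for k, v in self.failures.items() if k[1] != user}
```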

## Notifications

If **Send notifications to the affected users** is enabled, Auth0 sends an SMS or email notification to a user when their account has been blocked.

### SMS

Auth0 sends an SMS to the user if they use a phone identifier in the login flow. SMS notifications are limited to a maximum of 1 per hour per identifier.

### Email

Auth0 sends an email to the user if they have an email address associated with their account. Email notifications are limited to a maximum of 1 per hour per unique IP address.

By default, email notifications contain a link that allows the user to unblock their account. To learn more, read [Customize Blocked Account Emails](/docs/customize/email/customize-blocked-account-emails).

## Special use cases

Because brute-force protection depends on the IP address of the user, the following use cases require additional configuration.

### Resource Owner Password (ROP) flow

To ensure brute-force protection works correctly when using the ROP flow, you must configure your application to include the user’s IP address in requests using the `auth0-forwarded-for` header.

To learn more, read [Avoid Common Issues with Resource Owner Password Flow and Attack Protection](/docs/get-started/authentication-and-authorization-flow/resource-owner-password-flow/avoid-common-issues-with-resource-owner-password-flow-and-attack-protection).
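The following example, added here and not part of Auth0's own libraries, shows a backend building the ROP token request with the `auth0-forwarded-for` header set to the end user's address, and classifying the `too_many_attempts` response. The request is returned as a plain dict for whatever HTTP client you use; the tenant domain, client credentials and the sample 429 body are constructed placeholders.

```python
from ipaddress import ip_address

# Constructed sample of the body Auth0 returns once the threshold has been met (shape only).
SAMPLE_BLOCKED_RESPONSE = (429, {"error": "too_many_attempts",
                                 "error_description": "Your account has been blocked."})


def build_rop_token_request(domain, client_id, client_secret, username, password, client_ip):
    """Describe the POST /oauth/token call for the Resource Owner Password grant.

    client_ip must be the end user's address as your backend observed it (the TCP peer,
    or a value set by a proxy you control), never a header the browser can set itself:
    Auth0 attributes the attempt to whatever you forward, so a client-controlled value
    would make the per-IP count land on the wrong address.
    """
    ip_address(client_ip)  # ValueError on anything that is not a literal IPv4/IPv6 address
    return {
        "url": f"https://{domain}/oauth/token",
        "headers": {
            "Content-Type": "application/json",
            "auth0-forwarded-for": client_ip,  # lets brute-force protection see the real source
        },
        "json": {
            "grant_type": "password",
            "client_id": client_id,
            "client_secret": client_secret,
            "username": username,
            "password": password,
        },
    }


def classify_token_response(status, body):
    """Map an /oauth/token response to an outcome the calling application can act on."""
    if status == 200 and "access_token" in body:
        return "authenticated"
    if status == 429 and body.get("error") == "too_many_attempts":
        return "blocked"  # protection tripped: do not retry; point the user at the unblock email
    if status == 403 and body.get("error") == "invalid_grant":
        return "invalid_credentials"  # standard OAuth 2.0 error for a wrong username/password
    return "error"
```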

### Proxies and shared IP addresses

Users behind a proxy are more likely to reach set limits and trigger brute-force protection.

Use the **IP AllowList** feature to exempt a specific IP address or CIDR range from triggering brute-force protection.

## Learn more

* [Flexible Identifiers and Attributes](/docs/authenticate/database-connections/flexible-identifiers-and-attributes)
* [Activate and Configure Attributes for Flexible Identifiers](/docs/authenticate/database-connections/activate-and-configure-attributes-for-flexible-identifiers)
* [Customize Blocked Account Emails](/docs/customize/email/customize-blocked-account-emails)
* [View Attack Protection Log Events](/docs/secure/attack-protection/view-attack-protection-events)
* [User/Password Authentication Rate Limits](/docs/troubleshoot/customer-support/operational-policies/rate-limit-policy/database-connections-rate-limits)
