Understanding Multiple Failed Silent Authentication (fsa) Logs

Overview

Multiple Failed Silent Auth (fsa) events may appear in the tenant logs, even when Suspicious IP Throttling and Brute-force Protection are enabled. This can lead to concerns about whether the Attack Protection features are working correctly, as they are expected to block an IP that fails to log in repeatedly.

Applies To
  • Silent Authentication

  • Attack Protection

  • Tenant Logs

Cause

Attack Protection features such as Suspicious IP Throttling and Brute-force Protection are not designed to be triggered by fsa events.

An fsa event occurs when a prompt=none request cannot be completed, most often because the user does not have an active session with Auth0. A high number of fsa events is common and does not typically indicate a malicious attack. These events can be caused by:

  • A misconfigured application making excessive or unnecessary silent authentication requests.

  • A "single logout" implementation that clears the user's session.

Solution

If a high volume of fsa events is observed, review the application's configuration to ensure that silent authentication calls are being made appropriately and are not excessive.
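To find which application to review, fsa events from an exported copy of the tenant logs can be grouped by client and source IP. The following is an added example, not code from Auth0: it assumes each exported event carries the `type`, `date`, `client_id` and `ip` fields, and the sample events, the 60-second window and the threshold of 5 are constructed values for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def parse_ts(value):
    # Assumes ISO 8601 UTC dates with milliseconds, e.g. 2024-05-01T10:00:00.000Z
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ")

def noisy_silent_auth(events, window=timedelta(seconds=60), threshold=5):
    """Map (client_id, ip) -> peak number of fsa events inside any sliding
    window, keeping only pairs whose peak reaches the threshold."""
    stamps_by_source = defaultdict(list)
    for event in events:
        if event.get("type") != "fsa":  # ignore every other event type
            continue
        key = (event.get("client_id"), event.get("ip"))
        stamps_by_source[key].append(parse_ts(event["date"]))
    flagged = {}
    for key, stamps in stamps_by_source.items():
        stamps.sort()
        start = peak = 0
        for end, ts in enumerate(stamps):
            # Slide the window start forward until it spans at most `window`.
            while ts - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[key] = peak
    return flagged

def _event(kind, client, ip, offset_s):
    # Helper that builds a constructed log event for the sample below.
    ts = datetime(2024, 5, 1, 10, 0, 0) + timedelta(seconds=offset_s)
    return {"type": kind, "client_id": client, "ip": ip,
            "date": ts.strftime("%Y-%m-%dT%H:%M:%S.000Z")}

# Constructed sample: client_A retries silent auth every 5 seconds,
# client_B fails twice ten minutes apart, and one ssa event is mixed in.
SAMPLE = (
    [_event("fsa", "client_A", "203.0.113.10", 5 * i) for i in range(12)]
    + [_event("fsa", "client_B", "198.51.100.7", 0),
       _event("fsa", "client_B", "198.51.100.7", 600),
       _event("ssa", "client_A", "203.0.113.10", 70)]
)

if __name__ == "__main__":
    for (client, ip), peak in noisy_silent_auth(SAMPLE).items():
        print(f"{client} from {ip}: up to {peak} fsa events per 60 s")
```

A client that appears in the result is a candidate for the configuration review described above; occasional fsa events, such as those from client_B in the sample, stay below the threshold.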
