Understanding and Troubleshooting IP Throttling Caused by Multiple User Login Failures

Overview

This article explains why the following error occurs when login attempts originate from a single IP address in environments where multiple users share the same external IP address, such as in corporate or shared network settings:

 

too many login attempts with different usernames

 

This issue is associated with the Attack Protection feature, which is intended to prevent password spraying or brute-force attacks but can inadvertently block legitimate user traffic.

Applies To

  • Attack Protection - Suspicious IP Throttling
  • High volume of failed login attempts across different usernames
  • Shared external IP address environments

Cause

IP address throttling occurs because Attack Protection - Suspicious IP Throttling is enabled with the setting "Limit high-velocity traffic targeting too many accounts." This protective measure temporarily blocks an IP address when there are too many login attempts with different usernames originating from that IP. The issue is often exacerbated when an account connection does not have brute-force protection enabled, allowing many failed attempts for different users to occur without blocking the individual accounts. A high volume of warning count events for consecutive failed login attempts with different usernames (event code limit_wc) from a single IP address triggers the subsequent Multiple-User limited (MU) IP throttle (event code limit_mu).

Solution

This section provides steps to identify the throttling event and mitigate the issue.

 

To identify the IP throttling event, use the Auth0 Logs:

  1. Search the logs for the event code: limit_mu
    1. This event code indicates that a request was throttled because the IP address was Multiple-User limited (MU) with the message "too many login attempts with different usernames."
    2. The logs associated with this event contain the IP address that was throttled.
  2. Search the logs for the event code: limit_wc
    1. This event code indicates a Warning Count for consecutive failed login attempts for different usernames.

To mitigate an issue with a critically blocked, trusted IP address:

  1. Navigate to Security > Attack Protection > Suspicious IP Throttling.
  2. Add the trusted IP address to the IP Allow List. This action immediately exempts the IP address from the specific throttling rule.

To gain better visibility and longer retention of blocked IP addresses:

  • Utilize Log Streams with an external system (for example, an external webhook, Amazon Simple Storage Service (S3), Azure Event Grid, or Splunk).
  • Export Auth0 logs in real-time to the external system to:
    • Persist the limit_mu events beyond the standard Auth0 retention period.
    • Build a real-time dashboard or alerts to monitor when new IP addresses are being blocked.
    • Track the frequency of the limit_mu events for a specific IP address to indirectly determine when the throttling has ended.
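The following sketch shows how the exported events could be tracked per IP address. It is an added example, not Auth0 code: the sample events are constructed, the field names (type, ip, date, user_name) and the optional "data" wrapper are assumptions about the exported event shape, and the 15-minute quiet window is a hypothetical heuristic rather than an Auth0 setting.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, one JSON object per line (not real tenant data).
SAMPLE_LOGS = """\
{"type": "limit_wc", "ip": "203.0.113.10", "date": "2024-05-01T09:00:05.000Z", "user_name": "a@example.com"}
{"type": "limit_wc", "ip": "203.0.113.10", "date": "2024-05-01T09:00:40.000Z", "user_name": "b@example.com"}
{"type": "limit_mu", "ip": "203.0.113.10", "date": "2024-05-01T09:01:00.000Z", "user_name": "c@example.com"}
{"data": {"type": "limit_mu", "ip": "203.0.113.10", "date": "2024-05-01T09:02:30.000Z", "user_name": "d@example.com"}}
{"type": "s", "ip": "203.0.113.10", "date": "2024-05-01T09:03:00.000Z", "user_name": "a@example.com"}
{"type": "limit_wc", "ip": "198.51.100.7", "date": "2024-05-01T09:05:00.000Z", "user_name": "e@example.com"}
{"type": "limit_mu", "ip": "192.0.2.44", "date": "2024-05-01T08:00:00.000Z", "user_name": "f@example.com"}
"""
SAMPLE_NOW = datetime.fromisoformat("2024-05-01T09:10:00+00:00")

def parse_ts(value):
    # Replace the trailing "Z" so older Python versions can parse the timestamp.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def summarize(lines, now, quiet_after=timedelta(minutes=15)):
    """Count limit_wc/limit_mu per IP; quiet_after is an assumed heuristic, not an Auth0 setting."""
    stats = defaultdict(lambda: {"limit_wc": 0, "limit_mu": 0, "users": set(), "last_mu": None})
    for line in filter(str.strip, lines):
        event = json.loads(line)
        event = event.get("data", event)  # assumed wrapper around streamed events
        if event.get("type") not in ("limit_wc", "limit_mu") or "ip" not in event:
            continue
        entry = stats[event["ip"]]
        entry[event["type"]] += 1
        if event.get("user_name"):
            entry["users"].add(event["user_name"])
        if event["type"] == "limit_mu":
            seen = parse_ts(event["date"])
            entry["last_mu"] = max(seen, entry["last_mu"] or seen)
    report = {}
    for ip, entry in stats.items():
        if entry["last_mu"] is None:
            state = "warning"      # limit_wc only: failures are accumulating
        elif now - entry["last_mu"] <= quiet_after:
            state = "throttled"    # recent limit_mu: likely still blocked
        else:
            state = "quiet"        # no recent limit_mu: throttle has likely ended
        report[ip] = {**entry, "users": len(entry["users"]), "state": state}
    return report

if __name__ == "__main__":
    for ip, row in sorted(summarize(SAMPLE_LOGS.splitlines(), SAMPLE_NOW).items()):
        print(ip, row["state"], row["limit_wc"], row["limit_mu"], row["users"])
```

An IP address in the "warning" state has only limit_wc events so far, which makes it a candidate for an alert before the limit_mu throttle is applied.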

To address frequent issues with legitimate users being blocked due to shared IP addresses, consider the following actions:

  • Review the affected connection to ensure that brute-force protection is appropriately configured to block individual accounts after a few failed attempts, which prevents the overall IP throttle.
  • Adjust the thresholds in the Suspicious IP Throttling settings, but proceed with caution because this may reduce protection against attacks.
