Keycloak is erroneously showing brute force warnings in log

Keycloak appears to be erroneously thinking that a brute force login is occurring. This is in the log:
WARN [] (Brute Force Protector) KC-SERVICES0053: login failure for user xxx

We wrote a plug in to use SMS text messaging for the two factor confirmation code. The user is directly to a screen to enter their phone number. We call that the “setup phase”. In the action method that is called when the user submits that form, the auth session note that we use a flag to indicate that we are waiting for the user to confirm the code is gone. The Brute Force message is in the keycloak log. My theory is that Keycloak is clearing all auth session notes out because it things a brute force attack is occurring.

My question is what is triggering the brute force warning? All we have done is ask the user to select a country and enter a phone number.

Another question: Is my assumption correct that when the brute force attack is detected, the all session notes are cleared?