Learn how to detect authentication anomalies with ThisData to improve login security.
Anomaly Detection is the process of identifying events which are out of place or unusual. Detecting anomalies in web applications can reveal signs of malicious activity or hackers, and responding to those anomalies automatically helps keep our users safe.
A common example is the email you might have gotten from Google or Facebook when you log in from a new computer or location. You usually log in using a MacBook from your beachfront office in Fiji, and now you're logging in from Siberia using Linux. The “was this you?” email is a result of anomaly detection, and in this post we're going to supercharge your Auth0 login process with ThisData's login intelligence to achieve the same results.
ThisData gives you real-time detection of account takeover for web and mobile apps. It identifies users based on context and notifies you or your users immediately if an account has been breached, just like Google.
In a previous guest post on the ThisData blog we learned how to use ThisData's anomaly detection rules to stop attackers from logging in to your user's accounts via Auth0.
In this post, you’ll learn how to implement Account Takeover Detection via ThisData in your Auth0 app in just 6 simple steps.
Let's Get Started
1. Sign Up for a ThisData Account
Browse to thisdata.com and create a free 30 day trial account, as shown below.
2. Get Your API Key
In the first step of ThisData's quickstart is your API key. Please make note of it, as you will be needing it later.
3. Set Up an Auth0 App
In the Auth0 Dashboard, create a new client and choose Single Page Web Application, as shown in the following screenshot.
Once you’ve created a client, head over to the Settings section of the dashboard and take note of your Domain, Client ID, and Client Secret as shown below.
Clone this sample app from Github, open up
auth0-variables.js, and add your Auth0 credentials like so:
var AUTH0_CLIENT_ID='xxxxxxxxxxx'; var AUTH0_DOMAIN='xxxxxxx.auth0.com'; var AUTH0_CALLBACK_URL=location.href;
4. Integrate ThisData
In the Auth0 dashboard, click on the Rules section in the main navigation, then click on the "Create Rule" button located at the top right of the page.
A list of available rule templates will be presented to you as shown in the diagram below. Choose the “Account Takeover Detection via ThisData” rule.
This rule is designed to detect phished or compromised user accounts. Even if the primary user authentication is approved, it will deny access to a user if the login appears to be highly suspicious. It relies on ThisData anomaly detection algorithms which take into account factors like:
- Time of the day
- Tor usage
- Location & Velocity
- Risky IP addresses
- Machine Learning
- ...and much more.
ThisData has a risk score that is attached to every login event. A higher risk score indicates a more significant anomaly was detected. If the risk is high, the user can still log in, but we can also send a notification to their email address to verify it was really them.
The "Account Takeover Prevention via ThisData" rule will block a login attempt if the risk is too high.
After clicking on the rule, the rule editor will show up. Here, you can see the code that integrates ThisData with your login process. It's nice and simple—it pushes some metadata to ThisData's API when your user logs in.
Get your ThisData API key and paste it in the Settings section, as shown in the following screenshot. The rule will have access to it as an environment variable.
5. Turn on Notifications
Turning on notifications is optional, but awesome! Notifications help your users take action when their account is attacked.
Head over to your ThisData account and browse to API Settings. In the sidebar, click User Notifications. Click the checkbox next to Send email to turn on end user notifications.
You can also upload your company logo here, or enable Slack notifications by clicking Integrations in the sidebar.
6. Run & Test Your App
Now let's run our sample Auth0 app and see how it all works.
On a mac you can run the app by typing
python -m SimpleHTTPServer 8000in the command line.
Open up your browser and run the app like so:
Log into your application, and then head over to the ThisData website. You will see the recorded login event with an associated risk score, as follows:
If there is irregular activity like a sudden change in device or location, accessing the website at an unusual time, using Tor, or other anomalies, then your user will receive an email like this:
And your Slack channel might look like this:
In the example above, the user was immediately notified of suspicious access to their account. They then responded by clicking "No it wasn't [me]" in the email. The initial alert and the response are also visible to your ops team in Slack.
You can configure ThisData to take automated action too—learn how by reading "Create a security workflow with Alert Webhooks" in ThisData's documentation.
It is super simple to integrate ThisData into your authentication process when building an app that uses Auth0. ThisData allows you to detect login anomalies to better protect your users and your app from cyber-criminals.
Cyber-attacks are on the rise, so taking these simple security precautions helps ensure that your users and apps are safe. Make your applications more secure today with ThisData and Auth0!