Attacks on an identity infrastructure using stolen credentials are a difficult problem to solve. Credential stuffing attacks occur when a bad actor sends scripted, automated login attempts to an application or website in extremely high volumes, with the objective of gaining access to user accounts. This is an increasingly common problem: on any given day, up to 69% of login attempts on the Auth0 infrastructure are suspected to have originated from credential stuffing attacks.
This type of attack can be quite sophisticated. Sometimes they come in the form of hundreds of thousands of login requests to a site in a short time window, at a very high velocity, and from a relatively small number of IP addresses from unusual locations. They can also come in the form of scripts that send traffic using tactics to dynamically evolve their velocity, location, and number of IP addresses to avoid detection.
Generally, solving this problem involves a tradeoff between usability and security, in which user experience pays the price. Measures like multi-factor authentication (MFA) are effective in limiting the success rates for a script involved in a credential stuffing attack, but they also add friction for legitimate users.
To tip the scale in favor of user experience, malicious bots and scripts need to be detected and rejected before a login call is even processed by the authentication server. Doing so enables you to limit the impact of credential stuffing attacks while delivering a better experience for the end user.
Bot Detection from Auth0
Auth0 is launching Bot Detection, the first in a series of features to detect credential stuffing attacks on the login flow. Once enabled, this feature will use a variety of signals to assess the likelihood that a login call originates from a scripted attack. If the risk assessment is high, a CAPTCHA step is inserted into the login flow.
Bot Detection will be supported at launch with Auth0’s Universal Login experience. For customers who have built more customized user experiences using native SDKs such as
lock.js and mobile SDKs such as a
lock.swift, Auth0 will support an exception scenario so that customers can recognize a risky call and take steps to render a CAPTCHA step on the screen. The feature will also support presenting CAPTCHA using a generic flow or a customer’s own Google reCAPTCHA.
Mitigating Abuse with Auth0
Bot Detection will be the latest addition to Auth0’s collection of features designed to prevent abuse, including Breached Password Detection, Brute Force Protection, and MFA. These features help customers mitigate the tradeoffs between security and usability without unnecessary compromises to user experience.
- Credential Stuffing Attacks: What They Are and How to Combat Them
- The Anatomy of a Credential Stuffing Attack
Auth0 is the first identity management platform for application builders, and the only identity solution needed for custom-built applications. With a mission to secure the world’s identities so innovators can innovate, Auth0 provides the simplicity, extensibility, and expertise to scale and protect identities in any application, for any audience. Auth0 secures more than 100 million logins each day, giving enterprises the confidence to deliver trusted and elegant digital experiences to their customers around the world.
Auth0 provides a platform to authenticate, authorize, and secure access for applications, devices, and users. Security and application teams rely on Auth0's simplicity, extensibility, and expertise to make identity work for everyone. Safeguarding billions of login transactions each month, Auth0 secures identities so innovators can innovate, and empowers global enterprises to deliver trusted, superior digital experiences to their customers around the world.