Credential stuffing attacks (also known as list validation attacks) occur when bad actors automate the process of trying many username and password combinations, usually stolen from another site, against a large number of accounts in a short period of time. According to recent statistics, as many as 71% of accounts use the same password across multiple sites, so a credential stuffing attack has a real chance of successfully logging into your system with credentials stolen elsewhere.
Use Bot Detection to provide a standard level of protection against credential stuffing attacks with minimal friction for legitimate users. This protection is enabled by default for all connections.
How it works
Auth0 applies statistical models to a large volume of sign-in data to identify patterns that signal a credential stuffing attack in progress and to determine when a burst of traffic is likely to come from a bot or script. Users who attempt to sign in or to create accounts from IP addresses judged to have a high likelihood of credential stuffing see a CAPTCHA step. The triggers are tuned so that this happens only for bad traffic; the objective is to show no friction to legitimate users. The block remains in place until the user changes their password.
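To make the idea of a per-IP burst concrete, here is an added, deliberately simplified illustration of the kind of signal described above. It is not Auth0's model or code: it runs a sliding-window rule over a few constructed sign-in log lines and flags an IP for a CAPTCHA step only when it produces many attempts against many distinct usernames in a short window. The thresholds (60 seconds, 8 attempts, 5 distinct usernames), the log format and the IP addresses are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of sign-in attempts: "timestamp ip username result".
# These lines are made up for the example; they are not Auth0 log output.
SAMPLE_LOG = """\
2024-01-01T10:00:00Z 198.51.100.10 alice success
2024-01-01T10:03:12Z 198.51.100.10 alice success
2024-01-01T10:00:00Z 203.0.113.7 user001 failed
2024-01-01T10:00:01Z 203.0.113.7 user002 failed
2024-01-01T10:00:02Z 203.0.113.7 user003 failed
2024-01-01T10:00:03Z 203.0.113.7 user004 failed
2024-01-01T10:00:04Z 203.0.113.7 user005 success
2024-01-01T10:00:05Z 203.0.113.7 user006 failed
2024-01-01T10:00:06Z 203.0.113.7 user007 failed
2024-01-01T10:00:07Z 203.0.113.7 user008 failed
2024-01-01T10:00:08Z 203.0.113.7 user009 failed
2024-01-01T10:00:09Z 203.0.113.7 user010 failed
2024-01-01T10:00:00Z 192.0.2.44 carol failed
2024-01-01T10:00:05Z 192.0.2.44 carol failed
2024-01-01T10:00:09Z 192.0.2.44 carol success
"""


def parse_log(text):
    """Group attempts by client IP as (timestamp, username, succeeded) tuples, sorted by time."""
    events = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events[ip].append((when, user, result == "success"))
    for ip in events:
        events[ip].sort(key=lambda e: e[0])
    return events


def busiest_window(attempts, window):
    """Return (attempt_count, distinct_users, failures) for the densest time window of one IP."""
    best = (0, 0, 0)
    start = 0
    for end in range(len(attempts)):
        # Advance the window start until every attempt in it lies within `window` of the newest.
        while attempts[end][0] - attempts[start][0] > window:
            start += 1
        current = attempts[start:end + 1]
        count = len(current)
        users = len({user for _, user, _ in current})
        failures = sum(1 for _, _, ok in current if not ok)
        if count > best[0]:
            best = (count, users, failures)
    return best


def assess_ip(attempts, window=timedelta(seconds=60), min_attempts=8, min_distinct_users=5):
    """Decide whether an IP's burst looks like credential stuffing (assumed thresholds).

    Requiring BOTH a high attempt count AND many distinct usernames is what keeps a single
    user fumbling their own password from being challenged: that is the low-friction goal.
    """
    count, users, failures = busiest_window(attempts, window)
    burst = count >= min_attempts and users >= min_distinct_users
    return {
        "attempts": count,
        "distinct_users": users,
        "failures": failures,
        "action": "captcha" if burst else "allow",
    }


def assess_log(text, **thresholds):
    """Run the rule over every IP in the log and return the per-IP verdicts."""
    return {ip: assess_ip(attempts, **thresholds) for ip, attempts in parse_log(text).items()}


if __name__ == "__main__":
    for ip, verdict in assess_log(SAMPLE_LOG).items():
        print(ip, verdict)
```

In the sample, `203.0.113.7` makes ten attempts against ten different usernames in nine seconds and is sent to the CAPTCHA step, while `192.0.2.44` (one user, three tries) and `198.51.100.10` are allowed through. A single-IP rule like this is only a teaching device: attackers spread credential stuffing across many source addresses, which is why the page describes a model over a much larger set of signals rather than a per-IP counter.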
Restrictions and limitations
Bot Detection works for web and mobile apps that use Auth0's Universal Login. It is not supported in the sign-up or account recovery flows, and it works on most, but not all, authentication flows:
| Flow | Support |
|---|---|
| New Universal Login | Works automatically (enabled by default). |
| Classic Universal Login (Lock) | Works with Lock v11.20 or higher. |
| Classic Universal Login (auth0.js) | Currently unsupported. |
| | Returns an error message "Suspicious request requires validation" when an error code |
| Embedded Login | Does not work in this case. |