Auth0 can detect attacks and stop malicious attempts to access your application, for example by blocking traffic from certain IPs, displaying a CAPTCHA, or triggering multi-factor authentication (MFA).
When it comes to combating abuse, there is no silver bullet. Auth0 follows the security principle of layered protection, using a variety of signals to detect and mitigate attacks.
Auth0 attack protection provides the following options to mitigate attacks:
| Feature | Risk signal | How it works |
| --- | --- | --- |
| Brute-force Protection | Velocity of login attempts from an IP for a particular account. | Detects when a bad actor tries to log in to an account too many times within a period of time. |
| Suspicious IP Throttling | Velocity of login attempts from an IP for any number of accounts against a tenant. | Detects when a bot or script tries too many username/password combinations within a short period of time. |
| Breached Password Detection | Use of a password that appears in lists of breached passwords circulated on the dark web. | Stops users from using passwords that are known to have been breached on third-party sites. |
| Adaptive MFA | Behavioral patterns that determine when a login deviates from the known patterns for a particular account. | Triggers MFA only for users who sign in with a behavioral context that indicates the login is risky. |
| Bot Detection | IP reputation computed by analyzing the quality of traffic seen from each IP. | Triggers a CAPTCHA step when a login attempt comes from an IP suspected of being used by a bot. |
Attack detection, notification, and reporting
In the event of an attack, affected users are notified by email at most once per hour, regardless of the number of login attempts. For example, if a user tries to log in 200 times within 1 hour and 30 minutes, Auth0 sends 2 emails. The password reset links in these emails are valid for 5 days. You can customize the emails sent to your users.
In the event of an ongoing attack, traffic can be blocked from thousands of IP addresses at a time. Auth0 will send a single email to each administrator every hour that traffic is blocked, regardless of the number of IPs involved in the attack.
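To make the two velocity signals in the table concrete (brute force is per IP and account, suspicious IP throttling is per IP across accounts) and the once-per-hour notification rule above, here is an added illustration in Python. It is not Auth0's code, and the thresholds, window, IP addresses and account names are constructed assumptions.

```python
from collections import defaultdict, deque

# Thresholds and windows are illustrative assumptions, not Auth0's configured limits.
WINDOW = 600            # seconds over which attempt velocity is measured
BRUTE_FORCE_LIMIT = 10  # attempts on one account from one IP within WINDOW
THROTTLE_LIMIT = 5      # distinct accounts tried from one IP within WINDOW
NOTIFY_INTERVAL = 3600  # at most one email per account per hour

def analyze(events):
    """events: chronological (timestamp_seconds, source_ip, account) failed logins.
    Returns ({"brute_force": {(ip, account)}, "suspicious_ip": {ip}},
             {account: [timestamps at which a notification email was sent]})."""
    per_account = defaultdict(deque)  # (ip, account) -> attempt timestamps in window
    per_ip = defaultdict(deque)       # ip -> (timestamp, account) pairs in window
    last_email = {}
    alerts = {"brute_force": set(), "suspicious_ip": set()}
    emails = defaultdict(list)
    for ts, ip, account in events:
        # Signal 1: velocity of attempts from one IP against one particular account.
        q = per_account[(ip, account)]
        q.append(ts)
        while ts - q[0] > WINDOW:
            q.popleft()
        if len(q) >= BRUTE_FORCE_LIMIT:
            alerts["brute_force"].add((ip, account))
            # Notify the account owner, throttled to one email per hour however many attempts follow.
            if ts - last_email.get(account, -NOTIFY_INTERVAL) >= NOTIFY_INTERVAL:
                last_email[account] = ts
                emails[account].append(ts)
        # Signal 2: velocity of attempts from one IP spread across many accounts.
        p = per_ip[ip]
        p.append((ts, account))
        while ts - p[0][0] > WINDOW:
            p.popleft()
        if len({a for _, a in p}) >= THROTTLE_LIMIT:
            alerts["suspicious_ip"].add(ip)
    return alerts, dict(emails)

def sample_events():
    """Constructed log: one IP hammering one account 200 times over 90 minutes,
    another IP trying five different accounts once each, and one normal user."""
    ev = [(27 * i, "198.51.100.9", "alice@example.com") for i in range(200)]
    ev += [(1000 + i, "203.0.113.7", f"user{i}@example.com") for i in range(5)]
    ev += [(2000, "192.0.2.4", "bob@example.com"), (2030, "192.0.2.4", "bob@example.com")]
    return sorted(ev)

if __name__ == "__main__":
    print(analyze(sample_events()))
```

The per-account check flags only the single hammered account and sends its owner two emails for the 90-minute run, while the per-IP check catches the second IP even though it never touches any one account more than once.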