Bot Detection

Bot Detection mitigates scripted attacks by detecting when a request is likely coming from a bot. These types of attacks are sometimes called credential stuffing attacks or list validation attacks. Bot Detection provides support against certain attacks and adds very little friction to legitimate users. Auth Challenge is our default bot detection response, which provides a CAPTCHA-free user verification.

To learn more, read Credential Stuffing Attacks: What Are They and How to Combat Them.

Auth0 uses a large amount of data and statistical models to identify patterns that signal when bursts of login, signup, or password reset traffic are likely from a bot or script. Users who attempt to log in, create accounts, or reset passwords from IP addresses that have a high likelihood of being part of a credential stuffing attack are required to complete an additional verification step. The triggers detect traffic relating to these attacks without adding unnecessary friction to legitimate users.

Auth0 enables Bot Detection by default for all connections.

If you do not configure Response settings with Bot Detection enabled, Bot Detection operates in Monitoring mode. Monitoring mode records related events (with risk assessment information) in your tenant log for you to review. To learn more, read View Attack Protection Log Events.

You can enable tenant logs for Risk Assessment in the Auth0 Dashboard.

1. Go to Dashboard > Security > Attack Protection and select Bot Detection.

2. In the Detection section, enable the toggle.

   
   If you cannot see the toggle to enable tenant logs for Risk Assessment, you may need to upgrade your plan.

3. In the Response section, choose a bot detection response.

   

   When using Auth Challenge, the Fail open toggle is disabled by default.

   Auth Challenge is the default bot detection response, offering a CAPTCHA-free web experience with stronger privacy and a better user experience.

   As noted on the dashboard, this login experience requires Javascript; if your login experience is required to work without Javascript, select Simple CAPTCHA.

4. Select when you want to require CAPTCHA for password flows, passwordless flows, and password reset flows.

   • Never: Never require your users to complete a CAPTCHA to log in.

   • When Risky: Only require your users to complete a CAPTCHA if the login matches your Bot Detection Level setting.

   • Always: Always require your users to complete a CAPTCHA to log in.

5. If you choose When Risky or Always, the CAPTCHA Providers field will appear in the Response section. Select Auth Challenge (provided by Auth0), Simple CAPTCHA (provided by Auth0), or one of the supported third-party provider integrations (requires external setup and registration).

   • If you choose Auth Challenge or Simple CAPTCHA, you are done. If your login experience does not support JavaScript, you must select Simple CAPTCHA.

   • If you choose one of our third-party provider integrations, enter the provider’s configuration details. To learn more, read Configure third-party CAPTCHA provider integrations.

   • If you choose Simple CAPTCHA, the CAPTCHA image is not legible to screen readers.

6. If you choose When Risky, the Bot Detection Level field will appear in the Response section. Select the security level that best fits your use case. For more information, read Configure Bot Detection Level.

7. Select Save.

Configure the Bot Detection Level setting to match your risk tolerance and business needs.

There are three settings to choose from:

1. Low: Triggers CAPTCHA when there is a high chance of bot activity, providing a relatively frictionless experience for real users.

2. Medium: Default. Triggers CAPTCHA when there is a moderate chance of bot activity, providing a balance of security and experience for real users.

3. High: Triggers CAPTCHA when there is a small chance of bot activity, providing more security but potentially more friction for real users.

You can allow up to 100 discrete IP addresses and/or CIDR ranges (IPv4 or IPv6) to bypass Bot Detection by adding them to the IP AllowList field. Auth0 does not enforce blocking and does not send alerts for IP addresses or CIDR ranges on this list.

1. Go to Dashboard > Security > Attack Protection, and select Bot Detection.

2. In the IP AllowList field, enter the IP addresses and/or CIDR ranges you want to bypass Bot Detection. Separate multiple addresses or ranges with commas.

Auth0 provides a signup detection machine-learning model, distinct from the login model, that addresses different attack types by analyzing unique signals.

This model allows CAPTCHA to behave differently between signup and login flows to provide stronger protection against signup attacks and align with the latest security advancements.

You can configure the detection model that Bot Detection uses for signup flows when using a Custom Login Page or the Classic Login Experience in the Auth0 Dashboard.

1. Go to Dashboard > Security > Attack Protection, and select Bot Detection.

2. Locate the Detection Models section.

3. Enable the toggle for Signup detection models for custom and classic login pages.

Bot Detection works for web and mobile applications that use Auth0 Universal Login. For applications that do not use Universal Login, levels of support are limited, in particular for flows that cannot support a CAPTCHA or reCAPTCHA challenge.

Ensure all of your login experiences are supported before you enable Bot Detection, or you may introduce errors into your application.

Depending on the types of connections you use, Bot Detection has the following limitations.

If you build a custom login page using Auth0.js, you can enable Bot Detection to render a CAPTCHA step in scenarios when a login request is determined by Auth0 to be high-risk.

Your custom login form code must handle scenarios where the user is asked to pass a CAPTCHA step. To learn more, read Add Bot Detection to Custom Login Pages.

If you build native applications using an Auth0 SDK for the login flow, you can enable Bot Detection to render a CAPTCHA step in scenarios when a login request is determined by Auth0 to be high-risk.

Your custom login form code must handle scenarios where the user is asked to pass a CAPTCHA step. To learn more, read Add Bot Detection to Native Applications.

• Configure Third-Party CAPTCHA Provider Integrations
• Add Bot Detection to Custom Login Pages
• Add Bot Detection to Native Applications
• Breached Password Detection
• Brute-Force Protection
• Suspicious IP Throttling