Bot Detection

Credential stuffing attacks (also known as list validation attacks) occur when bad actors automate the process of trying username and password combinations (usually stolen from another site) for many accounts in a short period of time. According to recent statistics, as many as 71% of accounts use the same password across multiple sites, so a credential stuffing attack has the potential to successfully log in to your system.

Use Bot Detection to provide a standard level of protection against credential stuffing attacks with minimal friction for legitimate users. This protection is enabled by default for all connections.

Download this free whitepaper to learn how Auth0 can help you combat credential stuffing attacks.

Auth0 uses a large amount of data and statistical models to identify patterns that signal when bursts of traffic are likely to be from a bot or script. Users who attempt to sign in or create accounts from IPs that are determined to have a high likelihood of being part of a credential stuffing attack will see a CAPTCHA step. The triggers are designed so that this only happens for bad traffic; the objective is to not show any friction to legitimate users.

Attack Protection - CAPTCHA Login Screen Example

Before you enable Bot Detection, make sure your flows are supported by the feature. For details, see Restrictions and limitations below.

Go to Dashboard > Security > Attack Protection.
Select Bot Detection.
Locate the switch at the top of the page and toggle it.

If you cannot see the toggle to enable this feature, you may need to upgrade your plan.

Bot protection works for web and mobile apps that use Auth0's Universal Login. For experiences that do not use Auth0’s Universal Login, levels of support are limited, in particular for flows that cannot support a CAPTCHA challenge. Please ensure all of your login experiences are supported before turning on this feature, or you may introduce errors into your application.

Connection Type	Limitation
Database connections Custom database connections Active Directory/LDAP connections	Supported if the login uses a compatible login flow as described in the table below.
Enterprise connections Social Login Passwordless connection	Not supported.

Flow	Limitation
New Universal Login	Supported by default.
Classic Universal Login (no customizations)	Supported by default.
Classic Universal Login (custom login page using Lock template `lock.js` widget)	Supported if using Lock version 11.26 or greater of Auth0’s Lock widget. Work with Auth0 Support to enable this feature.
Classic Universal Login (custom login page using Custom Login Form template `lock.js` widget)	Supported if using `auth0.js` version 9.14 or greater to build custom login pages only if you enhance your code to handle a CAPTCHA challenge. Work with your TAM to enable this feature.
Classic Universal Login (custom login page using Passwordless template)	Not supported.
Web or native apps using Resource Owner Password Flow (including those using `lock.android` and `lock.swift` SDKs)	Not supported.
Native apps using newest version of SDKs	Supported. The SDKs handle a risky login by invoking the Universal Login flow.
Flows not hosted by Auth0 using `lock.js`, `auth0.js` which perform cross-origin authentication (`co/authenticate` endpoint)	Not supported.

If you build a custom login page using auth0.js, you can enable Bot Detection to render a CAPTCHA step in scenarios when a login request is determined by Auth0 to be high-risk. Your custom login form code must handle scenarios where the user is asked to pass a CAPTCHA step.

If you build native applications using an Auth0 SDK for the login flow, you can enable Bot Detection to render a CAPTCHA step in scenarios when a login request is determined by Auth0 to be high-risk. Your custom login form code must handle scenarios where the user is asked to pass a CAPTCHA step.

Docs

Bot Detection

Bot Detection

How it works

Enable or disable Bot Detection

Restrictions and limitations

Native application support

Keep reading

Was this article helpful?

Bot Detection

Configuration

Bot Detection

How it works

Enable or disable Bot Detection

Restrictions and limitations

Custom login page support

Native application support

Keep reading

Was this article helpful?