Bot Detection

Before you start

To use one of the supported third-party CAPTCHA provider integrations, you need the provider’s configuration details. To learn more, read Configure third-party CAPTCHA provider integrations.

Bot Detection mitigates scripted attacks by detecting when a request is likely coming from a bot. These attacks are sometimes called credential stuffing attacks or list validation attacks: an attacker replays large lists of username and password pairs, or probes which email addresses have accounts, using automated clients. Bot Detection blocks this class of attack while adding very little friction for legitimate users. Auth Challenge is the default bot detection service and provides CAPTCHA-free user verification.

To learn more, read Credential Stuffing Attacks: What Are They and How to Combat Them.

Auth0 uses a large amount of data and statistical models to identify patterns that signal when bursts of login or signup traffic are likely from a bot or script. Users who attempt to log in or create accounts from IP addresses that have a high likelihood of being part of a credential stuffing attack see a CAPTCHA step. The triggers detect traffic relating to these attacks without adding unnecessary friction to legitimate users.


Configure Bot Detection

Auth0 enables Bot Detection by default for all connections.

If you do not configure Response settings with Bot Detection enabled, Bot Detection operates in Monitoring mode. Monitoring mode records related events (with risk assessment information) in your tenant log for you to review. To learn more, read View Attack Protection Log Events.

You can configure Bot Detection in the Auth0 Dashboard.

  1. Go to Dashboard > Security > Attack Protection and select Bot Detection.

  2. In the Detection section, enable the toggle.

    Detection section of the Attack protection screen

  3. In the Response section, choose your bot detection service.

    Dashboard - Attack Protection - Bot Detection

    When using Auth Challenge, the Fail open toggle is disabled by default.

  4. Select if or when you want to require CAPTCHA (for password and passwordless flows independently).

    Bot detection CAPTCHA flows image

    • Never: Never require your users to complete a CAPTCHA to log in.

    • When Risky: Only require your users to complete a CAPTCHA if the login matches your Bot Detection Level setting.

    • Always: Always require your users to complete a CAPTCHA to log in.

  5. If you choose When Risky or Always, the CAPTCHA Providers field will appear in the Response section. Select Simple CAPTCHA (provided by Auth0) or one of the supported third-party provider integrations (requires external setup and registration).

    • If you choose Simple CAPTCHA, you are done. If your login experience does not support JavaScript, you must select this option.

    • If you choose one of our third-party provider integrations, enter the provider’s configuration details. To learn more, read Configure third-party CAPTCHA provider integrations.

  6. If you choose When Risky, the Bot Detection Level field will appear in the Response section. Select the security level that best fits your use case. For more information, read Configure Bot Detection Level.

  7. Select Save.

Configure Bot Detection Level

Configure the Bot Detection Level setting to match your risk tolerance and business needs.

There are three settings to choose from:

  1. Low: Triggers CAPTCHA when there is a high chance of bot activity, providing a relatively frictionless experience for real users.

  2. Medium: Default. Triggers CAPTCHA when there is a moderate chance of bot activity, providing a balance of security and experience for real users.

  3. High: Triggers CAPTCHA when there is a small chance of bot activity, providing more security but potentially more friction for real users.


Allow trusted IP addresses to bypass Bot Detection

You can allow up to 100 discrete IP addresses and/or CIDR ranges (IPv4 or IPv6) to bypass Bot Detection by adding them to the IP AllowList field. Auth0 does not enforce blocking and does not send alerts for IP addresses or CIDR ranges on this list. Because allowlisted traffic is never challenged, keep the list to addresses you control (for example, automated test runners or a corporate egress range) and keep ranges as narrow as possible: a broad CIDR here is a permanent blind spot for bot detection.

  1. Go to Dashboard > Security > Attack Protection, and select Bot Detection.

  2. In the IP AllowList field, enter the IP addresses and/or CIDR ranges you want to bypass Bot Detection. Separate multiple addresses or ranges with commas.

Restrictions and limitations

Flow limitations

Bot Detection works for web and mobile applications that use Auth0 Universal Login. For applications that do not use Universal Login, support is limited, particularly for flows that cannot present a CAPTCHA or reCAPTCHA challenge to the user.

Ensure all of your login experiences are supported before you enable Bot Detection. If a flow that cannot render a challenge is asked to pass one, legitimate logins on that flow fail.

Flow and limitation:

  • New Universal Login: Supported by default.

  • Classic Universal Login (no customizations): Supported by default.

  • Classic Universal Login (Custom Login Page using Lock template): Supported if using lock.js SDK version 12.4.0 or higher.

  • Classic Universal Login (Custom Login Page using Custom Login Form template): Supported if using auth0.js SDK version 9.24 or higher, and you enhance your code to handle a CAPTCHA or reCAPTCHA challenge.

  • Regular Web or Native applications using Resource Owner Password Flow (including those using the lock.android and lock.swift SDKs): Not supported.

  • Native applications using the newest version of the SDKs: Supported. The SDKs handle a risky login by invoking the Universal Login flow.

  • Flows not hosted by Auth0 that use the lock.js or auth0.js SDK to perform cross-origin authentication (co/authenticate endpoint): Not supported.

Connection type limitations

Depending on the types of connections you use, Bot Detection has the following limitations.

Connection type and limitation:

  • Database: Supported if the login uses a compatible login flow as described in the Flow limitations table.

  • Custom database: Supported if the login uses a compatible login flow as described in the Flow limitations table.

  • Active Directory/LDAP: Supported if the login uses a compatible login flow as described in the Flow limitations table.

  • Enterprise: Not supported.

  • Social Login: Not supported.

  • Passwordless: Supported if the login uses a compatible login flow as described in the Flow limitations table.

Custom login page support

If you build a custom login page using auth0.js, you can enable Bot Detection to render a CAPTCHA step in scenarios when a login request is determined by Auth0 to be high-risk.

Your custom login form code must handle scenarios where the user is asked to pass a CAPTCHA step. To learn more, read Add Bot Detection to Custom Login Pages.

Native application support

If you build native applications using an Auth0 SDK for the login flow, you can enable Bot Detection to render a CAPTCHA step in scenarios when a login request is determined by Auth0 to be high-risk.

Your application's login code must handle scenarios where the user is asked to pass a CAPTCHA step. To learn more, read Add Bot Detection to Native Applications.
