Learn about anomaly detection and how you can shield your app from suspicious login activity.
Anomaly detection is the identification of items in a dataset that do not resemble the majority of the data, also known as outliers. It’s important to be mindful of anomalies in web security because they alert us to potentially malicious activity. In order to avoid jeopardizing an application and its users, action should be taken when anomalies are detected in login behavior.
Have you ever received an email asking “was this you?” after logging into a website on a new computer or mobile phone? This is the result of anomaly detection. The site detects a device you’ve never logged in from before and requests verification from you to ensure that someone else isn’t using your credentials maliciously.
There are a number of different login behaviors that could be considered suspicious. Some are higher risk than others. For example, a user logging in at an unusual time of day is a low-risk anomaly. A more threatening anomaly would be dozens of failed login attempts in a very short time. This is called a brute force attack: the attacker systematically attempts different passwords to gain access to an account, often using automated software.
Other potentially suspicious behaviors include logging in from an unrecognized device, accessing from an unusual location, using the Tor network, and various other login activities that emerge as outliers from normal usage.
Applications can also be jeopardized by third-party security breaches such as mass password leaks. Breached password detection notifies users when their credentials are leaked in a third-party data breach. Users should always reset their passwords if their credentials may be compromised.
Auth0 provides easy-to-use anomaly detection shields. Preconfigured shields can be enabled to notify the application owner or affected user when specific anomalies are detected. The shields can then automatically block suspicious activity or compromised logins.
Shields are configurations of actions that should be performed when particular anomalies (triggers) are detected. Auth0 offers three shields: Brute Force Protection, 2nd Level Brute Force Protection, and Breached Password Detection.
For example, the Brute Force Protection shield is triggered by ten failed login attempts into a single account from the same IP address. The actions that are taken in response to this trigger are:
You can learn more about the shields in the Anomaly Detection documentation. Each shield can be enabled or disabled through a one-click process in your Auth0 Dashboard.
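As an added example (not Auth0's implementation and not code from this article), the following Python detector applies the Brute Force Protection trigger described above, ten failed logins into one account from the same IP address, to constructed log lines. The five-minute window, the reset on a successful login, and the log format are assumptions made for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 10                 # from the article: ten failed attempts per account and IP
WINDOW = timedelta(minutes=5)  # assumption: the article does not state a time window


def detect_brute_force(lines, threshold=THRESHOLD, window=WINDOW):
    """Return (user, ip, timestamp) each time an account/IP pair hits the threshold."""
    failures = defaultdict(deque)  # (user, ip) -> timestamps of recent failures
    alerts = []
    for line in lines:
        stamp, user, ip, result = line.split()
        ts = datetime.fromisoformat(stamp)
        key = (user, ip)
        if result == "success":
            failures.pop(key, None)  # assumption: a good login resets the counter
            continue
        recent = failures[key]
        recent.append(ts)
        while ts - recent[0] > window:
            recent.popleft()         # forget failures older than the window
        if len(recent) >= threshold:
            alerts.append((user, ip, ts))
            recent.clear()           # start counting again after raising the alert
    return alerts


def sample_log():
    """Constructed events: 'timestamp user ip result', documentation-range IPs."""
    base = datetime(2024, 1, 1, 3, 0, 0)

    def row(offset, user, ip, result="failure"):
        return f"{(base + timedelta(seconds=offset)).isoformat()} {user} {ip} {result}"

    log = [row(6 * i, "alice", "203.0.113.7") for i in range(10)]          # triggers
    log += [row(6 * i, "bob", f"198.51.100.{i + 1}") for i in range(10)]   # ten IPs
    log += [row(6 * i, "carol", "192.0.2.44") for i in range(9)]           # nine misses
    log += [row(60, "carol", "192.0.2.44", "success")]                     # then a reset
    log += [row(70 + i, "carol", "192.0.2.44") for i in range(2)]
    log += [row(3600 * i, "dave", "192.0.2.99") for i in range(10)]        # too slow
    return log


if __name__ == "__main__":
    for user, ip, ts in detect_brute_force(sample_log()):
        print(f"ALERT {ts.isoformat()} user={user} ip={ip}: {THRESHOLD} failed logins")
```

In the sample data only alice's account is flagged: bob's ten failures are spread across ten addresses, so a rule keyed on account and IP never sees more than one failure per pair.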
Detecting unusual or alarming login behavior is vital when protecting your users. If you want to try the benefits of easy, customizable anomaly detection, sign up for Auth0’s free, production-ready plan to get started.