
Protect Your Users with Anomaly Detection

Learn about anomaly detection and how you can shield your app from suspicious login activity.


What is Anomaly Detection?

Anomaly detection is the identification of items in a dataset that do not resemble the majority of the data, also known as outliers. It’s important to be mindful of anomalies in web security because they alert us to potentially malicious activity. In order to avoid jeopardizing an application and its users, action should be taken when anomalies are detected in login behavior.

Have you ever received an email asking “was this you?” after logging into a website on a new computer or mobile phone? This is the result of anomaly detection. The site detects a device you’ve never logged in from before and requests verification from you to ensure that someone else isn’t using your credentials maliciously.

Identifying Suspicious Activity

There are a number of different login behaviors that could be considered suspicious. Some are higher risk than others. For example, a user logging in at an unusual time of day is a low-risk anomaly. A more threatening anomaly would be dozens of failed login attempts in a very short time. This is called a brute force attack: the attacker systematically attempts different passwords to gain access to an account, often using automated software.

Other potentially suspicious behaviors include logging in from an unrecognized device, accessing from an unusual location, using the Tor network, and various other login activities that emerge as outliers from normal usage.

Applications can also be jeopardized by third-party security breaches such as mass password leaks. Breached password detection notifies users when their credentials are leaked in a third-party data breach. Users should always reset their passwords if their credentials may be compromised.

Implementing Anomaly Detection with Auth0

Auth0 provides easy-to-use anomaly detection shields. Preconfigured shields can be enabled to notify the application owner or affected user when specific anomalies are detected. The shields can then automatically block suspicious activity or compromised logins.

Auth0 also supports writing custom rules that allow actions to be taken when a user logs into your application. This is a powerful feature that supports additional anomaly detection handling. Rules can integrate with ThisData to assess security risk when anomalies are identified.

Anomaly Detection with Shields

Shields are configurations of actions that should be performed when particular anomalies (triggers) are detected. Auth0 offers three shields: Brute Force Protection, 2nd Level Brute Force Protection, and Breached Password Detection.

For example, the Brute Force Protection shield is triggered by ten failed login attempts into a single account from the same IP address. The actions that are taken in response to this trigger are:

  • Send an email to the affected user
  • Block the suspicious IP address

You can learn more about the shields in the Anomaly Detection documentation. Each shield can be enabled or disabled through a one-click process in your Auth0 Dashboard.
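
The Brute Force Protection trigger described above can be sketched as detection logic. This is an added example, not Auth0's implementation: the class and function names, the counter reset on a successful login, and the per-account scope of the IP block are assumptions, and the sample events are constructed.

```javascript
// Added illustration of the shield's trigger; not Auth0's implementation.
const FAILURE_THRESHOLD = 10; // from the page: ten failures, same account and IP

class BruteForceShield {
  constructor(threshold = FAILURE_THRESHOLD) {
    this.threshold = threshold;
    this.failures = new Map(); // account+IP key -> failed attempts so far
    this.blocked = new Set();  // account+IP keys that are blocked
  }

  // Process one login event; return the actions taken in response.
  handle({ account, ip, success }) {
    // JSON-encode the pair so separator characters cannot merge two keys.
    const key = JSON.stringify([account, ip]);
    // Assumption: a blocked IP is refused even with the correct password.
    if (this.blocked.has(key)) return ['reject_blocked_ip'];
    if (success) {
      this.failures.delete(key); // Assumption: success resets the counter.
      return [];
    }
    const count = (this.failures.get(key) || 0) + 1;
    this.failures.set(key, count);
    if (count < this.threshold) return [];
    this.blocked.add(key);
    this.failures.delete(key);
    return ['email_user', 'block_ip']; // the two actions listed on the page
  }
}

// Feed a stream of events through one shield and collect the actions per event.
function replay(events, shield = new BruteForceShield()) {
  return events.map((e) => shield.handle(e));
}

// Constructed sample events (documentation-range IPs, made-up accounts).
function sampleEvents() {
  const fail = (account, ip) => ({ account, ip, success: false });
  const events = [];
  for (let i = 0; i < 9; i++) events.push(fail('alice', '203.0.113.7'));
  events.push(fail('alice', '198.51.100.4')); // other IP: separate counter
  events.push(fail('bob', '203.0.113.7'));    // other account: separate counter
  events.push(fail('alice', '203.0.113.7'));  // tenth failure: shield triggers
  events.push({ account: 'alice', ip: '203.0.113.7', success: true });  // blocked
  events.push({ account: 'alice', ip: '198.51.100.4', success: true }); // allowed
  return events;
}

console.log(replay(sampleEvents()).map((a, i) => `${i}: ${a.join(',') || 'none'}`));
```

Counting per account and IP pair means failures against other accounts or from other addresses do not contribute to the trigger, and the legitimate user can still log in from a different address.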

Anomaly Detection with Rules and ThisData

Rules are custom pieces of code that run whenever a user logs into your application. They are executed when a visitor authenticates but before the user is sent back into your application. Rules can enable a lot of additional functionality in your app, including customized anomaly detection.

ThisData is a third-party service that integrates with Auth0 authentication via rules and returns a risk score with each login based on anomaly detection. You can write a rule that will assess the risk score and if it’s above a certain threshold, block the login attempt, send “Was This You?” emails, and more.

In order to take advantage of this, you will need to sign up for free with ThisData and acquire an API key. Once you have your key, you can create a new rule in your Auth0 dashboard. In the Access Control section, choose the template for Login Anomaly Detection via ThisData.

The rule template looks like this:

function (user, context, callback) {
  // Get this from your ThisData account
  var apiKey = configuration.THISDATA_API_KEY;

  // 0.85 will generally block irregular Tor usage
  // or sudden changes in location and device
  var riskLimit = 0.85;

  var options = {
    method: 'POST',
    headers: {
      'User-Agent': 'thisdata-auth0'
    },
    // ThisData endpoint URL (not shown here) followed by the API key
    uri: '' + apiKey,
    json: {
      ip: context.request.ip,
      user_agent: context.request.userAgent,
      user: {
        id: user.user_id
      }
    }
  };

  // `request` is the HTTP client available inside Auth0 rules
  request(options, function(e, r, b){
    if(e || r.statusCode !== 200){
      // If anything fails don't block the login
      callback(null, user, context);
    } else {
      // If the risk is high then block the login
      if(b.score >= riskLimit){
        return callback(new UnauthorizedError('Login anomaly detected by ThisData. Risk: ' + b.score));
      }
      callback(null, user, context);
    }
  });
}

Replace THISDATA_API_KEY with your own key and adjust the riskLimit variable to your preferred threshold. It is 0.85 by default. The rule takes the user’s login data (IP address, user agent and user ID) and sends it to ThisData’s API. ThisData then analyzes the login and returns a risk score. The rule compares the score to the risk limit and, if the login is high risk, the user will not be authorized to access your application. If the request to ThisData fails or returns a non-200 status, the rule lets the login proceed rather than blocking it. You can customize anomaly detection rules to perform other actions as well, such as emailing the compromised user a “Was This You?” notification.

Protect Your Users with Auth0

Detecting unusual or alarming login behavior is vital when protecting your users. If you want to try the benefits of easy, customizable anomaly detection, sign up for Auth0’s free, production-ready plan to get started.