Bot Detection
Before you start
To use one of the supported third-party CAPTCHA provider integrations, you need the provider’s configuration details. To learn more, read Configure third-party CAPTCHA provider integrations.
Bot Detection mitigates scripted attacks by detecting when a request is likely coming from a bot. These types of attacks are sometimes called credential stuffing attacks or list validation attacks. Bot Detection provides support against certain attacks and adds very little friction to legitimate users. Auth Challenge is our default bot detection response, which provides a CAPTCHA-free user verification.
To learn more, read Credential Stuffing Attacks: What Are They and How to Combat Them.
Auth0 uses a large amount of data and statistical models to identify patterns that signal when bursts of login, signup, or password reset traffic are likely from a bot or script. Users who attempt to log in, create accounts, or reset passwords from IP addresses that have a high likelihood of being part of a credential stuffing attack are required to complete an additional verification step. The triggers detect traffic relating to these attacks without adding unnecessary friction to legitimate users.
Configure Bot Detection
Auth0 enables Bot Detection by default for all connections.
If you do not configure Response settings with Bot Detection enabled, Bot Detection operates in Monitoring mode. Monitoring mode records related events (with risk assessment information) in your tenant log for you to review. To learn more, read View Attack Protection Log Events.
You can enable tenant logs for Risk Assessment in the Auth0 Dashboard.
Go to Dashboard > Security > Attack Protection and select Bot Detection.
In the Detection section, enable the toggle.
In the Response section, choose a bot detection response.
When using Auth Challenge, the Fail open toggle is disabled by default.
Select when you want to require CAPTCHA for password flows, passwordless flows, and password reset flows.
Never: Never require your users to complete a CAPTCHA to log in.
When Risky: Only require your users to complete a CAPTCHA if the login matches your Bot Detection Level setting.
Always: Always require your users to complete a CAPTCHA to log in.
If you choose When Risky or Always, the CAPTCHA Providers field will appear in the Response section. Select Auth Challenge (provided by Auth0), Simple CAPTCHA (provided by Auth0), or one of the supported third-party provider integrations (requires external setup and registration).
If you choose Auth Challenge or Simple CAPTCHA, you are done. If your login experience does not support JavaScript, you must select Simple CAPTCHA.
If you choose one of our third-party provider integrations, enter the provider’s configuration details. To learn more, read Configure third-party CAPTCHA provider integrations.
If you choose When Risky, the Bot Detection Level field will appear in the Response section. Select the security level that best fits your use case. For more information, read Configure Bot Detection Level.
Select Save.
Configure Bot Detection Level
Configure the Bot Detection Level setting to match your risk tolerance and business needs.
There are three settings to choose from:
Low: Triggers CAPTCHA when there is a high chance of bot activity, providing a relatively frictionless experience for real users.
Medium: Default. Triggers CAPTCHA when there is a moderate chance of bot activity, providing a balance of security and experience for real users.
High: Triggers CAPTCHA when there is a small chance of bot activity, providing more security but potentially more friction for real users.
Allow trusted IP addresses to bypass Bot Detection
You can allow up to 100 discrete IP addresses and/or CIDR ranges (IPv4 or IPv6) to bypass Bot Detection by adding them to the IP AllowList field. Auth0 does not enforce blocking and does not send alerts for IP addresses or CIDR ranges on this list.
Go to Dashboard > Security > Attack Protection, and select Bot Detection.
In the IP AllowList field, enter the IP addresses and/or CIDR ranges you want to bypass Bot Detection. Separate multiple addresses or ranges with commas.
Configure signup detection model for Custom Login Page and Classic Login Experience
Auth0 provides a signup detection machine-learning model, distinct from the login model, that addresses different attack types by analyzing unique signals.
This model allows CAPTCHA to behave differently between signup and login flows to provide stronger protection against signup attacks and align with the latest security advancements.
You can configure the detection model that Bot Detection uses for signup flows when using a Custom Login Page or the Classic Login Experience in the Auth0 Dashboard.
Go to Dashboard > Security > Attack Protection, and select Bot Detection.
Locate the Detection Models section.
Enable the toggle for Signup detection models for custom and classic login pages.
Restrictions and limitations
Flow limitations
Bot Detection works for web and mobile applications that use Auth0 Universal Login. For applications that do not use Universal Login, levels of support are limited, in particular for flows that cannot support a CAPTCHA or reCAPTCHA challenge.
Ensure all of your login experiences are supported before you enable Bot Detection, or you may introduce errors into your application.
Flow | Limitation |
---|---|
Universal Login | Supported by default. |
Classic Login (no customizations) | Supported by default. |
Classic Login (Custom Login Page using Lock template) | Supported if using lock.js SDK version 12.4.0 or higher. |
Classic Login (Custom Login Page using Custom Login Form template) | Supported if using auth0.js SDK version 9.24 or higher, and you enhance your code to handle a CAPTCHA or reCAPTCHA challenge. |
Native applications | Supported if using one of the following SDKs:
|
Regular Web or Native applications using Resource Owner Password Flow | Supported in a limited capacity. Bot Detection Response such as CAPTCHA requires an interactive flow and therefore is not supported. If the requires_verification error is returned by the SDK, you must trigger a web-based login flow for the user to complete authentication. |
Flows not hosted by Auth0 using lock.js or auth0.js SDK which perform cross-origin authentication (co/authenticate endpoint) |
Not supported. |
Connection type limitations
Depending on the types of connections you use, Bot Detection has the following limitations.
Connection Type | Limitation |
---|---|
Database | Supported if the login uses a compatible login flow as described in the Flow limitations table. |
Custom database | Supported if the login uses a compatible login flow as described in the Flow limitations table. |
Active Directory/LDAP | Supported if the login uses a compatible login flow as described in the Flow limitations table. |
Enterprise | Not supported. |
Social Login | Not supported. |
Passwordless | Supported if the login uses a compatible login flow as described in the Flow limitations table. |
Custom login page support
If you build a custom login page using Auth0.js, you can enable Bot Detection to render a CAPTCHA step in scenarios when a login request is determined by Auth0 to be high-risk.
Your custom login form code must handle scenarios where the user is asked to pass a CAPTCHA step. To learn more, read Add Bot Detection to Custom Login Pages.
Native application support
If you build native applications using an Auth0 SDK for the login flow, you can enable Bot Detection to render a CAPTCHA step in scenarios when a login request is determined by Auth0 to be high-risk.
Your custom login form code must handle scenarios where the user is asked to pass a CAPTCHA step. To learn more, read Add Bot Detection to Native Applications.