The Problem
Attacks on an identity infrastructure using stolen credentials are a difficult problem to solve. Credential stuffing attacks occur when a bad actor sends scripted, automated login attempts to an application or website in extremely high volumes, with the objective of gaining access to user accounts. This is an increasingly common problem: on any given day, up to 69% of login attempts on the Auth0 infrastructure are suspected to have originated from credential stuffing attacks.
This type of attack can be quite sophisticated. Sometimes they come in the form of hundreds of thousands of login requests to a site in a short time window, at a very high velocity, and from a relatively small number of IP addresses from unusual locations. They can also come in the form of scripts that send traffic using tactics to dynamically evolve their velocity, location, and number of IP addresses to avoid detection.
Generally, solving this problem involves a tradeoff between usability and security, in which user experience pays the price. Measures like multi-factor authentication (MFA) are effective in limiting the success rates for a script involved in a credential stuffing attack, but they also add friction for legitimate users.
To tip the scale in favor of user experience, malicious bots and scripts need to be detected and rejected before a login call is even processed by the authentication server. Doing so enables you to limit the impact of credential stuffing attacks while delivering a better experience for the end user.
Bot Detection from Auth0
Auth0 is launching Bot Detection, the first in a series of features to detect credential stuffing attacks on the login flow. Once enabled, this feature will use a variety of signals to assess the likelihood that a login call originates from a scripted attack. If the risk assessment is high, a CAPTCHA step is inserted into the login flow.
Bot Detection will be supported at launch with Auth0’s Universal Login experience. For customers who have built more customized user experiences using native SDKs such as
lock.js
and mobile SDKs such as a lock.Android
and lock.swift
, Auth0 will support an exception scenario so that customers can recognize a risky call and take steps to render a CAPTCHA step on the screen. The feature will also support presenting CAPTCHA using a generic flow or a customer’s own Google reCAPTCHA.Mitigating Abuse with Auth0
Bot Detection will be the latest addition to Auth0’s collection of features designed to prevent abuse, including Breached Password Detection, Brute Force Protection, and MFA. These features help customers mitigate the tradeoffs between security and usability without unnecessary compromises to user experience.
Learn More
- Credential Stuffing Attacks: What They Are and How to Combat Them
- The Anatomy of a Credential Stuffing Attack
Auth0 is the first identity management platform for application builders, and the only identity solution needed for custom-built applications. With a mission to secure the world’s identities so innovators can innovate, Auth0 provides the simplicity, extensibility, and expertise to scale and protect identities in any application, for any audience. Auth0 secures more than 100 million logins each day, giving enterprises the confidence to deliver trusted and elegant digital experiences to their customers around the world.
About Auth0
Auth0 by Okta takes a modern approach to customer identity and enables organizations to provide secure access to any application, for any user. Auth0 is a highly customizable platform that is as simple as development teams want, and as flexible as they need. Safeguarding billions of login transactions each month, Auth0 delivers convenience, privacy, and security so customers can focus on innovation. For more information, visit https://auth0.com.
About the author
Antonio Fuentes
Product Manager, Continuous Auth