Auth0 Bot Detection: A security feature that reduces the effectiveness of a credential stuffing attack

Auth0 launched Bot Detection, a new security feature that reduces the effectiveness of a credential stuffing attack by as much as 85%, with minimal impact on user experience.

Bot Detection is a powerful addition to the company’s expanding security portfolio, and works in tandem with Auth0 Breached Password Detection, Brute Force Protection, and Multi-factor Authentication, to provide extensive mitigation against a variety of sophisticated threats, including automated attacks, account takeovers, phishing attacks, and more.

Credential stuffing attacks often rely on stolen account credentials (username and password) from a previous data breach, and are used to gain unauthorized access to user accounts on another website. This is executed via large-scale bot-driven attacks against the login flow and is an increasingly pervasive problem for enterprises.

Ongoing Auth0 customer analysis revealed the following:

  • Auth0 sees an average of 175,000 unique IP addresses that are deemed suspicious on a daily basis.
  • Threat actors can use as many as 65,000 IP addresses for a single attack.
  • During an attack, credential stuffing can account for as much as 65% of the traffic to Auth0’s authentication service.
  • During a credential stuffing attack, traffic for a particular website may surge as much as 180x the usual volume, with traffic related to the attack itself accounting for 90% of overall activity.

Bot Detection correlates numerous data sources to identify and mitigate bot-driven attacks before login, and relies on a collection of risk signals and assessors that identify indicators of suspicious activity.

This layered approach — also known as defense in depth — consists of multiple security capabilities, including Bot Detection, that effectively reduce the number of credential stuffing attempts and many other attacks.

At a high level, Bot Detection monitors IP addresses for non-suspicious events, such as successful logins; suspicious events, such as numerous failed login attempts across multiple accounts; and IP reputation data, which is used to identify known threat actors.

When suspicious traffic is detected, a CAPTCHA step is required to complete a login request — the system is designed to mitigate the majority of bot attacks targeting the login or registration flow. At launch, Auth0 will support customers using its Universal Login capabilities, with additional support for other experiences in the coming months.

Automated attacks are growing more sophisticated each day, and these large-scale bots are designed to respond to any and all controls to evade detection. Auth0 found that threat actors can, and do, change their attack strategies in as little as five minutes to bypass a security control.

More than 80% of companies state it is difficult to detect, fix, or remediate credential stuffing attacks, which result in an average of more than $6 million a year in costs per company and can cause a significant impact on IT resources, account takeovers, and brand reputation.

“We’ve seen an increase in the volume and sophistication of bot attacks over the last few years, and companies are investing more in their defenses,” said Matias Woloski, CTO and cofounder at Auth0.

“Being at the front door of applications with a service that secures more than 4.5 billion login transactions per month, we have a unique vantage point for quickly identifying and blocking suspicious activity before any damage is done. This is what makes Bot Detection very effective at preventing account takeover and reducing the load on DevOps and SecOps teams.”

Share this