Allow Bot Detection configuration at application level

Feature: Allow Bot Detection configuration on the application level, not just the tenant.

Description: The current settings for most (all?) Attack Protection are only available at the tenant level. In many cases, this makes sense. However, enabling Bot Detection and specifically the Captcha settings at the application level would

  • increase the ability for teams to coordinate rollout of that feature more quickly for web applications while allowing for the app store-related delays required for most mobile apps
  • allow different settings based on the product team’s assessment of risk per application, e.g. separated by sensitivity of data
  • allow mobile applications to disable captcha, as many users end up going through the same VPN-style IPs and are thus always considered a “Risky” login (see Google One and iCloud Private Relay)

Use-case: In our case, our mobile applications had a flaw that prevented them from working when captcha was triggered. This prevented our enabling Captcha for our web application, even though a quick test had shown the protection significantly decreased the volume of brute force attack attempts.

Hey there @mike.a, welcome to the community and appreciate the feedback 😄 Our product team monitors these for community engagement so let’s hope it gets some upvotes from other members!


+1 from me 🙂

Another feature that would help is if we could control the bot detection level on a per-application basis. Our app has a native login flow, but has to fall back to web auth if the user is deemed to be suspicious by Auth0. It’s not a great user experience, because it’s a bit confusing and the user has to enter their credentials twice, so it would be great if we could dial down the bot detection level just for the mobile app.