Avoid spam on account signups

Hi,

Are there any practices that I can put in place in order to avoid spam account signups on my app?
What I can imagine:

  • block IP address if signup attempts are > X
  • block certain email domain
  • add captcha
  • ?

Thank you for your help

Regarding the first two points: the right place to put your logic would usually be a Pre-User Registration Hook. However, it should be noted that at the moment the hooks only return a generic error message (“An error occured.”) upon failure (which your logic would trigger), thus it’s not possible to return a customized error message (at least not if using the standard Universal Login Page).
So you might need to use a custom UI with additional frontend validation as well.

Captcha is not supported (and not recommended) by Auth0 out of the box. See:

and this blog article (“Avoid CAPTCHAs”):

Hi @mathiasconradt
Thank you for your answer

OK, so with the Pre-User Registration Hook, I would have to implement the logic/rules that I want.
A default error message is fine for the moment.

Yes, that is right, you would add your logic in the hook, example:

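module.exports = function (user, context, cb) {
  var response = {};

  // Reject the signup for this address; passing an error to cb aborts registration
  if (user.email === "santa@claus.co") {
    cb('Invalid Signup.', response);
  } else {
    // Otherwise pass the user through unchanged so registration continues
    response.user = user;
    cb(null, response);
  }
};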
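
An added example, not part of the original post and not Auth0's own code: the hook above extended to cover the first two ideas from the question, with a blocked-domain check that also catches case variants and subdomains, and a per-IP attempt limit. The domain list, the limits and the in-memory counter are constructed assumptions, as is reading the client address from `context.request.ip`.

```javascript
// Added example. Blocklist entries and limits are constructed, not Auth0 defaults.
const BLOCKED_DOMAINS = new Set(['spam.example', 'throwaway.example']);
const MAX_ATTEMPTS_PER_IP = 3;       // the "X" from the question
const WINDOW_MS = 60 * 60 * 1000;    // count attempts over one hour
// Assumption: in-memory state for illustration; a deployed hook needs a shared store.
const attemptsByIp = new Map();

// Lower-cased domain of an address, or null if there is no usable domain part.
function emailDomain(email) {
  if (typeof email !== 'string') return null;
  const at = email.lastIndexOf('@');
  if (at < 1 || at === email.length - 1) return null;
  return email.slice(at + 1).trim().toLowerCase().replace(/\.$/, '');
}

// True for a blocked domain or any subdomain of one (mail.spam.example).
function isBlockedDomain(domain) {
  const labels = domain.split('.');
  for (let i = 0; i < labels.length - 1; i++) {
    if (BLOCKED_DOMAINS.has(labels.slice(i).join('.'))) return true;
  }
  return false;
}

// Sliding window: record this attempt, report whether the IP is now over the limit.
function overIpLimit(ip, now) {
  const recent = (attemptsByIp.get(ip) || []).filter((t) => now - t < WINDOW_MS);
  recent.push(now);
  attemptsByIp.set(ip, recent);
  return recent.length > MAX_ATTEMPTS_PER_IP;
}

// Same (user, context, cb) shape as the hook in the post; `now` is injectable for tests.
function preUserRegistration(user, context, cb, now = Date.now()) {
  const response = {};
  const domain = emailDomain(user && user.email);
  // Assumption: the client address is available as context.request.ip.
  const ip = context && context.request && context.request.ip;
  const limited = ip ? overIpLimit(ip, now) : false; // count every attempt
  if (!domain || isBlockedDomain(domain) || limited) {
    return cb('Invalid Signup.', response);
  }
  response.user = user;
  return cb(null, response);
}

if (typeof module !== 'undefined') module.exports = preUserRegistration;
```
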

however it should be noted that at the moment, the hooks only return a generic error message (“An error occured.”) upon failure (which your logic would trigger), thus it’s not possible to return a customized error message (at least not if using the standard Universal Login Page).

Update on this: customizing the hook error messages is now possible, see https://auth0.com/docs/hooks/extensibility-points/pre-user-registration#sample-script-customize-the-error-message-and-language-for-user-messages


I tried Google reCAPTCHA but it doesn’t work, is there any advice? Thanks
@mathiasconradt thanks,

What exactly doesn’t work? How did you implement it, and any particular error message you’re getting?

By the way: since this original post is already >1,5 years old, note that ReCaptcha support is now available out of the box in Auth0, see https://auth0.com/docs/attack-protection/bot-detection
