Bot Detection and Synthetic Tests

Problem Statement

We use Datadog monitoring, browser synthetics, and some end-to-end test suites. These are all blocked because they can’t pass through CAPTCHA once set on the prod account. We have been hit by multiple security threats that could have been easily avoided if our synthetics and tests had been running effectively. We would like a way to have an IP allow list so that our bot synthetic testing program can run without being made subject to CAPTCHA challenges.

Solution

Our engineering team has a backlog task for this: “Support IP AllowList for Bot Detection”. Unfortunately, there is no ETA for it yet, and we don’t have a workaround to bypass the CAPTCHA challenge.

You may still be able to run the tests if the Bot Detection option is set to “When Risky”. The “When Risky” option only requires users to complete a CAPTCHA if the login appears to be high risk. Bot Detection Risk is associated with the quality of IP traffic. In general, Auth0 will improve an IP’s reputation if we see traffic that is not typical of bots. For example, having multiple successful login transactions for multiple different users from the same IP is a good sign of non-bot traffic. Conversely, if Auth0 sees many failed logins from the same IP, or even login attempts with breached password credentials, these would lower the IP’s reputation.