Captcha - Pre-login risk assessment

Problem statement

I have enabled the Bot detection logs in our tenant, and we are using reCaptcha Enterprise and enabled the checkbox challenge in our GCP.

I see the logs below, and I cannot interpret or correlate them with how the Google score works. This is asked by the product to understand when the user only sees the checkbox or when the risk becomes high enough to show the captcha tiles. How does Auth0 determine this and send the assessment to Google?

{
  "date": "2023-05-12T12:03:13.993Z",
  "type": "pla",
  "description": "Pre-login risk assessment",
  "connection_id": "",
  "client_id": "redacted",
  "client_name": "acmeapp",
  "ip": "redacted",
  "user_agent": "Chrome 113.0.0 / Mac OS X 10.15.7",
  "details": {
    "ipOnAllowlist": false,
    "requiresVerification": false,
    "session_id": "7W..redacted"
  },
  "hostname": "redacted",
  "user_id": "",
  "user_name": "",
  "log_id": "90020230512120314533532000000000000001223372043103668373",
  "_id": "90020230512120314533532000000000000001223372043103668373",
  "isMobile": false,
  "id": "90020230512120314533532000000000000001223372043103668373"
}

Solution

Google reCAPTCHA has a two-stage risk assessment. Auth0's bot detection decides whether to show reCAPTCHA at all; once it is rendered, reCAPTCHA itself assesses how difficult a challenge to present. For that second stage, Auth0 has no control over when Google shows the checkbox or the captcha tiles.
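The following is an added example (not Auth0's own code or documentation) showing how to measure the stage Auth0 does control: it reads constructed tenant log entries shaped like the "pla" entry above and, per client, counts how often details.requiresVerification was true, on the assumption that this flag records the bot-detection verdict to render reCAPTCHA.

```python
import json
from collections import Counter

# Constructed sample of Auth0 tenant log entries (not real tenant data).
# Only the fields used below are kept; the shape follows the "pla" entry above.
SAMPLE_LOGS = json.dumps([
    {"type": "pla", "client_name": "acmeapp", "ip": "203.0.113.10",
     "details": {"ipOnAllowlist": False, "requiresVerification": False}},
    {"type": "pla", "client_name": "acmeapp", "ip": "203.0.113.10",
     "details": {"ipOnAllowlist": False, "requiresVerification": True}},
    {"type": "pla", "client_name": "acmeapp", "ip": "198.51.100.7",
     "details": {"ipOnAllowlist": True, "requiresVerification": False}},
    # A successful-login entry; it carries no bot-detection verdict.
    {"type": "s", "client_name": "acmeapp", "ip": "203.0.113.10",
     "details": {}},
])


def summarize_pla(raw_json):
    """Per client: number of pre-login risk assessments, how many came from
    an allowlisted IP, and how many required verification (i.e. how often
    Auth0's bot detection decided to render reCAPTCHA at all).
    Assumption: details.requiresVerification is that first-stage verdict;
    Google's later choice of checkbox vs. tiles is not in these logs."""
    counts = {}
    for entry in json.loads(raw_json):
        if entry.get("type") != "pla":
            continue  # only "pla" entries carry the assessment
        details = entry.get("details", {})
        stats = counts.setdefault(entry.get("client_name", ""), Counter())
        stats["assessments"] += 1
        if details.get("ipOnAllowlist"):
            stats["allowlisted"] += 1
        if details.get("requiresVerification"):
            stats["captcha_rendered"] += 1
    return counts


def captcha_rate(counts, client):
    """Fraction of a client's assessments that led to reCAPTCHA being shown."""
    stats = counts.get(client, Counter())
    total = stats["assessments"]
    return stats["captcha_rendered"] / total if total else 0.0


if __name__ == "__main__":
    summary = summarize_pla(SAMPLE_LOGS)
    for client, stats in summary.items():
        print(client, dict(stats), f"rate={captcha_rate(summary, client):.2f}")
```

Point the script at a Log Stream export or the Management API log search output filtered to type "pla" to run it on real tenant data.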