How to reduce Bot Detection Aggressive level?

shan · August 20, 2021, 6:17pm

Hi, enterprise user here

It seems that the bot detection is VERY aggressive, user gets blocked (& shown Captcha) after just 3 tries using wrong email.
Is there a way to tweak that number similar to that from Brute Force setting?

This is a huge problem on our React Native mobile app where we couldn’t implement the Captcha due to expo framework restrictions.
users basically gets stuck at login after just 3 failed tries & the error message being returned is just a 404 error & not comprehensive at all, how can we work around this without turning off Bot Detection?

dan.woda · August 20, 2021, 10:00pm

Hi @shan,

Welcome to the Auth0 Community!

There isn’t a setting for bot detection like the one that exists for brute-force. This doc lays out all of the options.

You can create a Feature Request for this if you’d like. I will pass this along to the team who works on the feature.

Thanks,
Dan

shan · August 23, 2021, 1:58pm

Hi Dan, thanks for the reply!

I’ve got a few more questions regarding the error messages coming from blocked requests.

what error code/message is returned if user is blocked by bot-detection?
how long will the user/device locked for if no more login attempts were made?
how to unlock the account without the CAPTCHA?

dan.woda · August 23, 2021, 9:04pm

Hi @shan,

It looks like they would receive one of the following errors depending on the scenario:


too_many_attempts	The account is blocked due to too many attempts to sign in
unauthorized	The user you are attempting to sign in with is blocked

I am seeing this in the UI

Screen Shot 2021-08-23 at 2.01.45 PM

You will need to unblock the user if they are blocked.

I’m not sure what you mean by this. Can you elaborate?

shan · August 23, 2021, 9:34pm

Thank you for the prompt reply Dan!

So the error you are describing is from Brute Force attack = user fails to provide correct password using same account, our problem is for Bot Detection = user (or bot) tries to login using different accounts. They don’t return the same errors.

If user is blocked due to bot detection, we can’t unblock from the User Management page, we can’t unblock via white-listing their IP. The ONLY ways is to either disable bot-detection all together OR if the user solves a CAPTCHA.

However, as I mentioned previously, we can’t implement CAPTCHA due to technical limitations with our mobile app being managed by Expo

Qs:

Is there any other way to unblock a user that’s blocked by Bot Detection AI?
Can a user be permanently blocked by bot-detection if he/she tries too many times (e.g. during testing or development)?

dan.woda · August 26, 2021, 8:52pm

Hi Shan,

The user needs to complete the captcha to resume authentication.

It sounds like, due to your application’s strict requirements, bot detection isn’t going to work for your application.

system · October 13, 2021, 6:41pm

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.