Validate Captcha Enforcement due to Bot Detection with Risky Option Enabled

Knowledge Articles
, , ,
1

Overview

This article explains how to tell if Captcha was enforced during a login due to the Bot detection feature with the When Risky option enabled.

rtaImage (29).jpeg
rtaImage (29).jpeg2288×1526 158 KB

Solution

The following two logs can be used to understand if Captcha was displayed.

  1. When Captcha is forced, in the successful login logs with type s for users in Auth0 database connections, Auth0 generates a field named requiredCaptcha. The requiredCaptcha This field shows up only when the Captcha is forced. If it wasn’t forced, the attribute would be missing.

    Sample tenant log:

{
  "client_id": "redacted",
  "client_name": "redacted",
  "connection": "redacted",
  "connection_id": "redacted",
  "date": "2024-05-27T16:56:18.089Z",
  "details": {
    "actions": {
      "executions": [
        "redacted"
      ]
    },
    "completedAt": 1716828978083,
    "elapsedTime": 164722,
    "initiatedAt": 1716828813361,
    "prompts": [
      {
        "completedAt": 1716828977332,
        "connection": "redacted",
        "connection_id": "redacted",
        "elapsedTime": null,
        "identity": "redacted",
        "name": "redacted",
        "stats": {
          "loginsCount": 3
        },
        "strategy": "auth0"
      },
      {
        "completedAt": 1716828977350,
        "elapsedTime": 163980,
        "flow": "universal-login",
        "initiatedAt": 1716828813370,
        "name": "login",
        "requiredCaptcha": true,
        "timers": {
          "rules": 534
        },
        "user_id": "redacted",
        "user_name": "redacted"
      }
    ],
    "riskAssessment": {
      "assessments": {
        "ImpossibleTravel": {
          "code": "minimal_travel_from_last_login",
          "confidence": "high"
        },
        "NewDevice": {
          "code": "match",
          "confidence": "high",
          "details": {
            "device": "known",
            "useragent": "known"
          }
        },
        "PhoneNumber": {
          "code": "phone_number_not_provided",
          "confidence": "neutral"
        },
        "UntrustedIP": {
          "code": "not_found_on_deny_list",
          "confidence": "high"
        }
      },
      "confidence": "high",
      "version": "1"
    },
    "session_id": "redacted",
    "stats": {
      "loginsCount": 3
    }
  },
  "hostname": "redacted",
  "ip": "redacted",
  "strategy": "auth0",
  "strategy_type": "database",
  "type": "s",
  "user_agent": "Chrome 80.0.3987 / Windows 10.0.0",
  "user_id": "redacted",
  "user_name": "redacted",
  "log_id": "redacted",
  "tenant_name": "redacted",
  "_id": "redacted",
  "isMobile": true
}
  1. Another attribute is the requiresVerification available in the Pre-login risk assessment logs with the type pla.This attribute always exists in the pla Logs and shows whether the login transactions need a Captcha. The pla Logs are created every time a login page is rendered when the Risk Assessment option is turned on in the Bot detection feature.
    rtaImage (30)
    rtaImage (30)2822×1376 253 KB

    Sample tenant log
{
  "date": "2024-05-13T23:20:36.453Z",
  "type": "pla",
  "description": "Pre-login risk assessment",
  "connection_id": "",
  "client_id": "redacted",
  "client_name": "redacted",
  "ip": "redacted",
  "user_agent": "Chrome 80.0.3987 / Windows 10.0.0",
  "details": {
    "ipOnAllowlist": false,
    "requiresVerification": true,
    "session_id": "redacted"
  },
  "hostname": "redacted",
  "user_id": "",
  "user_name": "",
  "$event_schema": {
    "version": "1.0.0"
  },
  "log_id": "redacted",
  "tenant_name": "redacted",
  "_id": "redacted",
  "isMobile": false
}