Overview
This article explains how to tell whether a Captcha was enforced during a login by the Bot detection feature when the When Risky option is enabled.
Solution
The following two logs can be used to understand if Captcha was displayed.
- When Captcha is forced, Auth0 generates a field named requiredCaptcha in the successful login logs with type s for users in Auth0 database connections. This field shows up only when the Captcha is forced. If it wasn't forced, the attribute would be missing.
Sample tenant log:
{
  "client_id": "redacted",
  "client_name": "redacted",
  "connection": "redacted",
  "connection_id": "redacted",
  "date": "2024-05-27T16:56:18.089Z",
  "details": {
    "actions": {
      "executions": [
        "redacted"
      ]
    },
    "completedAt": 1716828978083,
    "elapsedTime": 164722,
    "initiatedAt": 1716828813361,
    "prompts": [
      {
        "completedAt": 1716828977332,
        "connection": "redacted",
        "connection_id": "redacted",
        "elapsedTime": null,
        "identity": "redacted",
        "name": "redacted",
        "stats": {
          "loginsCount": 3
        },
        "strategy": "auth0"
      },
      {
        "completedAt": 1716828977350,
        "elapsedTime": 163980,
        "flow": "universal-login",
        "initiatedAt": 1716828813370,
        "name": "login",
        "requiredCaptcha": true,
        "timers": {
          "rules": 534
        },
        "user_id": "redacted",
        "user_name": "redacted"
      }
    ],
    "riskAssessment": {
      "assessments": {
        "ImpossibleTravel": {
          "code": "minimal_travel_from_last_login",
          "confidence": "high"
        },
        "NewDevice": {
          "code": "match",
          "confidence": "high",
          "details": {
            "device": "known",
            "useragent": "known"
          }
        },
        "PhoneNumber": {
          "code": "phone_number_not_provided",
          "confidence": "neutral"
        },
        "UntrustedIP": {
          "code": "not_found_on_deny_list",
          "confidence": "high"
        }
      },
      "confidence": "high",
      "version": "1"
    },
    "session_id": "redacted",
    "stats": {
      "loginsCount": 3
    }
  },
  "hostname": "redacted",
  "ip": "redacted",
  "strategy": "auth0",
  "strategy_type": "database",
  "type": "s",
  "user_agent": "Chrome 80.0.3987 / Windows 10.0.0",
  "user_id": "redacted",
  "user_name": "redacted",
  "log_id": "redacted",
  "tenant_name": "redacted",
  "_id": "redacted",
  "isMobile": true
}
- Another attribute is requiresVerification, available in the Pre-login risk assessment logs with the type pla. This attribute always exists in the pla logs and shows whether the login transaction needs a Captcha. The pla logs are created every time a login page is rendered when the Risk Assessment option is turned on in the Bot detection feature.
Sample tenant log:
{
  "date": "2024-05-13T23:20:36.453Z",
  "type": "pla",
  "description": "Pre-login risk assessment",
  "connection_id": "",
  "client_id": "redacted",
  "client_name": "redacted",
  "ip": "redacted",
  "user_agent": "Chrome 80.0.3987 / Windows 10.0.0",
  "details": {
    "ipOnAllowlist": false,
    "requiresVerification": true,
    "session_id": "redacted"
  },
  "hostname": "redacted",
  "user_id": "",
  "user_name": "",
  "$event_schema": {
    "version": "1.0.0"
  },
  "log_id": "redacted",
  "tenant_name": "redacted",
  "_id": "redacted",
  "isMobile": false
}
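Both checks described above, combined into one script. This is an added example, not Auth0's own code. It assumes the tenant logs were exported as newline-delimited JSON; the function names and the sample events are constructed for illustration.

```python
import json

# Constructed sample events, trimmed from the two log shapes shown above
# (a newline-delimited JSON export is an assumption of this example).
SAMPLE_LOGS = """
{"type": "s", "date": "2024-05-27T16:56:18.089Z", "details": {"prompts": [{"strategy": "auth0"}, {"name": "login", "requiredCaptcha": true}]}}
{"type": "s", "date": "2024-05-27T17:02:41.000Z", "details": {"prompts": [{"strategy": "auth0"}, {"name": "login"}]}}
{"type": "pla", "date": "2024-05-13T23:20:36.453Z", "details": {"ipOnAllowlist": false, "requiresVerification": true}}
{"type": "pla", "date": "2024-05-13T23:25:10.000Z", "details": {"ipOnAllowlist": true, "requiresVerification": false}}
{"type": "other", "date": "2024-05-13T23:26:00.000Z", "details": {}}
not-json
"""


def captcha_status(event):
    """True/False for 's' and 'pla' events; None when the event says nothing."""
    details = event.get("details") if isinstance(event, dict) else None
    if not isinstance(details, dict):
        return None
    if event.get("type") == "s":
        # requiredCaptcha exists on a prompt only when forced; missing means not forced.
        prompts = details.get("prompts") or []
        return any(isinstance(p, dict) and p.get("requiredCaptcha") is True
                   for p in prompts)
    if event.get("type") == "pla":
        value = details.get("requiresVerification")
        return value if isinstance(value, bool) else None
    return None


def summarize(text):
    """Tally Captcha outcomes per log type; unusable lines count as skipped."""
    counts = {"s": {True: 0, False: 0}, "pla": {True: 0, False: 0}, "skipped": 0}
    for line in filter(str.strip, text.splitlines()):
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            counts["skipped"] += 1
            continue
        status = captcha_status(event)
        if status is None:
            counts["skipped"] += 1
        else:
            counts[event["type"]][status] += 1
    return counts


if __name__ == "__main__":
    print(summarize(SAMPLE_LOGS))
```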