Validate Captcha Enforcement due to Bot Detection with Risky Option Enabled

Overview

This article explains how to tell if Captcha was enforced during a login due to the Bot detection feature with the When Risky option enabled.

Solution

The following two logs can be used to understand if Captcha was displayed.

  1. When Captcha is forced, Auth0 adds a field named requiredCaptcha to the successful login log (type s) for users in Auth0 database connections. This field shows up only when the Captcha is forced; if it wasn't forced, the attribute is missing from the log.

    Sample tenant log:

{
  "client_id": "redacted",
  "client_name": "redacted",
  "connection": "redacted",
  "connection_id": "redacted",
  "date": "2024-05-27T16:56:18.089Z",
  "details": {
    "actions": {
      "executions": [
        "redacted"
      ]
    },
    "completedAt": 1716828978083,
    "elapsedTime": 164722,
    "initiatedAt": 1716828813361,
    "prompts": [
      {
        "completedAt": 1716828977332,
        "connection": "redacted",
        "connection_id": "redacted",
        "elapsedTime": null,
        "identity": "redacted",
        "name": "redacted",
        "stats": {
          "loginsCount": 3
        },
        "strategy": "auth0"
      },
      {
        "completedAt": 1716828977350,
        "elapsedTime": 163980,
        "flow": "universal-login",
        "initiatedAt": 1716828813370,
        "name": "login",
        "requiredCaptcha": true,
        "timers": {
          "rules": 534
        },
        "user_id": "redacted",
        "user_name": "redacted"
      }
    ],
    "riskAssessment": {
      "assessments": {
        "ImpossibleTravel": {
          "code": "minimal_travel_from_last_login",
          "confidence": "high"
        },
        "NewDevice": {
          "code": "match",
          "confidence": "high",
          "details": {
            "device": "known",
            "useragent": "known"
          }
        },
        "PhoneNumber": {
          "code": "phone_number_not_provided",
          "confidence": "neutral"
        },
        "UntrustedIP": {
          "code": "not_found_on_deny_list",
          "confidence": "high"
        }
      },
      "confidence": "high",
      "version": "1"
    },
    "session_id": "redacted",
    "stats": {
      "loginsCount": 3
    }
  },
  "hostname": "redacted",
  "ip": "redacted",
  "strategy": "auth0",
  "strategy_type": "database",
  "type": "s",
  "user_agent": "Chrome 80.0.3987 / Windows 10.0.0",
  "user_id": "redacted",
  "user_name": "redacted",
  "log_id": "redacted",
  "tenant_name": "redacted",
  "_id": "redacted",
  "isMobile": true
}
  2. Another attribute is requiresVerification, available in the Pre-login risk assessment logs (type pla). This attribute always exists in the pla logs and shows whether the login transaction requires a Captcha. The pla logs are created every time a login page is rendered while the Risk Assessment option is turned on in the Bot detection feature.

    Sample tenant log:
{
  "date": "2024-05-13T23:20:36.453Z",
  "type": "pla",
  "description": "Pre-login risk assessment",
  "connection_id": "",
  "client_id": "redacted",
  "client_name": "redacted",
  "ip": "redacted",
  "user_agent": "Chrome 80.0.3987 / Windows 10.0.0",
  "details": {
    "ipOnAllowlist": false,
    "requiresVerification": true,
    "session_id": "redacted"
  },
  "hostname": "redacted",
  "user_id": "",
  "user_name": "",
  "$event_schema": {
    "version": "1.0.0"
  },
  "log_id": "redacted",
  "tenant_name": "redacted",
  "_id": "redacted",
  "isMobile": false
}
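Putting the two checks together, here is an added example (not from the article or from Auth0) that walks a list of tenant log entries and reports, per session, the pla log's requiresVerification flag and whether the matching s log carries requiredCaptcha. It assumes the details.session_id value is shared between a pla log and the s log of the same login; the sample entries are constructed.

```python
import json

# Constructed sample entries shaped like the article's two log types.
# Values are placeholders, not real tenant data.
SAMPLE_LOGS = [
    {"type": "pla", "date": "2024-05-13T23:20:36.453Z",
     "details": {"ipOnAllowlist": False, "requiresVerification": True,
                 "session_id": "sess-1"}},
    {"type": "s", "date": "2024-05-13T23:21:10.000Z", "strategy_type": "database",
     "details": {"session_id": "sess-1",
                 "prompts": [{"name": "login", "requiredCaptcha": True}]}},
    # Second login: requiredCaptcha attribute absent, so Captcha was not forced.
    {"type": "s", "date": "2024-05-13T23:30:00.000Z", "strategy_type": "database",
     "details": {"session_id": "sess-2", "prompts": [{"name": "login"}]}},
]


def captcha_in_login_log(entry):
    """Type "s" log: True if any prompt carries requiredCaptcha, False when the
    attribute is absent (the article's signal that Captcha was not forced)."""
    if entry.get("type") != "s":
        raise ValueError("expected a successful-login (type s) log entry")
    prompts = entry.get("details", {}).get("prompts", [])
    return any(p.get("requiredCaptcha") is True for p in prompts)


def captcha_in_pla_log(entry):
    """Type "pla" log: the requiresVerification flag, which is always present."""
    if entry.get("type") != "pla":
        raise ValueError("expected a pre-login risk assessment (type pla) log entry")
    return bool(entry["details"]["requiresVerification"])


def captcha_by_session(logs):
    """Correlate pla and s logs by details.session_id (assumed shared) and report
    the pre-login decision and the enforced-at-login result for each session."""
    report = {}
    for entry in logs:
        session = entry.get("details", {}).get("session_id")
        if session is None:
            continue
        row = report.setdefault(session, {"pre_login": None, "login": None})
        if entry["type"] == "pla":
            row["pre_login"] = captcha_in_pla_log(entry)
        elif entry["type"] == "s":
            row["login"] = captcha_in_login_log(entry)
    return report


if __name__ == "__main__":
    print(json.dumps(captcha_by_session(SAMPLE_LOGS), indent=2))
```

A session whose pla log shows requiresVerification true but whose s log lacks requiredCaptcha is worth a second look, since the page says the two should agree when Captcha was enforced.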