メインコンテンツへスキップ

Before you start

You must configure Breached Password Protection and set up alerts for thresholds.
Adversaries can use password-based authentication as a target for attacks against your tenant. Below is for identifying and investigating potential attacks and taking the required remediation actions to protect users and minimize further risks.

Find log events of interest

When considering a response, first sift through the log messages of interest to identify potential attacks. For example, the attack may be coming from a limited set of IPs or from a single autonomous system number (ASN) or country. The following Auth0 tenant log event types are relevant when investigating a brute force attack.
  1. f: failed user login
  2. fu: failed user login due to invalid username
  3. fp: failed user login due to invalid password
  4. pwd_leak: attempted login with a leaked password
  5. signup_pwd_leak: attempted to sign up with a leaked password
  6. fcoa: failed cross-origin authentication (these events are generated by /co/authenticate, which should not be enabled unless strictly required)
  7. scoa: successful cross-origin authentication (these events are generated by /co/authenticate, which should not be enabled unless strictly required)

Identify breached password attacks

Attackers often employ brute force techniques (TT1110) when trying to breach password authentication, using collections of bots to guess passwords and sign up with reused credentials to test user accounts.

Password guessing

Most commonly employed by unsophisticated adversaries, password guessing (TT1110.001) attackers come in with little prior knowledge of your tenant’s policies and repeatedly attempt to guess passwords in an attempt to access accounts. Since attackers are merely guessing whether a user exists with an unknown password, you will see a flood of fp, fu and fcoa events in your Auth0 log events.

Password spraying

Adversaries employ password spraying (TT1110.003) as an opportunistic attack en masse when attempting to gain access to legitimate user accounts. Since attackers achieve their goals by trying commonly-used passwords, these attacks will frequently result in tripping Auth0’s brute force protections. Much like password guessing attacks, a high number of fp, fu and fcoa events in your logs are the best way to see whether attackers are attempting password spraying attacks.

Credential stuffing

If your tenant uses passwords without requiring an additional factor, credential stuffing (TT1110.004) is the most effective brute force attack technique. These attacks take advantage of password leaks and reuse by attempting to log in to a victim’s account using a dictionary of leaked passwords. Credential stuffing attacks frequently generate fp events (because the attackers are more likely to know a user exists) and pwd_leak events (because attackers are attempting to log in using breached credentials).

Mitigation strategies

A comprehensive strategy balances your business’s risk tolerance and technical capabilities with the experience your users will have when they sign in. When responding, consider two main factors:
  • User friction**:** evaluate the impact of mitigation measures (e.g. CAPTCHA frequency, passkey requirements, or ) on user experience.
  • Technical capacity: assess your ability to implement IP blocking, WAF rules, and MFA enforcement.
Auth0 recommends a layered security approach that combines multiple mitigation techniques for optimal protection. Below are Auth0’s recommendations:
  • Turn on Bot Detection and block compromised credentials, up to and including requiring MFA for potentially compromised accounts.
  • Activate CAPTCHA for one or more flows and increase CAPTCHA frequency as needed, but remember that CAPTCHA is a deterrent, not a solution. For more information about , read the Bot Detection playbook.
  • Change your CAPTCHA provider if attackers bypass your current CAPTCHA or consider migrating to Auth0’s Auth Challenge or another supported provider.
  • Change your web application firewall rules using an edge provider or use tenant access control lists to block abusive IPs, autonomous system numbers, geographic locations, TLS clients, or HTTP header elements like user-agent strings.
  • Tighten Brute Force and Suspicious IP thresholds to reduce allowed connection limits and mitigate brute-force attacks.
  • Disable stateless endpoints susceptible to credential stuffing attacks by modifying your Cross-Origin Authentication settings.