Auth0’s anomaly detection and breached password protection work by identifying suspicious login attempts and preventing users from using passwords known to be compromised.

Here is an illustrative event showing both features in action. Imagine a user, Alice, who normally logs in from San Francisco. Today her login attempt originates from a small internet cafe in Mumbai, on a device she has never used before, so anomaly detection flags it as suspicious. If, in addition, her password appears on a list of credentials leaked in a data breach elsewhere on the internet, breached password protection triggers as well. The record below is a simplified illustration of that attempt, not Auth0's actual log schema (real tenant logs use short type codes and different field names): the IP address is one geolocated to Mumbai, the breached_password_detection status would otherwise read "not_breached", and the anomaly_detection status would otherwise read "normal".

{
  "event": "login",
  "user_id": "auth0|60a7b1c2d3e4f50011223344",
  "client_id": "YOUR_CLIENT_ID",
  "connection": "Username-Password-Authentication",
  "ip_address": "103.21.145.12",
  "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36",
  "location": {
    "country_code": "IN",
    "country_name": "India",
    "city_name": "Mumbai",
    "latitude": 19.0760,
    "longitude": 72.8777
  },
  "success": false,
  "breached_password_detection": {
    "active": true,
    "status": "breached"
  },
  "anomaly_detection": {
    "active": true,
    "status": "suspicious"
  }
}

The core problem these features solve is credential stuffing and account takeover (ATO). Attackers obtain lists of usernames and passwords from data breaches and then systematically try them against various online services. Anomaly detection and breached password protection act as crucial layers to thwart these attacks.

Anomaly detection, in the general sense, works by establishing a baseline of "normal" behavior for each individual account: typical login locations, devices, times of day and IP address ranges. A login that deviates significantly from that baseline is flagged as anomalous. The important point is that this is not a simple IP-based check. Several signals are weighed together, so a new but plausible location (same device, reasonable travel time since the last login) scores very differently from a new country on a new device two hours after a login on the other side of the world. In Auth0 these protections are packaged as brute-force protection (per-account failed-attempt limits), suspicious IP throttling (velocity limits per source IP), bot detection and breached password detection. Auth0 does not publish the scoring model behind them, so treat the weights in any worked example as assumptions.
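To make the baseline-and-deviation idea concrete, here is an added example (not Auth0's code; Auth0 does not publish its model) that builds a per-user baseline from confirmed-good logins, scores a new attempt on several independent signals, including impossible travel between consecutive logins, and maps the score to allow, step-up MFA or block. The signal weights, thresholds and the three sample logins for Alice are constructed for illustration.

```python
"""Per-user login baseline with multi-signal anomaly scoring.

Added example, not Auth0 code. Weights, thresholds and sample logins are
assumptions chosen to illustrate the idea, not Auth0's real model.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from math import asin, cos, radians, sin, sqrt
from typing import Optional

MAX_PLAUSIBLE_KMH = 900   # assumption: faster than an airliner between two logins
MFA_THRESHOLD = 2         # assumption: score >= 2 -> ask for a second factor
BLOCK_THRESHOLD = 6       # assumption: score >= 6 -> block and alert


@dataclass
class Login:
    user: str
    ts: datetime
    ip: str
    country: str
    lat: float
    lon: float
    device: str           # e.g. a device cookie or hashed user agent


@dataclass
class Baseline:
    countries: set = field(default_factory=set)
    devices: set = field(default_factory=set)
    ip_prefixes: set = field(default_factory=set)
    hours: set = field(default_factory=set)
    last: Optional[Login] = None


def ip_prefix(ip: str) -> str:
    """Coarsen an IPv4 address to its /24 so a DHCP lease change alone is not an anomaly."""
    return ".".join(ip.split(".")[:3])


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in kilometres between two lat/lon points."""
    p1, p2 = radians(lat1), radians(lat2)
    dlat, dlon = p2 - p1, radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(p1) * cos(p2) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def learn(baseline: Baseline, login: Login) -> None:
    """Fold a login that was confirmed legitimate into the user's baseline."""
    baseline.countries.add(login.country)
    baseline.devices.add(login.device)
    baseline.ip_prefixes.add(ip_prefix(login.ip))
    baseline.hours.add(login.ts.hour)
    baseline.last = login


def score(baseline: Baseline, login: Login) -> tuple:
    """Weigh several independent signals; no single signal decides by itself."""
    points, reasons = 0, []
    if baseline.last is None:
        return 0, ["no_baseline"]          # first login: nothing to compare against
    if login.country not in baseline.countries:
        points += 3; reasons.append("new_country")
    if login.device not in baseline.devices:
        points += 2; reasons.append("new_device")
    if ip_prefix(login.ip) not in baseline.ip_prefixes:
        points += 1; reasons.append("new_ip_prefix")
    if login.ts.hour not in baseline.hours:
        points += 1; reasons.append("unusual_hour")
    hours = (login.ts - baseline.last.ts).total_seconds() / 3600
    km = haversine_km(baseline.last.lat, baseline.last.lon, login.lat, login.lon)
    if hours > 0 and km > 100 and km / hours > MAX_PLAUSIBLE_KMH:
        points += 5; reasons.append("impossible_travel")
    return points, reasons


def decide(points: int) -> str:
    if points >= BLOCK_THRESHOLD:
        return "block"
    if points >= MFA_THRESHOLD:
        return "mfa"
    return "allow"


def evaluate(baseline: Baseline, login: Login) -> tuple:
    points, reasons = score(baseline, login)
    return points, reasons, decide(points)


# Constructed sample data: three good logins from San Francisco, then three new attempts.
SF = dict(country="US", lat=37.7749, lon=-122.4194)
BOM = dict(country="IN", lat=19.0760, lon=72.8777)
T0 = datetime(2024, 5, 6, 9, 0, tzinfo=timezone.utc)


def alice_baseline() -> Baseline:
    bl = Baseline()
    for day, hour in ((0, 9), (1, 10), (2, 14)):
        ts = T0 + timedelta(days=day, hours=hour - 9)
        learn(bl, Login("alice", ts, "73.162.10.5", device="chrome-win-home", **SF))
    return bl                                  # last good login: May 8, 14:00 UTC


def demo() -> dict:
    bl = alice_baseline()
    cafe = Login("alice", T0 + timedelta(days=2, hours=7), "103.21.145.12",
                 device="chrome-win-cafe", **BOM)            # Mumbai, 2 h later
    home = Login("alice", T0 + timedelta(days=3), "73.162.10.77",
                 device="chrome-win-home", **SF)             # same /24, known device
    la = Login("alice", T0 + timedelta(days=4, hours=1), "172.58.20.1",
               device="chrome-win-home", country="US", lat=34.0522, lon=-118.2437)
    return {"mumbai_cafe": evaluate(bl, cafe), "home": evaluate(bl, home),
            "la_trip": evaluate(bl, la)}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The Los Angeles case is the one worth noticing: a new city and a new IP range, but the known device and a plausible travel time keep it at "allow", which is the difference between multi-signal scoring and a bare geo-IP check.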

Breached password protection compares credentials against databases of passwords known to have been exposed in third-party breaches. The check runs when a user signs up or changes their password and, as the event above shows, when they log in: a breached password can be rejected at signup or reset, and a login with one can be blocked until the user resets it, with the user (and optionally administrators) notified. This directly targets password reuse across services, the habit that credential stuffing depends on.

You control these features in the Auth0 dashboard under the "Security" section. Current dashboards group them under "Attack Protection"; older tenants showed them as "Anomaly Detection" and "Breached Password Detection". Each protection can be enabled or disabled independently, and where one exposes a sensitivity or threshold setting, a stricter setting flags more logins: it catches subtler attacks but also produces more false positives. Pair stricter settings with a step-up response such as MFA rather than an outright block wherever you can, so a false positive costs a legitimate user a second factor rather than access.

The "breached" status in the breached_password_detection object isn’t just a binary yes/no. Auth0 uses a mechanism called Pwned Passwords (a service by Troy Hunt) which provides a count of how many times a specific password has been compromised. Auth0 doesn’t store the actual passwords, but rather hashes of them. When you check a password, Auth0 hashes it and sends that hash (or a portion of it) to the Pwned Passwords API to see if it’s in the compromised list. The response typically indicates if the password is known to be compromised and, if so, how many times it appeared in breaches. This allows Auth0 to warn users effectively without ever seeing or storing their plaintext passwords.

The next concept to explore is how to integrate these detections into your application’s user experience, such as prompting for multi-factor authentication (MFA) when an anomaly is detected or guiding users through a password reset flow when a breached password is attempted.
