This topic describes how to present users with a CAPTCHA challenge after a specified number of failed login attempts.

A CAPTCHA (Completely Automated Public Turing Test to tell Computers and Humans Apart) challenge distinguishes between humans and computers with a Turing test. You can use CAPTCHA challenges to prevent unauthorized access or denial-of-service (DoS) attacks against your tenant. The CAPTCHA feature uses Google's reCAPTCHA service.

Setting a CAPTCHA threshold might impact your custom apps that use the /Security/StartAuthentication API. Our APIs don't currently offer a way to display a CAPTCHA associated with your Google account, so users of your custom apps who exceed the CAPTCHA threshold would be locked out.

Enable CAPTCHA challenges following failed sign-in attempts

The following procedure describes how to enable a CAPTCHA challenge after a specified number of consecutive failed login attempts.

  1. In the Identity Administration portal, go to Settings > Authentication > Security Settings.

  2. Under Authentication Options, use the drop-down menu next to Number of consecutive failed login attempts allowed before showing a CAPTCHA (default Off) to specify the number of allowed failed attempts before a user sees the CAPTCHA challenge.

    Any failed challenge counts as a failed attempt, for example an incorrect password or an incorrect answer to a security question.

    Select a number that is less than the number of allowed password attempts before a user is locked out, otherwise a DoS attack might lock out some of your users. Refer to Lock user accounts after failed login attempts for more information.
  3. Click Save.
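The following added example (not part of the original documentation) models the counter behaviour described above: every failed challenge, whether a password or a security question, increments one consecutive-failure count, the CAPTCHA appears once that count reaches the CAPTCHA threshold, and the account locks at the lockout threshold. The `validate` check enforces the rule from step 2 that the CAPTCHA threshold must be lower than the lockout threshold; all names and the threshold values are assumptions for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class LoginPolicy:
    # Hypothetical policy: captcha_after=None corresponds to the "Off" default.
    captcha_after: Optional[int]
    lockout_after: int

    def validate(self) -> None:
        # CAPTCHA must trigger before lockout, otherwise an automated attacker
        # can lock out legitimate users without ever being challenged.
        if self.captcha_after is not None and self.captcha_after >= self.lockout_after:
            raise ValueError("CAPTCHA threshold must be lower than the lockout threshold")
        if self.captcha_after is not None and self.captcha_after < 1:
            raise ValueError("CAPTCHA threshold must be at least 1")


@dataclass
class AccountState:
    consecutive_failures: int = 0
    locked: bool = False


def record_challenge(policy: LoginPolicy, state: AccountState, passed: bool) -> str:
    """Apply one challenge outcome and return what the user should see next."""
    if state.locked:
        return "locked"
    if passed:
        state.consecutive_failures = 0  # any success resets the streak
        return "ok"
    state.consecutive_failures += 1   # password or security question alike
    if state.consecutive_failures >= policy.lockout_after:
        state.locked = True
        return "locked"
    if policy.captcha_after is not None and state.consecutive_failures >= policy.captcha_after:
        return "captcha"
    return "retry"


def simulate(policy: LoginPolicy, outcomes: List[bool]) -> List[str]:
    """Run a constructed sequence of challenge outcomes against a fresh account."""
    policy.validate()
    state = AccountState()
    return [record_challenge(policy, state, ok) for ok in outcomes]
```

With a CAPTCHA threshold of 3 and a lockout threshold of 5, five consecutive failures yield retry, retry, captcha, captcha, locked; a single success in between resets the count.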

Create a custom Google reCAPTCHA v2 site

You can create your own Google reCAPTCHA v2 site if you prefer to use a different reCAPTCHA type or domain.

  1. Sign in to your Google account and go to https://www.google.com/recaptcha/admin/create.

    For customers in China, use www.recaptcha.net instead of www.google.com. Contact your account representative to enable this feature.

  2. In the Label field, enter a name for your site.

  3. Select the reCAPTCHA type as reCAPTCHA V2, and then select "I’m not a robot" Checkbox.

  4. Add the list of domains where the reCAPTCHA service is invoked.

    The list of domains does not apply to the reCAPTCHA v2 (Android) site type.

  5. Add the list of email addresses that are associated with a Google account and have ownership rights over the site key.

  6. Select the Accept the reCAPTCHA Terms of Service checkbox to accept the Terms of Use.

  7. Select Send alerts to owners to receive alerts when Google detects any issues with your site.

  8. Click Submit.

    The Site Key and Secret Key are generated. You can copy these values to enter them in the System Configuration section of your Identity Administration portal to use your new reCAPTCHA v2 site.

Configure Google reCAPTCHA V2 for Signup flow

The following procedure describes how to include CAPTCHA challenges in the Authentication widget's signup flow.

Step 1: Enable CAPTCHA for the sign up flow in the Identity Administration portal

  1. In the Identity Administration portal, go to Settings > Authentication > Security Settings, select Enable CAPTCHA for Signup flow, then click Save.

    The CAPTCHA is enabled for both the Signup API and Signup form in the Authentication widget.

Step 2: (Optional) Use your custom reCAPTCHA site

  1. Go to Settings > Customization > System Configuration, then select Use Custom reCAPTCHA V2 API Settings to use custom reCAPTCHA settings for your tenant.

    Refer to Create a custom Google reCAPTCHA v2 site for more information about creating a custom site.

  2. Enter the Site Key and Secret key, then click Save.

    For embedded widgets, use the custom reCAPTCHA settings to configure authentication security.

    This reCAPTCHA mechanism is applicable only to web apps. The signup API in Android and iOS native apps does not support this mechanism. You can use either the signup form in the Authentication widget or the bearer token mechanism instead.

    Also, in the current configuration approach, you can configure it for either the web platform or the Android platform, but not both at the same time.