June 16, 2016

How-to add login anomaly detection to Auth0

If you're building a new app or restructuring an existing one you may consider using Auth0 to manage user authentication.

In their words Auth0 is:

A universal identity platform for customers, employees and partners” which essentially means they focus on making it easy to manage user sign-up and log-in. They also have support for social sign in via Facebook, Google, and others as well as offering enterprise support for Single Sign-On (SSO).

All in all, Auth0 provide a fantastic solution that offers a secure best practice way to get up and running quickly. They also have a nice plugin architecture that enables smart integrations with other services like Mixpanel or FullContact to enrich profiles and track events.

So that's enough about why you should consider Auth0, for the rest of this post we will focus on extending Auth0 with the advanced login anomaly detection offered by ThisData.

Why do I need login anomaly detection?

In case you're not already familiar with login anomaly detection or how ThisData can help you I thought I better offer that up first.

Login anomaly detection is a process of checking the attributes of each login to an app for anything that seems out of the ordinary. This check runs independently of the normal authentication process and helps detect situations where a user has had their identity stolen or password compromised.

Compromised or phished accounts are the reason behind 95% of data breaches so it's good practice to place some additional checks around your login process. It will also give your customers confidence that you're doing all you can to help them protect the data they have in your app.

ThisData algorithms will take into account many behavioral factors including:

  • Location & Velocity
  • Devices
  • Time of day
  • Tor usage
  • Risky IP addresses
  • and more...

Auth0 Rules

Auth0 have made it easy to integrate additional services via custom rules which are essentially snippets of javascript code that run as part of the user authentication request.

I'm going to show you how to implement two Auth0 Rules that make use of ThisData. In reality you will only choose one of these rules to add to your account but in either case you will need a ThisData account to make it all work properly.

You can sign up for a free ThisData account here.

Setting up the API key

Once you have a ThisData account you will want to fetch your ThisData API Key which you will find on the Getting Started screen if its your first login or by going to the API Settings area.

Now you want to store the ThisData API key as an encrypted configuration setting in the Auth0 Rules section. We will use this configuration setting in the rule that we create rather than having the ThisData API pasted straight into the javascript code.

Rule 1: Alerting users to suspicious logins

This rule will track all of the logins to your app and check them for anomalies.

If an anomaly is detected it will send the user a “Was this you?” notification which details the unusual access, location, and device involved.

If the user responds to the notification indicating that it was not them, then action can be taken to quickly shut down access to their account and limit damage or data loss.

To create this rule click the “+ CREATE RULE” button in Auth0.

Then, select the “Empty Rule” template and paste in the following code to the box provided.

function (user, context, callback) {  
  // Get this from your ThisData account
  var apiKey = configuration.THISDATA_API_KEY;

  var options = {
    method: 'POST',
    headers: {
      'User-Agent': 'thisdata-auth0'
    },
    uri: 'https://api.thisdata.com/v1/events?api_key=' + apiKey,
    json: {
      verb: 'log-in',
      ip: context.request.ip,
      user_agent: context.request.userAgent,
      user: {
        id: user.user_id,
        name: user.name,
        email: user.email
      }
    }
  };

  request.post(options);

  callback(null, user, context);
}

It should look something like this:

Click “TRY THIS RULE” to test that it all works properly and you should see a log-in event show up in your ThisData Audit Log.

By default email notifications will not be sent by ThisData so the final step is to enable these notifications in the ThisData API settings.

Rule 2: Blocking suspicious logins

If security is super important to your app you might want to block highly suspicious activity immediately, without waiting to ask your user.

To achieve this you can create an Auth0 Rule that will instantly block logins that are highly suspicious. This rule works by making a call to the ThisData Verify API and using the Risk Score that is returned. The risk score is on a scale of 0 -> 1 and by default, if the score is above 0.85 the authentication will be blocked.

To create this rule follow the same process as in rule 1 above but paste in the following javascript snippet.

  // Get this from your ThisData account
  var apiKey = configuration.THISDATA_API_KEY;

  // 0.85 will generally block irregular Tor usage
  // or sudden changes in location and device
  var riskLimit = 0.85;

  var options = {
    method: 'POST',
    headers: {
      'User-Agent': 'thisdata-auth0'
    },
    uri: 'https://api.thisdata.com/v1/verify?api_key=' + apiKey,
    json: {
      ip: context.request.ip,
      user_agent: context.request.userAgent,
      user: {
        id: user.user_id,
        name: user.name,
        email: user.email
      }
    }
  };

  request.post(options, function(e, r, b){
    if(e || r.statusCode !== 200){
      // If anything fails dont block the login
      callback(null, user, context);
    } else {

      // If the risk is high then block the login
      if(b.score >= riskLimit){
        return callback(new UnauthorizedError('Login anomaly detected by ThisData. Risk: ' + b.score));
      }

      callback(null, user, context);
    }
  });
}

When the login is blocked you will get an unauthorized error to the callback url that you setup with Auth0. It will also contain an error message containing the risk score.

Login anomaly detected by ThisData. Risk: .93  

Conclusion

In this post we've discussed why Auth0 is a great option for managing users, sign-up and log-in etc. We've also discussed how you can extend Auth0 with advanced anomaly detection to help protect users from getting their passwords stolen via phishing or social engineering attacks.

These types of attacks are growing in frequency so it's a smart move to put some extra protection in place.

If you want to use both of these rules you will need to make sure the blocking rule (#2) is ordered after the alerting one.

If you have any questions about how to set this up, want to talk about how ThisData works or login security in general, please feel free to get in touch.

YOU MAY ALSO BE INTERESTED IN

It wasn’t me!

If you’re a big tech company like Google, Salesforce or Facebook then you’ve already felt the pain of users getting their accounts hacked. Y ...