Auth0 Bot Detection works with the company's Breached Password Detection, Brute Force Protection, and Multi-factor Authentication services to mitigate automated attacks, account takeovers, phishing attacks, and other threats.
Credential stuffing typically involves using account credentials stolen during previous breaches to conduct large-scale automated attacks on other sites.
According to Auth0, such an attack can come from as many as 65,000 different IP addresses at once, causing traffic to surge by as much as 180 times.
While an attack is in progress, credential stuffing can account for as much as 65% of the traffic to Auth0's authentication service.
The new Bot Detection service correlates numerous data sources to identify and mitigate bot-driven attacks before login.
For example, numerous failed login attempts across multiple accounts from a particular IP address would be considered suspicious, so a captcha would be added to the login process, and that would mitigate most bot attacks.
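The heuristic in the paragraph above can be sketched as follows. This is an added example, not part of the original article and not Auth0's implementation; the five-minute window, the three-account threshold, and the sample events are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed tuning values for this sketch (not Auth0's settings).
WINDOW = timedelta(minutes=5)
MAX_FAILED_ACCOUNTS = 3

# Constructed sample events: (ISO timestamp, source IP, username, login succeeded).
SAMPLE_EVENTS = [
    ("2024-01-01T10:00:00", "203.0.113.7", "alice", False),
    ("2024-01-01T10:00:05", "203.0.113.7", "bob", False),
    ("2024-01-01T10:00:10", "203.0.113.7", "carol", False),
    ("2024-01-01T10:00:15", "203.0.113.7", "dave", False),
    # One user mistyping a password: many failures, but a single account.
    ("2024-01-01T10:00:20", "198.51.100.20", "erin", False),
    ("2024-01-01T10:00:30", "198.51.100.20", "erin", False),
    ("2024-01-01T10:00:40", "198.51.100.20", "erin", False),
    ("2024-01-01T10:00:50", "198.51.100.20", "erin", True),
    # Same IP as the first burst, but after the window has expired.
    ("2024-01-01T10:10:00", "203.0.113.7", "frank", False),
]

def captcha_decisions(events, window=WINDOW, max_accounts=MAX_FAILED_ACCOUNTS):
    """For each attempt, decide before it is processed whether to show a captcha.

    An IP is challenged once it has failed logins against at least
    `max_accounts` distinct usernames inside the sliding `window`.
    """
    recent_failures = defaultdict(deque)  # ip -> deque of (time, username)
    decisions = []
    for ts, ip, user, succeeded in events:
        now = datetime.fromisoformat(ts)
        failures = recent_failures[ip]
        # Drop failures that have aged out of the sliding window.
        while failures and now - failures[0][0] > window:
            failures.popleft()
        distinct_accounts = {name for _, name in failures}
        decisions.append((ts, ip, user, len(distinct_accounts) >= max_accounts))
        if not succeeded:
            failures.append((now, user))
    return decisions

if __name__ == "__main__":
    for ts, ip, user, challenge in captcha_decisions(SAMPLE_EVENTS):
        print(ts, ip, user, "CAPTCHA" if challenge else "allow")
```

Counting distinct accounts rather than raw failures keeps a single user who mistypes a password from being challenged, while an IP that fails against several accounts in a short window is.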
Auth0 will initially offer Bot Detection in conjunction with its Universal Login service, and will make it available in other contexts in the coming months.
"We've seen an increase in the volume and sophistication of bot attacks over the last few years, and companies are investing more in their defences," said Auth0 CTO and cofounder Matias Woloski.
"Being at the front door of applications with a service that secures more than 4.5 billion login transactions per month, we have a unique vantage point for quickly identifying and blocking suspicious activity before any damage is done. This is what makes Bot Detection very effective at preventing account takeover and reducing the load on DevOps and SecOps teams."
Auth0 APAC regional director Richard Marr added: "The threat of bot-driven attacks is significant across all sectors in ANZ. We are detecting large volumes of malicious traffic – as much as 65% of the traffic to Auth0 accounts for credential stuffing attempts – and at the same time, we know that 70% of people continue to use the same password for their online logins.
"The ease and lowered barriers to credential stuffing attacks by bad actors mean increased activity. Bot Detection extends our capabilities and helps our customers strengthen their defences.
"Locally, customers with B2C applications are responding to Bot Detection to address the risk of bot attacks, and we're able to add greater value to customers who are modernising their architecture, with identity at the centre of their security approach."