
Good morning. We have to use two different approaches for customers' login:

  1. Credentials Management API: https://developers.google.com/web/fundamentals/security/credential-management/
  2. and ReCaptcha.

Do you have an idea on how to make them work together? Recaptcha is designed to seamlessly block auto-login of users via API call, and this is what Credentials Management does (more or less).

Bogo

1 Answer


I'm the product manager at Google for user authentication.

Recaptcha isn't designed to "block seamlessly auto-login of users via API call", it's designed to detect bots, irrespective of where a bot might use an API call or script a form interaction to authenticate.

I'd suggest trying to auto sign in all users, and only trigger a captcha on operations where you actually see or believe there is abuse from bots (e.g. transactions), and try to use "invisible" whenever possible to avoid user friction.

Steven
  • Thanks for your response Steven, it would seem we are misunderstanding the use of auto-login then. Our use of credential management API is that on our landing page, we fetch the plain credentials on the frontend side, open an invisible iframe with our login form, and insert the credentials into the login form, which we submit via JS. This is very similar to what a bot would do, which makes us think there has to be some other way, or a way for us to indicate uniquely our good intent – Bogo Aug 30 '18 at 14:14
  • Answer to the question aside, opening an iframe to post a credential is overkill. You can simply post it using xhr. – agektmr Sep 03 '18 at 14:47
  • A bot could equally easily fill and submit a form manually, so usage of the CM API should not be a determining factor in bot detection. Are you having an actual problem here, or is this just a theoretical concern? – Steven Sep 03 '18 at 15:47
  • Our concern is that whichever way we deliver the credentials (which we obtained on the front end), since we are doing it from code, we are acting like a bot. A malicious bot could be doing the same with a list of leaked accounts from another site. Therefore, any destination for our credentials will need protection from bots. If it is a login form, we can put reCaptcha on it, which then means we will also block our auto-login (since it acts like a bot). – Bogo Sep 04 '18 at 14:53
  • if it is an API of some sort, we can send the credentials there, but reCaptcha is out of the picture, and one can easily observe where the credentials are being sent (from a legitimate session), and then an attacker can do the same. That is where we must be missing a piece of the puzzle. – Bogo Sep 04 '18 at 14:53
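The client-side flow that Steven's answer and agektmr's comment describe, as an added example that is not code from the original thread or from Google: silently sign in returning users with the Credential Management API, POST the credential with fetch (no iframe), and attach an invisible reCAPTCHA token only to operations the site treats as abuse-prone. Everything site-specific is assumed for illustration: the endpoints `/api/login` and `/api/<operation>`, the `CAPTCHA_POLICY` table, the `X-Recaptcha-Token` header name, `SITE_KEY`, and the reCAPTCHA v3 `grecaptcha.execute(siteKey, { action })` call.

```javascript
// Added example, not code from the original thread. Endpoints, policy table,
// header name, SITE_KEY and the v3 grecaptcha call are all assumptions.

const SITE_KEY = 'your-recaptcha-site-key';  // assumption: replace with yours

// Assumed per-operation policy. Login stays captcha-free so auto sign-in is
// frictionless; operations where bot abuse is plausible require a token.
const CAPTCHA_POLICY = Object.freeze({
  login: false,
  transfer: true,
  passwordReset: true,
});

// Decide whether an operation needs a captcha token. Unknown operations fail
// closed (token required) so a new endpoint is never silently unprotected.
function captchaRequired(operation, policy = CAPTCHA_POLICY) {
  return Object.prototype.hasOwnProperty.call(policy, operation)
    ? policy[operation]
    : true;
}

// Turn a PasswordCredential into fetch() options for the login endpoint.
// Pure function so it can be tested without a browser.
function buildLoginRequest(cred) {
  if (!cred || cred.type !== 'password') {
    throw new TypeError('expected a PasswordCredential');
  }
  return {
    method: 'POST',
    credentials: 'same-origin',  // send/receive the session cookie
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify({ username: cred.id, password: cred.password }),
  };
}

// Silent auto sign-in: no UI, no captcha. Resolves to the signed-in user id,
// or null when the browser has no stored credential, the user must be
// prompted, or the server rejects the credential. `credentialsApi` and
// `fetchImpl` are injectable so the flow can be exercised outside a browser.
async function silentSignIn({
  credentialsApi = globalThis.navigator && globalThis.navigator.credentials,
  fetchImpl = globalThis.fetch,
} = {}) {
  if (!credentialsApi) return null;  // CM API not available here
  const cred = await credentialsApi.get({ password: true, mediation: 'silent' });
  if (!cred) return null;
  const resp = await fetchImpl('/api/login', buildLoginRequest(cred));
  return resp.ok ? cred.id : null;
}

// Abuse-prone operation: obtain an invisible reCAPTCHA token first and send
// it with the request. The server verifies the token before acting.
async function protectedOperation(operation, payload, {
  fetchImpl = globalThis.fetch,
  getToken = (action) => globalThis.grecaptcha.execute(SITE_KEY, { action }),
} = {}) {
  const headers = { 'Content-Type': 'application/json' };
  if (captchaRequired(operation)) {
    headers['X-Recaptcha-Token'] = await getToken(operation);
  }
  return fetchImpl(`/api/${operation}`, {
    method: 'POST',
    credentials: 'same-origin',
    headers,
    body: JSON.stringify(payload),
  });
}
```

On the server the token goes to Google's `siteverify` endpoint before the operation runs. The split matters: `/api/login` is protected by whatever server-side bot detection you already apply to every login, whether it arrives from a form, from fetch, or from the CM API (the server cannot tell these apart anyway), while the captcha adds friction only where abuse is actually observed.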