
I have implemented Google reCAPTCHA Enterprise with the score-based assessment on a register page. At first only on a test website.

Now I wonder what would be a non fraudulent score. If I use my email address I get a score of 0.89. Would it be ok if I assess all scores >= 0.7 as non-fraudulent? What would be a good starting point as a minimum score?

I could log the scores and then compare the values over time, so I may see what a good minimum score is.

On the reCAPTCHA Enterprise website it states: "With low scores, require MFA or email verification to prevent credential stuffing attacks." Where could I set up MFA or email verification? Is there documentation about it?

Thank you for any recommendations.

Gunnarius
  • The default recommended cutoff is 0.5. From there you can adjust based on how risk-tolerant your use-case is, for example maybe you are more strict during a credit card payment page (and therefore only allow 0.8+) but more lenient allowing comments on a thread (and allow 0.4+). – Cory Kramer Jan 17 '23 at 12:45
  • Thank you for your answer. My plan was also to set it to 0.5. As I understand the documentation the score has to be trained. – Gunnarius Jan 18 '23 at 12:54
  • The scoring fidelity will indeed improve after some real traffic to your site, the docs mention about 7 days worth of traffic. https://cloud.google.com/recaptcha-enterprise/docs/interpret-assessment After that point you can look at the typical scores being reported for your site and make a judgement if you should adjust from 0.5 based on your particular case. – Cory Kramer Jan 18 '23 at 12:59

1 Answer


When you create an assessment, reCAPTCHA Enterprise provides a score that helps you understand the level of risk posed by user interactions. You can confirm or correct reCAPTCHA Enterprise's assessment later, when your website has more information about user interactions to determine whether they were legitimate or fraudulent. You can send the reCAPTCHA assessment IDs back to Google with the labels LEGITIMATE or FRAUDULENT to confirm or correct the assessment made by reCAPTCHA Enterprise.

Compared to previous versions of reCAPTCHA, reCAPTCHA Enterprise's scoring system now allows for more precise responses. There are 11 levels of scores in reCAPTCHA Enterprise, with values ranging from 0.0 to 1.0. A score of 1.0 indicates that the interaction is low risk and most likely genuine, while a score of 0.0 indicates that it may be fraudulent. Only the following four score levels, out of the 11 levels, are available by default: 0.1, 0.3, 0.7 and 0.9.

To know more about MFA configuration, please refer to this documentation.

  • Thank you. I know the documentation. As it looks the score has to be trained over time. Then a cutoff can be defined. For that I have to set the cutoff lower and probably have to grant fraudulent access in the beginning, right? – Gunnarius Jan 18 '23 at 12:57
  • In the first few days you'll note that after you call [CreateAssessment](https://cloud.google.com/recaptcha-enterprise/docs/reference/rest/v1/projects.assessments/create) you'll see the response's [`assessment.risk_analysis.reasons`](https://cloud.google.com/recaptcha-enterprise/docs/reference/rest/v1/projects.assessments#riskanalysis) will likely include `LOW_CONFIDENCE_SCORE` which maps to "Too little traffic has been received from this site thus far to generate quality risk analysis." in those cases it's up to you if you wish to permit that traffic through yet. – Cory Kramer Jan 18 '23 at 14:20
  • So, in the first two weeks I would set it to 0.7. Or would you recommend setting it to 0.3? – Gunnarius Feb 21 '23 at 06:59
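An added example (not the asker's, the answerer's or Google's code) of how a register page could act on the assessment the answer and comments describe: invalid tokens are denied, scores just under the per-action cutoff or flagged `LOW_CONFIDENCE_SCORE` are stepped up to MFA or email verification, and logged scores are used to pick a cutoff. It assumes the REST `Assessment` JSON shape (`tokenProperties`, `riskAnalysis`); the responses used below are constructed, and the step-up band width is an assumed value.

```python
from dataclasses import dataclass

# Per-action cutoffs following the comment thread: strict for payments,
# the default 0.5 for registration, lenient for comments.
CUTOFFS = {"payment": 0.8, "register": 0.5, "comment": 0.4}
# Assumption: scores within this band below the cutoff are not blocked but
# sent to MFA / email verification, as the docs quoted in the question suggest.
STEP_UP_BAND = 0.2


@dataclass
class Decision:
    action: str   # "allow", "step_up" or "deny"
    reason: str


def decide(assessment: dict, expected_action: str) -> Decision:
    """Turn one Assessment response (dict parsed from JSON) into a decision."""
    token = assessment.get("tokenProperties", {})
    # A token that is invalid/replayed or minted for another action is a hard
    # failure whatever the score says.
    if not token.get("valid", False):
        return Decision("deny", f"invalid token: {token.get('invalidReason', 'unknown')}")
    if token.get("action") != expected_action:
        return Decision("deny", "token action does not match this page")
    risk = assessment.get("riskAnalysis", {})
    score = float(risk.get("score", 0.0))
    reasons = set(risk.get("reasons", []))
    cutoff = CUTOFFS[expected_action]
    # Too little site traffic yet for a quality score: don't trust the number,
    # let the user through only via an out-of-band check.
    if "LOW_CONFIDENCE_SCORE" in reasons:
        return Decision("step_up", "low-confidence score, verify out of band")
    if score >= cutoff:
        return Decision("allow", f"score {score:.1f} >= cutoff {cutoff}")
    step_up_floor = round(cutoff - STEP_UP_BAND, 2)
    if score >= step_up_floor:
        return Decision("step_up", f"score {score:.1f} just below cutoff {cutoff}")
    return Decision("deny", f"score {score:.1f} < {step_up_floor}")


def suggest_cutoff(legit_scores, min_pass_rate=0.95):
    """From logged scores of traffic later confirmed legitimate (e.g. after
    annotating assessments LEGITIMATE), return the highest default score
    level that still passes at least min_pass_rate of that traffic."""
    total = len(legit_scores)
    for cutoff in (0.9, 0.7, 0.5, 0.3, 0.1):
        passing = sum(1 for s in legit_scores if s >= cutoff)
        if total and passing / total >= min_pass_rate:
            return cutoff
    return 0.0
```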