
Bot detection (reCAPTCHA)

The internet is full of bots, and they often attempt to sign up or log in to apps. Frontegg helps you protect your application with bot detection. By default, Frontegg uses proprietary algorithms, but we also support Google reCAPTCHA, allowing you to adjust your bot detection strictness.

Once you select your bot detection method, you can configure whether authentication attempts identified as bots are allowed, challenged, blocked, or locked.


Prerequisites

There are no prerequisites for Frontegg's bot detection. However, to use Google reCAPTCHA, you’ll need to set up an account and obtain a site key and secret.

Configuring bot detection

We offer two bot detection options: Frontegg Bot Detection and Google reCAPTCHA.

Frontegg bot detection

Frontegg Bot Detection requires no setup. Simply select the action to take when a bot is detected:

  • Allow: Allow bots to continue to your app.
  • Challenge: Require MFA verification.
  • Block: Deny bots access to your app.
  • Lock: Lock users who are detected as bots.

Google reCAPTCHA

Setting up reCAPTCHA

To set up reCAPTCHA v3:

  1. Obtain your Site Key and Secret Key:


    • Fill in the label.
    • Select reCAPTCHA v3.
    • Add your domain.
    • Accept the reCAPTCHA Terms of Service.
    • Submit and copy the provided keys.
  2. In the Frontegg portal:

    • Paste your Site Key and Secret Key.


    • Choose a Minimum Passing Score (0.0 to 1.0). Higher scores indicate a higher likelihood that the user is human, so setting the minimum closer to 1.0 enforces stricter security.
  3. To save your reCAPTCHA settings, click Save.

With reCAPTCHA enabled, bot detection will be active in your Frontegg app. Choose an action to take when a bot fails the threshold:

  • Allow: Detect and log bots but allow them access.
  • Challenge: Require MFA for bots.
  • Block: Deny bots access to the app.
  • Lock: Lock users who are detected as bots.
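
The following added example (not Frontegg's code) models how a reCAPTCHA v3 verification result, a Minimum Passing Score, and the configured action combine into a decision. It assumes the response fields of Google's siteverify API (`success`, `score`, `action`, `hostname`, `error-codes`); the function name, policy shape, hostname, and sample responses are constructed for illustration, as is the choice to treat a rejected token or a hostname/action mismatch as a failed check.

```javascript
// Added example: how a reCAPTCHA v3 score, a minimum passing score and a
// configured action combine. Illustrative model only, not Frontegg's implementation.
const ACTIONS = new Set(["allow", "challenge", "block", "lock"]);

// `verification`: parsed JSON body of Google's siteverify response.
// `policy`: { minScore, action, expectedHostname, expectedAction } (hypothetical shape).
function evaluateAttempt(verification, policy) {
  if (!ACTIONS.has(policy.action)) throw new Error(`unknown action: ${policy.action}`);
  if (!(policy.minScore >= 0 && policy.minScore <= 1)) throw new Error("minScore must be 0.0-1.0");

  const reasons = [];
  if (verification.success !== true) {
    // Expired or replayed tokens come back with success=false and no score.
    reasons.push(`token rejected: ${(verification["error-codes"] || []).join(",") || "unknown"}`);
  } else {
    // A valid token minted for another site or another action should not count.
    if (verification.hostname !== policy.expectedHostname) reasons.push("hostname mismatch");
    if (verification.action !== policy.expectedAction) reasons.push("action mismatch");
    if (typeof verification.score !== "number") reasons.push("no score in response");
    else if (verification.score < policy.minScore) reasons.push(`score ${verification.score} < ${policy.minScore}`);
  }
  const human = reasons.length === 0;
  // Even with "allow", a failed check is flagged so it can be reviewed later.
  return { human, outcome: human ? "proceed" : policy.action, logged: !human, reasons };
}

// Constructed sample data (not real responses).
const policy = { minScore: 0.5, action: "challenge", expectedHostname: "app.example.com", expectedAction: "login" };
const likelyHuman = { success: true, score: 0.9, action: "login", hostname: "app.example.com" };
const likelyBot = { ...likelyHuman, score: 0.1 };
const replayed = { success: false, "error-codes": ["timeout-or-duplicate"] };

for (const [name, v] of Object.entries({ likelyHuman, likelyBot, replayed })) {
  console.log(name, evaluateAttempt(v, policy));
}
```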

Let trusted emails bypass bot detection

To allow certain test users to bypass bot detection:

  1. Open the Frontegg portal.
  2. Navigate to: [ENVIRONMENT] → Configurations → Security → Security Rules.
  3. Click the Manage button in the Bot detection section.
  4. In the window that opens, add test emails to the Ignored Emails list for both Frontegg Bot Detection and reCAPTCHA, then save your changes.


Notifying end users of bot detections

To notify end users each time their email triggers a bot detection (regardless of action):

  1. Enable notifications by selecting the Send email on bot detection checkbox.


Analyzing bots in your app

  • Go to Analytics ➜ Security Events in the Frontegg portal to view bot activity over time.
  • To read more, see the Security Events documentation.

Unlock account email

Prerequisites

To enable account unlock emails for users, ensure you’re using the following versions:

  • @frontegg/react@7.0.1
  • @frontegg/nextjs@9.0.1
  • @frontegg/angular@7.1.0
  • @frontegg/vue@4.0.1


  1. Enable the Send unlock account email option. This feature sends an email to users allowing them to restore account access.


Unlock account and unlock account success templates

Once you’ve enabled Send unlock account email:

  1. Open the Frontegg portal.
  2. Go to [ENVIRONMENT] → Configurations → Authentication → Emails.
  3. Enable the Unlock account email template.
  4. Optionally, enable the Unlock account success email template to notify users when their account is unlocked.

