Account Takeovers (ATOs)

This page explains how to detect and prevent account takeovers (ATOs).

Overview

Account takeover attacks are typically implemented by sending requests to login API endpoints with credentials from a data breach, also known as a password dump. This type of attack can be successful, even if the password dump is from an unrelated site, because humans tend to reuse passwords across multiple accounts. This type of attack does not work against users who practice proper password hygiene, such as using a password manager.

Option #1: "I'm not a robot" checkbox

It is extremely simple to add the "I'm not a robot" checkbox to your site, and there is a cost for an attacker to break this protection. This is the fastest and easiest way to provide some protection against ATOs without having to build out additional features such as SMS or email verification. This approach may be completely sufficient for some sites.

This is a live example of a simple login page protected by the checkbox. See this guide for more details.

function onSuccess(token) {
  // The token is included in the POST data in the g-recaptcha-response
  // parameter. The backend must create an Assessment with the token
  // and verify the token is valid.
  console.log(token);
}
<form id="loginForm" action="?" method="POST">
  Username: <input type="text" name="username"/><br/>
  Password: <input type="password" name="password"/><br/>
  <div class="g-recaptcha" data-sitekey="reCATCHA_sitekey"
       data-action="account_login" data-callback="onSuccess"></div>
</form>
<script src="https://www.google.com/recaptcha/enterprise.js" async defer></script>

You can experiment with this code in JSFiddle by clicking the <> icon in the top-right corner of the code window.

<html>
  <head>
    <title>Account Login - Checkbox</title>
    <script src="https://www.google.com/recaptcha/enterprise.js" async defer></script>
    <script>
    function onSuccess(token) {
      // The token is included in the POST data in the g-recaptcha-response
      // parameter. The backend must create an Assessment with the token
      // and verify the token is valid.
      console.log(token);
    }
    </script>
  </head>
  <body>
    <form id="loginForm" action="?" method="POST">
      Username: <input type="text" name="username"/><br/>
      Password: <input type="password" name="password"/><br/>
      <div class="g-recaptcha" data-sitekey="6LeAkOgUAAAAACcy3uY6N9H9SJMS27n3Zx2OOnYK"
           data-action="account_login" data-callback="onSuccess"></div>
    </form>
  </body>
</html>

Option #2: Scores and custom challenges

The best way to protect against ATOs is to rely on the reCAPTCHA score to trigger second-factor (2FA) challenges. Some familiar types of 2FA challenges include email and SMS challenges, in which one time codes (OTPs) are sent to the user.

Building a second-factor (2FA) challenge is out-of-scope for this guide, however, we have provided an example of how to integrate with SCORE keys in the login scenario. Notice that in this example, there is no visible challenge presented to the user. Only events with low scores will trigger 2FA challenges, so most real humans should observe no additional friction during login.

The logic of interpreting the score, and redirecting to a 2FA challenge, would be handled by your backend.

function submitForm() {
  grecaptcha.enterprise.ready(function() {
    grecaptcha.enterprise.execute(
      'reCAPTCHA_site_key', {action: 'account_login'}).then(function(token) {
       document.getElementById("token").value = token;
       document.getElementByID("loginForm").submit();
    });
  });
}
<form id="loginForm" action="?" method="POST">
  Username: <input type="text" name="username"/><br/>
  Password: <input type="password" name="password"/><br/>
  <input type="hidden" id="token" name="recaptcha_token"/>
  <button onclick="submitForm()">Login</button>
</form>
<script src="https://www.google.com/recaptcha/enterprise.js" async defer></script>

You can experiment with this code in JSFiddle by clicking the <> icon in the top-right corner of the code window.

<html>
  <head>
    <title>Account Login - Score</title>
    <script src="https://www.google.com/recaptcha/enterprise.js" async defer></script>
    <script>
    function submitForm() {
      grecaptcha.enterprise.ready(function() {
        grecaptcha.enterprise.execute(
          'reCAPTCHA_site_key', {action: 'account_login'}).then(function(token) {
           document.getElementById("token").value = token;
           document.getElementByID("loginForm").submit();
        });
      });
    }
    </script>
  </head>
  <body>
    <form id="loginForm" action="?" method="POST">
      Username: <input type="text" name="username"/><br/>
      Password: <input type="password" name="password"/><br/>
      <input type="hidden" id="token" name="recaptcha_token"/>
      <button onclick="submitForm()">Login</button>
    </form>
  </body>
</html>