Best practices for protection from automated threats

This document describes the recommended implementations of reCAPTCHA Enterprise and fraud mitigation strategies to defend against the critical automated threats (OWASP Automated Threats (OAT) to Web Applications). Enterprise architects and technology stakeholders can review this information to make an informed decision about the reCAPTCHA Enterprise implementation and fraud mitigation strategy for their use case.

This document contains the following information for each type of threat:

• Optimal implementation of reCAPTCHA Enterprise. This implementation is designed with the relevant features of reCAPTCHA Enterprise for the best fraud protection.

• Minimal implementation of reCAPTCHA Enterprise. This implementation is designed for a bare minimum of fraud protection.

• Recommended fraud mitigation strategies.

Choose the implementation and fraud mitigation strategy that best fits your use case. The following factors might influence the implementation and fraud mitigation strategy that you choose:

• Organization's anti-fraud needs and capabilities.
• Organization's existing environment.

For information about the recommended general implementation of reCAPTCHA Enterprise, see Best practices for using reCAPTCHA Enterprise.

For more information about the fraud mitigation strategies for your use case, contact our sales team.

Carding

Carding is an automated threat where attackers make multiple payment authorization attempts to verify the validity of bulk-stolen payment card data.

Minimum implementation

1. Install checkbox site keys on all pages where end users need to enter their credit card information. To learn how to install checkbox site keys, see Install checkbox site keys (checkbox challenge) on websites.

2. Create assessments for all tokens. To learn how to create assessments, see Create an assessment.

Optimal implementation

1. Install score-based site keys on all pages where end users need to enter their credit card information. Specify an action in the action parameter such as card_entry. To learn how to install score-based site keys, see Install score-based site keys (no challenge) on websites.

2. Install reCAPTCHA Enterprise for the payment workflow on your website. To learn how to protect your payment workflow, see Protect payment workflows.

3. Create assessments for all tokens, and set expectedAction to match the value of action that you specified when installing the score-based site keys. To learn how to create assessments, see Create an assessment.

4. Save all assessment IDs and annotate the assessments that turn into fraudulent purchases or chargebacks as fraudulent. To learn how to annotate assessments, see Annotate an assessment.

Fraud mitigation strategy

After you implement reCAPTCHA Enterprise, use one of the following fraud mitigation strategies to protect your website from carding:

• Install reCAPTCHA Enterprise for the payment workflow on your website. To learn how to protect your payment workflow, see Protect payment workflows.

• Configure card management APIs to ensure that the reCAPTCHA tokens are valid and the scores are greater than their threshold value.

  If the scores do not meet or exceed the specified threshold value, do not run a card authorization or allow the end user to use the card. When possible, allow the transaction to proceed at time of purchase, but cancel the transaction later to avoid tipping off the attacker.

• When creating assessments, ensure that your assessments meet the following criteria for a successful transaction:

  • All assessed tokens are valid and have a score greater than a specified threshold value.
  • The value of expectedAction matches the value of action that you specified when installing the score-based site keys on your web pages. To learn how to verify actions, see verify actions.

  If a transaction does not meet these criteria, do not run a card authorization or allow the end user to use the card. When possible, allow the transaction to proceed at time of purchase, but cancel the transaction later to avoid tipping off the attacker.

Card cracking

Card cracking is an automated threat where attackers identify missing values for start date, expiry date, and security codes for stolen payment card data by trying different values.

Minimum implementation

1. Install checkbox site keys on all pages where end users need to enter their payment details, including both checkout and add payment method functions. To learn how to install checkbox site keys, see Install checkbox site keys (checkbox challenge) on websites.

2. Create assessments for all tokens. To learn how to create assessments, see Create an assessment.

Optimal implementation

1. Install score-based site keys on all pages where end users need to enter their payment details. Specify an action in the action parameter such as checkout or add_pmtmethod. To learn how to install score-based site keys, see Install score-based site keys (no challenge) on websites.

2. Install reCAPTCHA Enterprise for the payment workflow on your website. To learn how to protect your payment workflow, see Protect payment workflows.

3. Create assessments for all tokens, and set expectedAction to match the value of action that you specified when installing the score-based site keys. To learn how to create assessments, see Create an assessment.

4. Save all assessment IDs and annotate the assessments that turn into fraudulent purchases or chargebacks as fraudulent. To learn how to annotate assessments, see Annotate an assessment.

Fraud mitigation strategy

After you implement reCAPTCHA Enterprise, use one of the following fraud mitigation strategies to protect your website from card cracking:

• Install reCAPTCHA Enterprise for the payment workflow on your website. To learn how to protect your payment workflow, see Protect payment workflows.

• Implement a response model and create assessments:

  1. Create and implement a response model that is adjusted for score-based risk.

     The following example shows a sample response model:

     • For low to intermediate score threshold (0.0-0.5), use context-based risk management, such as limiting the number of attempts, and blocking purchases over a specified value.
     • For the highest score threshold (> 0.5), allow the end user to proceed without any challenge.

  2. When creating assessments, ensure that the value of expectedAction matches the value of action that you specified when installing the score-based site keys on your web pages. If they do not match, do not run a card authorization or allow the end user to use the card. When possible, allow the transaction to proceed at time of purchase, but cancel the transaction later to avoid tipping off the attacker.

Credential cracking

Credential cracking is an automated threat where attackers identify valid login credentials by trying different values for usernames and passwords.

Minimum implementation

1. Install checkbox site keys on all pages where end users need to enter their credentials, including both login and forgot my password functions. To learn how to install checkbox site keys, see Install checkbox site keys (checkbox challenge) on websites.

2. Create assessments for all tokens. To learn how to create assessments, see Create an assessment.

Optimal implementation

1. Install score-based site keys on all pages where end users need to enter their credentials. Specify an action in the action parameter such as login or authenticate. To learn how to install score-based site keys, see Install score-based site keys (no challenge) on websites.
2. Recommended: Implement reCAPTCHA Enterprise password leak detection for all authentication attempts. To learn how to use password leak detection, see Detect password leaks and breached credentials.
3. Optional: To enable blocking of high-volume and low-reCAPTCHA score interactions, integrate reCAPTCHA Enterprise with a web application firewall (WAF). For example, you can use reCAPTCHA Enterprise for WAF and Google Cloud Armor integration.
4. Implement reCAPTCHA Enterprise account defender to trend end-user behavior across logins and receive additional signals that can indicate an ATO. To learn how to use reCAPTCHA Enterprise account defender, see Detect and prevent account-related fraudulent activities.
5. Create assessments for all tokens, and set expectedAction to match the value of action that you specified when installing the score-based site keys. To learn how to create assessments, see Create an assessment.
6. Save all Assessment IDs and annotate the assessment that appears fraudulent, such as Account Takeovers (ATOs) or any other fraudulent activity. To learn how to annotate assessments, see Annotate an assessment.

Fraud mitigation strategy

After you implement reCAPTCHA Enterprise, use the following fraud mitigation strategy to protect your website from credential cracking:

1. Create and implement a response model that is adjusted for score-based risk.

   The following example shows a sample response model:

   • For low to intermediate score threshold (0.0-0.5), challenge the end user with multi-factor authentication through email or SMS.
   • For the highest score threshold (> 0.5), allow the end user to proceed without any challenge.
2. End or interrupt sessions for end users who successfully authenticate but receive a credentialsLeaked: true response from reCAPTCHA Enterprise password leak detection, and send an email to the end users to change their password.
3. When creating assessments, ensure that the value of expectedAction matches the value of action that you specified when installing the score-based site keys on your web pages. If they do not match, do not permit authentication.

Credential stuffing

Credential stuffing is an automated threat where attackers use mass log-in attempts to verify the validity of stolen username/password pairs.

Minimum implementation

1. Install checkbox site keys on all pages where end users need to enter their credentials, including both login and forgot my password functions. To learn how to install checkbox site keys, see Install checkbox site keys (checkbox challenge) on websites.

2. Create assessments for all tokens. To learn how to create assessments, see Create an assessment.

Optimal implementation

1. Install score-based site keys on all pages where end users need to enter their credentials. Specify an action in the action parameter such as login or authenticate. To learn how to install score-based site keys, see Install score-based site keys (no challenge) on websites.
2. Recommended: Implement reCAPTCHA Enterprise password leak detection for all authentication attempts. To learn how to use password leak detection, see Detect password leaks and breached credentials.
3. Implement reCAPTCHA Enterprise account defender to trend end-user behavior across logins and receive additional signals that can indicate an ATO. To learn how to use reCAPTCHA Enterprise account defender, see Detect and prevent account-related fraudulent activities.

4. Optional: To enable blocking of high-volume and low-reCAPTCHA score interactions, integrate reCAPTCHA Enterprise with a web application firewall (WAF). For example, you can use reCAPTCHA Enterprise for WAF and Google Cloud Armor integration.

5. Create assessments for all tokens, and set expectedAction to match the value of action that you specified when installing the score-based site keys. To learn how to create assessments, see Create an assessment.

6. Save all assessment IDs and annotate the assessments that turn into fraudulent purchases or chargebacks as fraudulent. To learn how to annotate assessments, see Annotate an assessment.

Fraud mitigation strategy

After you implement reCAPTCHA Enterprise, use the following fraud mitigation strategy to protect your website from credential stuffing:

1. Create and implement a response model that is adjusted for score-based risk.

   The following example shows a sample response model:

   • For the lowest reCAPTCHA score threshold (0.0), inform the end user that their password is incorrect.
   • For the intermediate score threshold (0.1-0.5), challenge the end user with multi-factor authentication through email or SMS.
   • For the highest score threshold (> 0.5), allow the end user to proceed without any challenge.
2. End or interrupt sessions for end users who successfully authenticate but receive a credentialsLeaked: true response from reCAPTCHA Enterprise password leak detection, and send an email to the end users to change their password.
3. When creating assessments, ensure that the value of expectedAction matches the value of action that you specified when installing the score-based site keys on your web pages. If they do not match, do not permit authentication.
4. In your assessment, if accountDefenderAssessment=PROFILE_MATCH, allow the end user to proceed without any challenge.

Cashing out

Cashing out is an automated threat where attackers obtain currency or high value items through the utilization of stolen, previously validated payment cards.

Minimum implementation

1. Install score-based site keys on all pages where checkout is possible. To learn how to install score-based site keys, see Install score-based site keys (no challenge) on websites.
2. Create assessments for all tokens. To learn how to create assessments, see Create an assessment.

Optimal implementation

1. Install score-based site keys on all pages where end users enter their gift card information. Specify an action such as add_gift_card. To learn how to install score-based site keys, see Install score-based site keys (no challenge) on websites.

2. Create assessments for all tokens, and set expectedAction to match the value of action that you specified when installing the score-based site keys. To learn how to create assessments, see Create an assessment.

3. Save all assessment IDs and annotate the transactions that were fraudulent.

Fraud mitigation strategy

After you implement reCAPTCHA Enterprise, use the following fraud mitigation strategy to protect your website from cashing out:

• Install reCAPTCHA Enterprise for the payment workflow on your website. To learn how to protect your payment workflow, see Protect payment workflows.

• Implement a response model and create assessments:

  1. Create and implement a response model that is adjusted for score-based risk.

     The following example shows a sample response model:

     • For low to intermediate score threshold (0.0-0.5), use context-based risk management, such as limiting the number of attempts, and blocking purchases over a specified value.
     • For the highest score threshold (> 0.5), allow the end user to proceed without any challenge.
  2. When creating assessments, ensure that the value of expectedAction matches the value of action that you specified when installing the score-based site keys on your web pages. If they do not match, do not permit authentication. When possible, allow the transaction to proceed at time of purchase, but cancel the transaction later to avoid tipping off the attacker.

Account creation

Account creation is an automated threat where attackers create multiple accounts for subsequent misuse.

Minimum implementation

1. Install checkbox site keys on all pages where end users need to enter their credentials, including both login and forgot my password functions. To learn how to install checkbox site keys, see Install checkbox site keys (checkbox challenge) on websites.

2. Create assessments for all tokens. To learn how to create assessments, see Create an assessment.

Optimal implementation

1. Install score-based site keys on all pages where accounts are created. Specify an action in the action parameter such as register. To learn how to install score-based site keys, see Install score-based site keys (no challenge) on websites.
2. Recommended: Implement reCAPTCHA Enterprise password leak detection for all authentication attempts. To learn how to use password leak detection, see Detect password leaks and breached credentials.
3. Implement reCAPTCHA Enterprise account defender to receive additional signals that indicate fake account creations. To learn how to use reCAPTCHA Enterprise account defender, see Detect and prevent account-related fraudulent activities.

4. Optional: To enable blocking of high-volume and low-reCAPTCHA score interactions, integrate reCAPTCHA Enterprise with a web application firewall (WAF). For example, you can use reCAPTCHA Enterprise for WAF and Google Cloud Armor integration.

5. Create assessments for all tokens, and set expectedAction to match the value of action that you specified when installing the score-based site keys. To learn how to create assessments, see Create an assessment.

6. Save all assessment IDs and annotate the transactions that were fraudulent.

Fraud mitigation strategy

After you implement reCAPTCHA Enterprise, use the following fraud mitigation strategy to protect your website from account creation:

1. Create and implement a response model that is adjusted for score-based risk.

   The following example shows a sample response model:

   • For the lowest reCAPTCHA score threshold (0.0), limit the actions of the account until it undergoes further fraud checks.
   • For the intermediate score threshold (0.1-0.5), challenge the end user with multi-factor authentication through email or SMS.
   • For the highest score threshold (> 0.5), allow the end user to proceed without any challenge.
2. End or interrupt sessions for end users who successfully authenticate but receive a credentialsLeaked: true response from reCAPTCHA Enterprise password leak detection, and prompt the user to select a new password.
3. When creating assessments, ensure that the value of expectedAction matches the value of action that you specified when installing the score-based site keys on your web pages. If they do not match, do not permit account registration or account creation.
4. In your assessment, if accountDefenderAssessment=SUSPICIOUS_ACCOUNT_CREATION, restrict the account's access until further validation can be performed.

Fraudulent account and address changes

Attackers might attempt to change account details, including email addresses, phone numbers, or mailing addresses as part of fraudulent activity or account takeovers.

Minimum implementation

1. Install checkbox site keys on all pages where end users need to enter their credentials, including both login and forgot my password functions. To learn how to install checkbox site keys, see Install checkbox site keys (checkbox challenge) on websites.

2. Create assessments for all tokens. To learn how to create assessments, see Create an assessment.

Optimal implementation

1. Install score-based site keys on all pages where accounts are created. Specify an action in the action parameter such as change_telephone or change_physicalmail. To learn how to install score-based site keys, see Install score-based site keys (no challenge) on websites.

2. Create assessments for all tokens, and set expectedAction to match the value of action that you specified when installing the score-based site keys. To learn how to create assessments, see Create an assessment.

3. Implement reCAPTCHA Enterprise account defender to trend end-user behavior across logins and receive additional signals that can indicate an ATO. To learn how to use reCAPTCHA Enterprise account defender, see Detect and prevent account-related fraudulent activities.

4. Save all assessment IDs and annotate the transactions that were fraudulent.

Fraud mitigation strategy

After you implement reCAPTCHA Enterprise, use the following fraud mitigation strategy to protect your website from fraudulent account and address changes:

1. Create and implement a response model that is adjusted for score-based risk.

   The following example shows a sample response model:

   • For low to intermediate score threshold (0.0-0.5), challenge the end user with multi-factor authentication through email or SMS.
   • For the highest score threshold (> 0.5), allow the end user to proceed without any challenge.

2. When creating assessments, ensure that the value of expectedAction matches the value of action that you specified when installing the score-based site keys on your web pages. If they do not match, do not permit account changes.

3. In your assessment, if accountDefenderAssessment does not have the PROFILE_MATCH label, challenge the end user with multi-factor authentication through email or SMS.

Token cracking

Token cracking is an automated threat where attackers do mass enumeration of coupon numbers, voucher codes, discount tokens.

Minimum implementation

1. Install checkbox site keys on all pages where end users need to enter their gift card information. To learn how to install checkbox site keys, see Install checkbox site keys (checkbox challenge) on websites.

2. Create assessments for all tokens. To learn how to create assessments, see Create an assessment.

Optimal implementation

1. Install score-based site keys on all pages where end users need to enter their gift card information. Specify an action such as gift_card_entry. To learn how to install score-based site keys, see Install score-based site keys (no challenge) on websites.

2. Optional: To enable blocking of high-volume and low-reCAPTCHA score interactions, integrate reCAPTCHA Enterprise with a web application firewall (WAF). For example, you can use reCAPTCHA Enterprise for WAF and Google Cloud Armor integration.

3. Create assessments for all tokens, and set expectedAction to match the value of action that you specified when installing the score-based site keys. To learn how to create assessments, see Create an assessment.

4. Save all assessment IDs and annotate the assessments that turn into fraudulent gift cards or coupons.

Fraud mitigation strategy

After you implement reCAPTCHA Enterprise, use one of the following fraud mitigation strategies to protect your website from token cracking:

• Configure card management APIs to ensure that the reCAPTCHA tokens are valid and the scores are greater than their threshold value.

  If the scores do not meet or exceed the specified threshold, do not run a gift card or credit card authorization, or allow the end user to use the coupon, gift card. When possible, allow the transaction to proceed at time of purchase, but cancel the transaction later to avoid tipping off the attacker.

• When creating assessments, ensure that your assessments meet the following criteria for a successful transaction:

  • All assessed tokens are valid and have a score greater than a specified threshold value.
  • The value of expectedAction matches the value of action that you specified when installing the score-based site keys on your web pages. To learn how to verify actions, see verify actions.

  If a transaction does not meet these criteria, do not run a gift card or credit card authorization, or allow the end user to use the coupon or gift card. When possible, allow the transaction to proceed at time of purchase, but cancel the transaction later to avoid tipping off the attacker.

Scalping

Scalping is an automated threat where attackers obtain limited-availability and preferred goods or services by unfair methods.

Minimum implementation

1. Install score-based site keys on all pages where end users need to enter their gift card information. Specify an action in the action parameter such as add_to_cart. To learn how to install score-based site keys, see Install score-based site keys (no challenge) on websites.
2. Create assessments for all tokens, and set expectedAction to match the value of action that you specified when installing the score-based site keys. To learn how to create assessments, see Create an assessment.

Optimal implementation

1. Install score-based site keys on all pages where end users need to enter their gift card information. Specify an action in the action parameter such as add_to_cart. To learn how to install score-based site keys, see Install score-based site keys (no challenge) on websites.

2. Optional: To enable blocking of high-volume and low-reCAPTCHA score interactions, integrate reCAPTCHA Enterprise with a web application firewall (WAF). For example, you can use reCAPTCHA Enterprise for WAF and Google Cloud Armor integration.

3. Create assessments for all tokens, and set expectedAction to match the value of action that you specified when installing the score-based site keys. To learn how to create assessments, see Create an assessment.

4. Save all assessment IDs and annotate the transactions that were fraudulent.

Fraud mitigation strategy

After you implement reCAPTCHA Enterprise, use the following fraud mitigation strategy to protect your website from scalping:

1. Create and implement a response model that is adjusted for score-based risk.

   The following example shows a sample response model:

   • For low to intermediate score threshold (0.0-0.5), use context-based risk management, such as limiting the number of attempts, and blocking purchases over a specified value.
   • For the highest score threshold (> 0.5), allow the end user to proceed without any challenge.

2. When creating assessments, ensure that the value of expectedAction matches the value of action that you specified when installing the score-based site keys on your web pages. If they do not match, do not run the gift card authorization.

Skewing

Skewing is an automated threat where attackers use repeated link clicks, page requests, or form submissions to alter some metric.

Minimum implementation

1. Install score-based site keys on all pages where metric skewing is possible. To learn how to install score-based site keys, see Install score-based site keys (no challenge) on websites.
2. Create assessments for all tokens. To learn how to create assessments, see Create an assessment.

Optimal implementation

1. Install score-based site keys on all pages where metric skewing is possible. To learn how to install score-based site keys, see Install score-based site keys (no challenge) on websites.

2. Optional: To enable blocking of high-volume and low-reCAPTCHA score interactions, integrate reCAPTCHA Enterprise with a web application firewall (WAF). For example, you can use reCAPTCHA Enterprise for WAF and Google Cloud Armor integration.

3. Create assessments for all tokens, and set expectedAction to match the value of action that you specified when installing the score-based site keys. To learn how to create assessments, see Create an assessment.

4. Save all assessment IDs and annotate the transactions that were fraudulent.

Fraud mitigation strategy

After you implement reCAPTCHA Enterprise, use the following fraud mitigation strategy to protect your website from skewing:

Create and implement a response model that is adjusted for score-based risk.

The following example shows a sample response model:

• For low to intermediate score threshold (0.0-0.5), use context-based risk management, such as tracking the number of times a user has clicked an ad, or number of times a user has reloaded the page. Use this data to determine whether to count the metric.
• For the highest score threshold (> 0.5), allow the end user to proceed without any challenge.

Scraping

Scraping is an automated threat where attackers collect website data or artifacts in an automated way.

Minimum implementation

1. Install score-based site keys on all pages where important information resides and on key common end-user interaction pages. To learn how to install score-based site keys, see Install score-based site keys (no challenge) on websites.
2. Create assessments for all tokens. To learn how to create assessments, see Create an assessment.

Optimal implementation

1. Install score-based site keys on all pages where important information resides and on key common end-user interaction pages. To learn how to install score-based site keys, see Install score-based site keys (no challenge) on websites.

2. Optional: To enable blocking of high-volume and low-reCAPTCHA score interactions, integrate reCAPTCHA Enterprise with a web application firewall (WAF). For example, you can use reCAPTCHA Enterprise for WAF and Google Cloud Armor integration.

3. Create assessments for all tokens. To learn how to create assessments, see Create an assessment.

4. Save all assessment IDs and annotate the transactions that were fraudulent.

Fraud mitigation strategy

After you implement reCAPTCHA Enterprise, use the following fraud mitigation strategies to protect your website from scraping:

• Enable blocking of high-volume and low-reCAPTCHA score interactions by integrating reCAPTCHA Enterprise with a web application firewall (WAF). For example, you can use reCAPTCHA Enterprise for WAF and Google Cloud Armor integration
• If scraping involves APIs, use the Apigee Management APIs for additional mitigation.

CAPTCHA defeat

CAPTCHA defeat is an automated threat where attackers use automation in an attempt to analyze and determine the answer to visual and/or aural CAPTCHA tests and related puzzles.

Minimum implementation

1. Install score-based site keys on all pages that involve end-user input, account creation, payment information, or end-user interactions with the potential for fraud. Specify a descriptive action in the action parameter. To learn how to install score-based site keys, see Install score-based site keys (no challenge) on websites.

2. Create assessments for all tokens, and set expectedAction to match the value of action that you specified when installing the score-based site keys. To learn how to create assessments, see Create an assessment.

Optimal implementation

1. Install score-based site keys on all pages that involve end-user input, account creation, payment information, or end-user interactions with the potential for fraud. Specify a descriptive action in the action parameter. To learn how to install score-based site keys, see Install score-based site keys (no challenge) on websites.

2. Optional: To enable blocking of high-volume and low-reCAPTCHA score interactions, integrate reCAPTCHA Enterprise with a web application firewall (WAF). For example, you can use reCAPTCHA Enterprise for WAF and Google Cloud Armor integration.

3. Create assessments for all tokens, and set expectedAction to match the value of action that you specified when installing the score-based site keys. To learn how to create assessments, see Create an assessment.

4. Save all assessment IDs and annotate the assessments that turn into fraudulent purchases or chargebacks as fraudulent. To learn how to annotate assessments, see Annotate an assessment.

Fraud mitigation strategy

After you implement reCAPTCHA Enterprise, use one of the following fraud mitigation strategies to protect your website from CAPTCHA defeat:

• Implement a response model and create assessments:

  1. Create and implement a response model that is adjusted for score-based risk.

     The following example shows a sample response model:

     • For low to intermediate score threshold (0.0-0.5), challenge the end user with multi-factor authentication through email or SMS.
     • For the highest score threshold (> 0.5), allow the end user to proceed without any challenge.
  2. When creating assessments, ensure that the value of expectedAction matches the value of action that you specified when installing the score-based site keys on your web pages. If they do not match, do not permit authentication.

• If end users use web browsers that have JavaScript disabled, do the following:

  1. Block those end users.
  2. Notify the end users that your website requires JavaScript to proceed.

• Ensure that the grecaptcha.enterprise.ready promise is fulfilled to prevent end users' browsers that block Google's script from loading. This indicates that reCAPTCHA Enterprise is fully loaded and did not encounter an error.

• For web-only APIs, we recommend passing the reCAPTCHA token or reCAPTCHA assessment result to the backend API, and then only allowing the API action if the reCAPTCHA token is valid and meets a score threshold value. This ensures that the end user is not using the API without going through the website.

What's next

• Install score-based site keys.
• Install checkbox site keys.
• Create assessments.
• Annotate assessments.
• Implement password leak detection.
• Implement account defender.