# Detect and prevent account takeovers

This page describes how to detect and prevent account takeovers (ATOs) using reCAPTCHA.

ATO attacks typically occur when an attacker sends login requests to API endpoints using user credentials obtained from a data breach, also known as a [password dump](https://security.googleblog.com/2014/09/cleaning-up-after-password-dumps.html). This type of attack can succeed even if the password dump comes from an unrelated site, because people tend to reuse passwords across multiple accounts. It does not affect users who practice proper password hygiene, such as using a password manager.

Before you begin
----------------

[Prepare your environment for reCAPTCHA](/recaptcha/docs/prepare-environment).

Detect and prevent ATOs
-----------------------

With reCAPTCHA, you can detect and prevent ATOs by using one of the following options:

- [reCAPTCHA account defender](/recaptcha/docs/account-defender)
- ["I'm not a robot" checkbox](#checkbox)
- [Scores and custom challenges](#score-custom)

### Use the I'm not a robot checkbox

Adding the **I'm not a robot** checkbox to your site is the fastest and easiest way to provide some protection against ATOs without having to integrate additional features, such as SMS or email verification. There is a cost for an attacker to break this protection, and this option might be sufficient for some sites.

**Note:** Checkbox challenges are not supported on mobile applications.

[Add the "I'm not a robot" checkbox](/recaptcha/docs/instrument-web-pages-with-checkbox) on your web pages.

The following code is a live example of a login page protected by the checkbox:
```javascript
function onSuccess(token) {
  // The token is included in the POST data in the g-recaptcha-response
  // parameter. The backend must create an Assessment with the token
  // and verify the token is valid.
  console.log(token);
}
```

```html
<form id="loginForm" action="?" method="POST">
  Username: <input type="text" name="username"/><br/>
  Password: <input type="password" name="password"/><br/>
  <div class="g-recaptcha" data-sitekey="reCAPTCHA_site_key"
       data-action="account_login" data-callback="onSuccess"></div>
</form>
```

```html
<script src="https://www.google.com/recaptcha/enterprise.js" async defer></script>
```
You can experiment with this code in JSFiddle by clicking the `<>` icon in the top-right corner of the code window.
```html
<html>
  <head>
    <title>Account Login - Checkbox</title>
    <script src="https://www.google.com/recaptcha/enterprise.js" async defer></script>
    <script>
      function onSuccess(token) {
        // The token is included in the POST data in the g-recaptcha-response
        // parameter. The backend must create an Assessment with the token
        // and verify the token is valid.
        console.log(token);
      }
    </script>
  </head>
  <body>
    <form id="loginForm" action="?" method="POST">
      Username: <input type="text" name="username"/><br/>
      Password: <input type="password" name="password"/><br/>
      <div class="g-recaptcha" data-sitekey="6LeAkOgUAAAAACcy3uY6N9H9SJMS27n3Zx2OOnYK"
           data-action="account_login" data-callback="onSuccess"></div>
    </form>
  </body>
</html>
```
### Use scores and custom challenges

To protect against ATOs, use reCAPTCHA score-based keys together with multi-factor authentication (MFA) challenges, such as email and SMS challenges in which one-time codes (OTPs) are sent to the user.
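As an added example that is not part of the reCAPTCHA documentation, the following backend logic shows what the login endpoint should do with the token that each form on this page posts: take the Assessment the backend is required to create (the API call itself is assumed to have already happened and is only described in comments), reject tokens that are invalid or were issued for a different action, and step up to an MFA challenge only when the score falls below a threshold. The `assessment` shape (`tokenProperties`, `riskAnalysis`) follows the Assessment response; the threshold value and the sample assessments are constructed.

```javascript
// Added example, not from the reCAPTCHA docs. Backend decision logic for the
// login forms on this page. `assessment` is assumed to have the shape of a
// reCAPTCHA Enterprise Assessment response (tokenProperties, riskAnalysis);
// creating it via the API (createAssessment with the token, site key and
// expected action) is assumed to happen before this code runs.

// The checkbox widget posts the token as g-recaptcha-response; the score-based
// form on this page posts it from a hidden input named recaptcha_token.
function extractToken(formFields) {
  const token = formFields['g-recaptcha-response'] || formFields['recaptcha_token'];
  return typeof token === 'string' && token.length > 0 ? token : null;
}

// Returns { decision: 'reject' | 'require_mfa' | 'allow', reason, score }.
// mfaThreshold is a constructed policy value; tune it per site.
function decideLogin(assessment, expectedAction = 'account_login', mfaThreshold = 0.5) {
  const props = assessment && assessment.tokenProperties;
  // 1. Invalid token (expired, already used, malformed): treat as no token at all.
  if (!props || props.valid !== true) {
    return { decision: 'reject', reason: (props && props.invalidReason) || 'INVALID_TOKEN', score: null };
  }
  // 2. The action baked into the token must be the one this endpoint protects;
  //    otherwise a token minted on another page is being replayed here.
  if (props.action !== expectedAction) {
    return { decision: 'reject', reason: 'ACTION_MISMATCH', score: null };
  }
  // 3. Score-based keys return a score in [0.0, 1.0], 1.0 being most likely
  //    legitimate. Below the threshold, require an OTP challenge rather than
  //    blocking outright, which keeps friction low for high-scoring users.
  const score = assessment.riskAnalysis && typeof assessment.riskAnalysis.score === 'number'
    ? assessment.riskAnalysis.score : null;
  if (score !== null && score < mfaThreshold) {
    return { decision: 'require_mfa', reason: 'LOW_SCORE', score };
  }
  return { decision: 'allow', reason: 'OK', score };
}

// Constructed sample assessments (not real API output) covering each outcome.
const SAMPLES = {
  expired: { tokenProperties: { valid: false, invalidReason: 'EXPIRED', action: 'account_login' } },
  replayed: { tokenProperties: { valid: true, action: 'password_reset' }, riskAnalysis: { score: 0.9 } },
  suspicious: { tokenProperties: { valid: true, action: 'account_login' }, riskAnalysis: { score: 0.2 } },
  trusted: { tokenProperties: { valid: true, action: 'account_login' }, riskAnalysis: { score: 0.9 } },
};

for (const [name, a] of Object.entries(SAMPLES)) {
  console.log(name, decideLogin(a));
}
```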
To use score-based keys and custom challenges, consider the following options:

- Install score-based keys to detect automation in large-scale ATOs.

  To install score-based keys on web pages, see [Install score-based keys on web pages](/recaptcha/docs/instrument-web-pages).

  To install score-based keys on mobile applications, see [Integrate reCAPTCHA with Android apps](/recaptcha/docs/instrument-android-apps) or [Integrate reCAPTCHA with iOS apps](/recaptcha/docs/instrument-ios-apps).

- Use MFA to verify account ownership on login or for sensitive actions.

  For more information, see [Configure Multi-Factor authentication](/recaptcha/docs/integrate-account-verification).

Depending on your use case, you can use MFA on its own or with score-based keys. For example, you might prefer to use MFA challenges only for scores below a certain threshold to reduce friction.

The following example shows how to integrate score-based keys in the login scenario.

```javascript
function submitForm() {
  grecaptcha.enterprise.ready(function() {
    grecaptcha.enterprise.execute(
        'reCAPTCHA_site_key', {action: 'account_login'}).then(function(token) {
      // Store the token in the hidden field, then submit the form.
      document.getElementById("token").value = token;
      document.getElementById("loginForm").submit();
    });
  });
}
```

```html
<form id="loginForm" action="?" method="POST">
  Username: <input type="text" name="username"/><br/>
  Password: <input type="password" name="password"/><br/>
  <input type="hidden" id="token" name="recaptcha_token"/>
  <!-- type="button" keeps the click from submitting the form before the token is set -->
  <button type="button" onclick="submitForm()">Login</button>
</form>
```

```html
<script src="https://www.google.com/recaptcha/enterprise.js" async defer></script>
```

You can experiment with this code in JSFiddle by clicking the `<>` icon in the top-right corner of the code window.

```html
<html>
  <head>
    <title>Account Login - Score</title>
    <script src="https://www.google.com/recaptcha/enterprise.js" async defer></script>
    <script>
      function submitForm() {
        grecaptcha.enterprise.ready(function() {
          grecaptcha.enterprise.execute(
              'reCAPTCHA_site_key', {action: 'account_login'}).then(function(token) {
            // Store the token in the hidden field, then submit the form.
            document.getElementById("token").value = token;
            document.getElementById("loginForm").submit();
          });
        });
      }
    </script>
  </head>
  <body>
    <form id="loginForm" action="?" method="POST">
      Username: <input type="text" name="username"/><br/>
      Password: <input type="password" name="password"/><br/>
      <input type="hidden" id="token" name="recaptcha_token"/>
      <!-- type="button" keeps the click from submitting the form before the token is set -->
      <button type="button" onclick="submitForm()">Login</button>
    </form>
  </body>
</html>
```

What's next
-----------

- To learn about other account protection features, see [User accounts protection features](/recaptcha/docs/protect-accounts-overview).

Last updated: 2025-09-10 (UTC)