To prevent brute force on our login/register forms we've implemented Google's invisible reCAPTCHA on our website. However, we can't present a mobile user with this in the app we're developing. So I was wondering: is there a simple and protected way to log a user into our app?
Now the first thing that comes to mind would be to implement a mobile login/register endpoint, but an attacker would easily find this endpoint and start brute forcing it.
The next thing I came up with would be to ask the API for a token and use that to log in the user; however, this would mean blocking an IP address after X failed attempts, and it starts to feel like we're going to be developing our own version of CAPTCHA.
Another one would be to create something similar to OAuth, but UX would suffer because the user would have to be presented with a web page, and from time to time he might see a CAPTCHA.
Do you have any ideas for a simple implementation which would prevent an attacker from brute forcing the app?
For now the second method seems the most reasonable. I've stumbled upon websites before which allow something like 10 login attempts for a given email address and then block that user from logging in for a while.
As far as I remember, this video used to have this form submitted once before, and reCAPTCHA didn't show up. I can only guess that part got trimmed. It seems like reCAPTCHA decides when to "test" the users by simply comparing timestamps.
P.S. I can't think of a title which does not seem like clickbait 😅
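The "10 attempts per email, then block for a while" approach mentioned above, as an added example (not the asker's code or any particular site's implementation). It assumes an in-memory store and an injected clock; a real deployment would keep the counters in a shared store such as Redis so every API instance sees the same state, and would typically add a per-IP counter alongside the per-account one.

```python
"""Per-account login throttle: N failures inside a sliding window lock the
account for a fixed period. Added example with constructed parameters."""
from collections import deque
from dataclasses import dataclass, field


@dataclass
class LoginThrottle:
    max_failures: int = 10        # attempts allowed inside the window
    window: float = 15 * 60       # seconds; older failures are forgotten
    lockout: float = 15 * 60      # seconds the account stays locked
    _failures: dict = field(default_factory=dict)      # key -> deque[timestamp]
    _locked_until: dict = field(default_factory=dict)  # key -> timestamp

    @staticmethod
    def _key(email: str) -> str:
        # Normalise so "Alice@X" and " alice@x" share one counter.
        return email.strip().lower()

    def is_locked(self, email: str, now: float) -> bool:
        return now < self._locked_until.get(self._key(email), 0.0)

    def record_failure(self, email: str, now: float) -> bool:
        """Record a failed attempt; return True if the account is now locked."""
        k = self._key(email)
        q = self._failures.setdefault(k, deque())
        q.append(now)
        while q and now - q[0] > self.window:   # drop failures outside the window
            q.popleft()
        if len(q) >= self.max_failures:
            self._locked_until[k] = now + self.lockout
            q.clear()
            return True
        return False

    def record_success(self, email: str) -> None:
        k = self._key(email)
        self._failures.pop(k, None)
        self._locked_until.pop(k, None)


def attempt_login(throttle, email, password, verify, now):
    """Return 'locked', 'ok' or 'failed'. `verify(email, password)` is the
    caller's credential check (assumed); the same generic result is returned
    for a wrong password and an unknown account so the endpoint does not
    reveal which emails exist."""
    if throttle.is_locked(email, now):
        return "locked"
    if verify(email, password):
        throttle.record_success(email)
        return "ok"
    throttle.record_failure(email, now)
    return "failed"
```

A locked account still rejects the correct password until the lockout expires, which is what makes the limit meaningful; log the lock events so repeated lockouts of many accounts from one source are visible to monitoring.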