
Invisible reCAPTCHA on mobile?

Dimitar Nestorov ・2 min read

To prevent brute force on our login/register forms we've implemented Google's invisible reCAPTCHA on our website. However, we can't present a mobile user with this in the app we're developing. So I was wondering: is there a simple and protected way to log a user into our app?

Now the first thing that comes to mind would be to implement a mobile login/register endpoint, but an attacker would easily find this endpoint and start brute forcing it.

The next thing I came up with would be to ask the API for a token and use that to log in the user; however, this would mean blocking an IP address after X failed attempts, and it starts to feel like we're going to be developing our own version of CAPTCHA.

And another one would be to create something similar to OAuth, but UX would suffer because the user would have to be presented with a web page, and from time to time he might see a CAPTCHA.

Do you have any ideas for a simple implementation which would prevent an attacker from brute forcing the app?

For now the second method seems the most reasonable. I've stumbled upon websites before which give something like 10 attempts to log in with an X email address and then block that user from logging in for a while.

As far as I remember, this video used to have this form submitted once before and reCAPTCHA didn't show up. I can only guess that part got trimmed. It seems like reCAPTCHA decides when to "test" the users by simply comparing timestamps.

P.S. I can't think of a title which does not seem like click bait 😅

Posted by Dimitar Nestorov (@dimitarnestorov)

JavaScript, TypeScript, React, React Native, Node, and Electron

Discussion


Captchas are hard on mobile and in many cases inaccessible. You should have rate limiting on the server side or use more friendly options such as 2FA or phone verification; really, don't implement a captcha if you want to give your users a better experience and save them from unnecessary hassle.

They are used on web pages because there are many crawlers and bots on the web to automate things; on mobile it's going to be a lot harder, and since you fully control the app experience you can easily block the user from sending any more requests for a certain period of time.

TLDR: Don't do captchas please :)
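The per-account lockout the post describes as its second method (N failed attempts on one email, then block that account for a while) and the server-side rate limiting the reply recommends, as an added example in Node-style JavaScript; this is not code from the post or its author, and the limits, the injectable clock and the `verify` callback are assumptions:

```javascript
// Added example: per-account failed-login limiter with a temporary lockout,
// keyed by the submitted identifier (e.g. email) rather than by client IP,
// so it works the same for a mobile app and a web form.
// The limits (10 failures, 15-minute lockout) are illustrative assumptions.
const MAX_FAILURES = 10;
const LOCKOUT_MS = 15 * 60 * 1000;

class LoginLimiter {
  constructor({ maxFailures = MAX_FAILURES, lockoutMs = LOCKOUT_MS, now = Date.now } = {}) {
    this.maxFailures = maxFailures;
    this.lockoutMs = lockoutMs;
    this.now = now;          // injectable clock so the behaviour is testable
    this.state = new Map();  // normalised identifier -> { failures, lockedUntil }
  }

  // Returns { allowed, retryAfterMs }; called before the password is checked.
  check(identifier) {
    const key = identifier.trim().toLowerCase();
    const entry = this.state.get(key);
    if (!entry || entry.lockedUntil === null) return { allowed: true, retryAfterMs: 0 };
    const remaining = entry.lockedUntil - this.now();
    if (remaining > 0) return { allowed: false, retryAfterMs: remaining };
    this.state.delete(key);  // lockout expired: start counting afresh
    return { allowed: true, retryAfterMs: 0 };
  }

  // Counts a failed attempt; locks the account once the threshold is reached.
  recordFailure(identifier) {
    const key = identifier.trim().toLowerCase();
    const entry = this.state.get(key) || { failures: 0, lockedUntil: null };
    entry.failures += 1;
    if (entry.failures >= this.maxFailures) entry.lockedUntil = this.now() + this.lockoutMs;
    this.state.set(key, entry);
    return entry.failures;
  }

  // A successful login clears the counter for that account.
  recordSuccess(identifier) {
    this.state.delete(identifier.trim().toLowerCase());
  }
}

// Gate a credential check: refuse locked accounts without touching the password
// store, and update the counter afterwards. `verify` is an assumed async callback.
async function attemptLogin(limiter, identifier, password, verify) {
  const gate = limiter.check(identifier);
  if (!gate.allowed) return { ok: false, reason: 'locked', retryAfterMs: gate.retryAfterMs };
  const ok = await verify(identifier, password);
  if (ok) { limiter.recordSuccess(identifier); return { ok: true }; }
  limiter.recordFailure(identifier);
  return { ok: false, reason: 'invalid' };
}
```

Persist the map in a shared store (for example Redis) when the API runs on more than one instance, otherwise each instance counts separately.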