Captcha Authentication

Christopher Dakin

Introduction

LogonBox supports the use of Google's reCAPTCHA for authentication as a simple way of stopping automated attacks in which bots try to brute-force a user's credentials.

This article explains how to configure your LogonBox to use this authentication method.

Prerequisite: You must have a Google account in order to create a set of reCAPTCHA API keys.

1. Configuring the Authentication Scheme

It is important to note that you can apply different authentication flows for six different types of logon: User Logon, Password Reset, Client, Account Unlock, SSO and Admin Logon.

Each of these can have its own default authentication flow configured, but for this article we shall alter Password Reset.

Navigate to Authentication->Schemes->Password Reset. Note that by default this is configured with a yellow Username module and a green Security Questions one.

First note the colour of the Captcha module, which is red. This means that the module can be combined with any of the other modules, but does not in itself establish the identity of a user. Hence you must use it in combination with either a yellow or a blue module. Red modules can be placed anywhere in the authentication flow, even before a yellow or blue one.

Let’s keep the existing Username and Security Questions modules and click the plus icon next to Captcha to add it into the authentication flow.

As this module can be placed anywhere, it makes most sense to place it at the start of the authentication flow so that it is the first module an automated attack will hit. Simply drag the module from its default position over to the left of Username and click Save at the bottom.

You now need to get security keys from Google. Click on the edit icon inside the Captcha module, where you will be prompted to enter the Site Key and Secret Key.

Click on the link, which should open in a new tab and take you to the Google page where you register a new site. Type in a memorable name for the Label and choose reCAPTCHA v2 as the type.

In Domains, type in the hostname of your LogonBox server.

Accept the terms and click Register.

You will then be presented with the Site Key and Secret Key. Copy and paste these values into the fields of the same name in the LogonBox Captcha configuration.

Click Apply to complete the configuration.
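To show what the two keys and the Domains entry are for, here is an added example (not LogonBox's own code) of the server-side check a site performs with the Secret Key: the widget only embeds the public Site Key and hands back a one-time response token, which the server must confirm with Google's siteverify endpoint and then compare against the hostname registered under Domains. The hostname logonbox.example.com, the SECRET_KEY_PLACEHOLDER value and the reply dictionaries are constructed for this example so that it runs offline.

```python
"""Server-side reCAPTCHA v2 token verification (added illustration, not LogonBox code)."""
import json
import urllib.parse
import urllib.request

# Google's real verification endpoint; the Secret Key is only ever sent here, server to server.
SITEVERIFY_URL = "https://www.google.com/recaptcha/api/siteverify"


def post_to_google(secret_key, token, remote_ip=None):
    """Real transport: POST the widget's response token to siteverify and parse the JSON reply."""
    fields = {"secret": secret_key, "response": token}
    if remote_ip:
        fields["remoteip"] = remote_ip
    body = urllib.parse.urlencode(fields).encode()
    with urllib.request.urlopen(SITEVERIFY_URL, data=body, timeout=5) as resp:
        return json.load(resp)


def verify_captcha(token, secret_key, expected_hostname, post=post_to_google, remote_ip=None):
    """Return (ok, reason). ok is True only when Google reports success AND the token
    was solved on the hostname you registered under Domains during setup."""
    if not token:
        return False, "missing-token"                 # widget was never completed
    try:
        result = post(secret_key, token, remote_ip)
    except Exception as exc:                          # network or parse failure: fail closed
        return False, "verify-unavailable:" + exc.__class__.__name__
    if not result.get("success"):
        # Google rejects reused or expired tokens with "timeout-or-duplicate".
        return False, "google:" + ",".join(result.get("error-codes", ["unknown"]))
    if result.get("hostname") != expected_hostname:
        # A valid token solved on some other site must not unlock this one.
        return False, "hostname-mismatch:" + str(result.get("hostname"))
    return True, "ok"


# Constructed siteverify replies (not real Google output) keyed by token, for offline use.
CONSTRUCTED_REPLIES = {
    "good": {"success": True, "hostname": "logonbox.example.com", "challenge_ts": "2024-01-01T00:00:00Z"},
    "stale": {"success": False, "error-codes": ["timeout-or-duplicate"]},
    "elsewhere": {"success": True, "hostname": "other.example.net"},
}


def fake_google(replies):
    """Offline stand-in for post_to_google that answers from the constructed table."""
    def post(secret_key, token, remote_ip=None):
        assert secret_key == "SECRET_KEY_PLACEHOLDER"
        return replies[token]                         # unknown token raises KeyError
    return post
```

Because the Secret Key authorises these verification calls, it belongs only in the server-side configuration, whereas the Site Key is visible to every browser that loads the widget.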

2. Testing

As we have configured this scheme for Password Reset, to test it click the Reset Password link on the main LogonBox portal.

You will be presented with the reCAPTCHA widget. Click I'm not a robot to continue.

If you fail the 'I'm not a robot' check, the module will fall back to a secondary level where you will have to complete a picture-based task such as this one:

Once this module completes, you will be able to continue the authentication flow and reset your password.