Enabling reCAPTCHA

reCAPTCHA helps you protect your user login page against spam, malicious registrations, and other forms of attack in which bots or malicious software pretend to be humans to gain access to your system. reCAPTCHA can help you secure Access Manager against attacks such as denial-of-service (DoS) and brute-force attacks, which can severely degrade system performance.

reCAPTCHA provides an additional layer of security by asking users to confirm that they are not robots. It displays images that users must select according to matching criteria. If the response succeeds, Access Manager proceeds to authenticate the user’s credentials. If the response fails, Access Manager does not authenticate the credentials and redirects the user to the login page. Software bots typically cannot interpret the images to produce a valid response.

Access Manager supports only the latest invisible reCAPTCHA. For more information, see the Google developer guide for reCAPTCHA.

reCAPTCHA works with both the Name/Password – Form and Secure Name/Password – Form authentication classes.

The following sections provide information about configuring reCAPTCHA:

Prerequisites for reCAPTCHA

  • Active Directory, eDirectory, or both identity sources are configured.

    reCAPTCHA supports Active Directory and eDirectory. It does not support other types of identity sources, such as Microsoft SQL Server or Oracle Database identity sources that use the JDBC identity source connector.

  • Each identity source is configured with an intrusion detection policy. For more information, see Configuring Intrusion Detection for Failed Logins.

  • A Google reCAPTCHA account is available. See Setting Up a reCAPTCHA Account.

Configuring Intrusion Detection for Failed Logins

Anyone who tries more than a few unsuccessful passwords while attempting to log in to the system might be a malicious user. reCAPTCHA cannot prevent attacks by malicious users who can read the images: it cannot differentiate between malicious users and legitimate users, and it cannot prevent coordinated human DoS attacks.

To prevent brute-force or human attacks that bypass reCAPTCHA protection, configure the user’s identity source to respond to this type of potential attack by disabling the user account for a preset period of time after a specified number of failed login attempts.

The supported identity sources have the following built-in intrusion detection systems:

Active Directory Account Lockout Policy: Active Directory allows you to specify an account lockout policy for users and global security groups in a domain. Set the policy on the domain group policy object from the domain controller.

To configure the Account Lockout Policy settings:

  1. Log in as an Active Directory administrator user to the Windows Server that hosts Active Directory Domain Services (the domain controller).

  2. Configure the Account Lockout Policy on the group policy object for the domain controller. For more information, see the Account Lockout Policy in the Microsoft TechNet Library.

  3. Verify that the Account Lockout Threshold value is higher than the number of failed login attempts you plan to specify for Start reCAPTCHA at in the reCAPTCHA tool.

  4. Repeat these steps for each configured Active Directory identity source.

eDirectory Intruder Lockout Policy: eDirectory allows you to enable intruder detection and specify an Intruder Lockout policy for the container object where your user objects reside.

To configure eDirectory Intruder Detection and Intruder Lockout Policy:

  1. Log in as the eDirectory administrator user to the eDirectory server management console.

  2. Configure Intruder Detection and the Intruder Lockout policy on the container object where your user objects reside. For more information, see Setting Up Intruder Detection for All Users in a Container in the eDirectory 9.0 Administration Guide.

  3. Verify that the Intruder Lockout value is higher than the number of failed login attempts you plan to specify for Start reCAPTCHA at in the reCAPTCHA tool.

  4. Repeat these steps for each configured eDirectory identity source.
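As an added example (not code from the Access Manager documentation), the following Python model shows why step 3 of both procedures matters: it runs a sequence of failed logins for one account against a Start reCAPTCHA at value and an identity source lockout threshold, and shows whether the account locks before a challenge is ever presented. Reading Start reCAPTCHA at as the failed-login count at which the challenge begins, and a failed challenge as never reaching the identity source, are assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class LoginPolicy:
    # Assumed semantics of the two settings the documentation asks you to compare.
    start_recaptcha_at: int   # Access Manager: failed logins before the challenge is required
    lockout_threshold: int    # AD Account Lockout Threshold / eDirectory Intruder Lockout

    def is_consistent(self) -> bool:
        # Step 3 of both procedures: lockout must be higher than the reCAPTCHA start
        # value, otherwise the account locks before a challenge is ever presented.
        return self.lockout_threshold > self.start_recaptcha_at

@dataclass
class AccountState:
    failures: int = 0
    locked: bool = False
    events: list = field(default_factory=list)

def simulate(policy: LoginPolicy, attempts: list) -> AccountState:
    """Run (password_ok, captcha_ok) attempts against one account and record
    one event per attempt: 'locked', 'challenge_failed', 'failure' or 'success'.
    A failed challenge never reaches the identity source (the documentation says
    the credentials are not authenticated and the user is returned to the login
    page), so it does not advance the lockout counter; a credential failure does.
    """
    state = AccountState()
    for password_ok, captcha_ok in attempts:
        if state.locked:
            state.events.append("locked")
            continue
        if state.failures >= policy.start_recaptcha_at and not captcha_ok:
            state.events.append("challenge_failed")
            continue
        if password_ok:
            state.failures = 0
            state.events.append("success")
        else:
            state.failures += 1
            state.events.append("failure")
            if state.failures >= policy.lockout_threshold:
                state.locked = True
    return state

if __name__ == "__main__":
    # Constructed sample: lockout lower than the reCAPTCHA start value, so a bot
    # locks the account on the third attempt without ever being challenged.
    bad = LoginPolicy(start_recaptcha_at=5, lockout_threshold=3)
    print(bad.is_consistent(), simulate(bad, [(False, True)] * 4).events)
```

With a consistent policy the same bot is stopped at the challenge and the account stays usable, which is the outcome the verification step in both procedures is meant to guarantee.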

NOTE: By default, intruder detection is disabled when you create a new container object. Perform the following steps in Administration Console to enable it:

  1. Click <username> > Manage Directory Objects > Tree > <container name> > (current level) > General > Intruder Detection.

  2. Select Detect intruders.

  3. Select Lock account after detection.

    If you do not select this option, no action is taken when intruder detection is activated.

  4. Click Apply > OK.

Continue with Setting Up a reCAPTCHA Account.

Setting Up a reCAPTCHA Account

Before configuring reCAPTCHA, you must set up a reCAPTCHA account.

To set up an account, perform the following steps:

  1. Log in to the Google reCAPTCHA website.

  2. Click Get reCAPTCHA > Sign up Now.

  3. Specify a label and the registered domains.

  4. Select Invisible reCAPTCHA as the type of reCAPTCHA.

  5. Click Register.

  6. Make a note of Site Key and Secret Key for future use.

  7. Continue with Configuring reCAPTCHA.

Configuring reCAPTCHA

To configure reCAPTCHA, perform the following steps:

  1. Click Devices > Identity Server > Servers > Edit > Local > Classes > Name/Password – Form OR Secure Name/Password – Form > Properties.

  2. Select Enable reCAPTCHA.

  3. Specify the values that you noted when setting up your reCAPTCHA account in the following fields:

    • Site Key

    • Secret Key

    For more information, see Setting Up a reCAPTCHA Account.

  4. Click OK.

  5. Update the Identity Server.