Overview
Protected Auth is a ready-made solution in Stytch’s frontend & mobile SDKs that integrates with Device Fingerprinting to detect and stop fraud such as credential stuffing attacks. When Protected Auth is enabled, the SDK automatically generates a Telemetry ID before an API call and includes it in the Stytch API request. The API verifies the fingerprint verdict before authenticating the request and handles the backend integration for you.

Scenario: Credential stuffing
Protected Auth stops the attack by detecting signs of browser automation or scripting. The attacker only sees failed authentication attempts, with no way to tell whether a request failed because of the fingerprint verdict or because of an incorrect password.

Configuring Protected Auth
Protected Auth requires no code changes and is enabled from the Dashboard.
- Follow our Get started guide to enable Protected Auth.
Connection type modes
There are two modes for Protected Auth:
- Observation mode: Generates and submits fingerprints to the API, but the API does not enforce any action.
- Enforcement mode: The API reacts to each fingerprint lookup triggered by the SDK according to the verdict.
Handling challenge verdicts
BLOCK verdicts are a clear sign that traffic should be blocked. Where it is unclear whether a request is malicious, a CHALLENGE verdict is returned instead.
You can configure how Protected Auth handles challenge verdicts:
- See Challenge verdict to learn more about your options: Allow, Block, or Trigger CAPTCHA.
By default, the API treats CHALLENGE verdicts as if they had received an ALLOW verdict.

Protected methods
These methods collect fingerprints and, in Enforcement mode, prevent the action if the fingerprint receives a BLOCK verdict:
Consumer
- stytch.biometrics.authenticate
- stytch.cryptoWallets.authenticate
- stytch.impersonation.authenticate
- stytch.magicLinks.email.loginOrCreate
- stytch.magicLinks.email.send
- stytch.otps.authenticate
- stytch.otps.email.loginOrCreate
- stytch.otps.sms.loginOrCreate
- stytch.otps.sms.send
- stytch.otps.whatsapp.loginOrCreate
- stytch.otps.whatsapp.send
- stytch.passwords.authenticate
- stytch.passwords.create
- stytch.passwords.resetByEmail
- stytch.passwords.resetByEmailStart
- stytch.passwords.resetByExistingPassword
- stytch.passwords.resetBySession
- stytch.totps.authenticate
- stytch.totps.recover
- stytch.webauthn.authenticate
Multi-tenant / B2B
- stytch.impersonation.authenticate
- stytch.magicLinks.authenticate
- stytch.magicLinks.discovery.authenticate
- stytch.magicLinks.email.discovery.send
- stytch.oauth.authenticate
- stytch.oauth.discovery.authenticate
- stytch.otps.email.authenticate
- stytch.otps.email.discovery.authenticate
- stytch.otps.email.discovery.send
- stytch.otps.email.loginOrSignup
- stytch.otps.sms.authenticate
- stytch.otps.sms.send
- stytch.passwords.authenticate
- stytch.passwords.discovery.authenticate
- stytch.passwords.discovery.resetByEmail
- stytch.passwords.discovery.resetByEmailStart
- stytch.passwords.resetByEmail
- stytch.passwords.resetByEmailStart
- stytch.passwords.resetByExistingPassword
- stytch.passwords.resetBySession
- stytch.recoveryCodes.recover
- stytch.recoveryCodes.rotate
- stytch.sso.authenticate
- stytch.totp.authenticate
- stytch.totp.create
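To make the mode and verdict rules from the Connection type modes and Handling challenge verdicts sections concrete, here is an added illustration of how a verdict gates a password login and why the attacker cannot distinguish a fingerprint block from a wrong password. This is not Stytch's code; the function names, request fields and sample credential store are assumptions constructed for the example.

```javascript
// Added illustration of the Protected Auth decision flow described on this page.
// This is not Stytch's code; the function and field names are assumptions.
const VERDICTS = new Set(["ALLOW", "CHALLENGE", "BLOCK"]);

// Map a fingerprint verdict to an action under the configured mode and challenge
// policy. Observation mode records fingerprints but enforces nothing; in
// Enforcement mode, CHALLENGE is treated as ALLOW unless configured otherwise.
function resolveVerdict(verdict, { mode = "enforcement", onChallenge = "allow" } = {}) {
  if (!VERDICTS.has(verdict)) throw new Error(`unknown verdict: ${verdict}`);
  if (mode === "observation") return "allow";
  if (verdict === "ALLOW") return "allow";
  if (verdict === "BLOCK") return "block";
  return onChallenge; // "allow" (default), "block" or "captcha"
}

// The same opaque response is returned for a blocked fingerprint and for a
// wrong password, so a caller cannot learn which check failed.
const GENERIC_FAILURE = { status: 401, body: { error: "authentication_failed" } };

// Simulated password-authenticate endpoint: the verdict is resolved before the
// credential is ever checked.
function authenticate(request, config, verifyPassword) {
  const action = resolveVerdict(request.fingerprintVerdict, config);
  if (action === "block") return GENERIC_FAILURE;
  if (action === "captcha") return { status: 403, body: { error: "captcha_required" } };
  if (!verifyPassword(request.email, request.password)) return GENERIC_FAILURE;
  return { status: 200, body: { session: "constructed-session-token" } };
}

// Constructed sample credential store so the example runs offline.
const SAMPLE_USERS = { "user@example.com": "correct-horse-battery" };
const verifySample = (email, password) => SAMPLE_USERS[email] === password;
```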