CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart), is one of the most popular methods of distinguishing between a human user vs. an automated attacker. Gigya enables adding a CAPTCHA challenge to login and registration screen, to protect your site from automated hacking attempts. This guide walks you through the steps of setting up a CAPTCHA app. Gigya supports Google CAPTCHA solutions and FunCaptcha.
Setting Up the App
When using the Google solution, we support Invisible reCAPTCHA for Registration and reCAPTCHA v2 for Login, which is displayed unobtrusively at the bottom of the browser page when a registration screen is loaded, and is triggered only if the profile of the registration attempt is deemed suspicious by Google's risk analysis algorithms.
reCAPTCHA is not currently available for use with mobile SDKs.
You need to configure separate credentials for each of the reCAPTCHA types, reCAPTCHA v2 or Invisible reCAPTCHA. Per Google, you should not use the same credentials for both configurations.
- Sign in to your Google account and go to https://www.google.com/recaptcha/admin#list.
- Give your reCAPTCHA configuration a label and select the version of reCAPTCHA you need. For registration flow CAPTCHA you will need Invisible reCAPTCHA and for login flow CAPTCHA you will need reCAPTCHA v2. Selecting one of the options should open a "Domains" box:
- Enter your domain or domains that you will deploy your Screen-Sets to.
- In the list of domains, also enter a line with console.gigya.com, so that when previewing your registration screen in the UI Builder, Invisible reCAPTCHA will function correctly.
- Accept the terms of service and click Register.
- Leave the browser tab open, or copy both the reCAPTCHA site key and the reCAPTCHA secret key to be used in the next step.
To activate FunCaptcha, you should first send an enquiry to FunCaptch at email@example.com. After completing an onboarding process, FunCaptcha will provide you with a public key and a private one.
- Open the Site Settings menu in Gigya's Console.
- Select the provider: Google or FunCaptcha.
- Enter all the relevant CAPTCHA credentials. Note that Google reCAPTCHA includes two separate sets of credentials (invisible reCAPTCHA for registration, and v.2 for login)
- Save your settings on the bottom right-hand corner.
Using CAPTCHA in the Registration Flow
- Open the Policies page in Gigya's Console.
- Under Additional Security Measures, check the Require CAPTCHA during registration option.
You now have to include a CAPTCHA widget in every registration screen of your site (see the UI Builder section, below, for additional information). A CAPTCHA will be triggered only if the registration attempt is deemed suspicious by the CAPTCHA provider's risk analysis algorithms. If this is the case, users will need to "prove they are human".
If the registration seems legitimate, the CAPTCHA challenge will not be triggered.
If you have not yet configured the CAPTCHA site key and secret, a warning will appear: "Warning: Missing CAPTCHA credentials". To fix this, enter your credentials as described in the Site Settings section of this page.
Using CAPTCHA in the Login Flow
Enabling CAPTCHA for a login flow is achieved via Gigya's RBA (Risk Based Authentication).
To create a rule to trigger RBA during login flows:
- Navigate to the RBA tab of the Gigya Console.
Under Global Rules, click Add Rule. This will open up the Add Global Rule dialog.
You can use one of the available Default rules or create a custom rule.
- Select the rule you want to enforce.
- After selecting a rule, click Next.
- In the configuration editor, choose whether to accept the default values, or customize the settings. For more information on customizing RBA rules, see Risk Based Authentication. It is recommended to edit the default name of the rule to make it easier to recognize if you have multiple different rules configured.
- Click Apply.
- Finally, ensure that you press Save Setting in the bottom right-hand corner of the Gigya Console to save your RBA configuration.
When using reCAPTCHA during the Registration flow, you need to add the reCAPTCHA widget to every registration screen of your site. Assuming you are using the UI Builder for customizing your screens, that can be accomplished with the following steps:
- In Gigya's Console, open the Screen-Sets page.
- Click the name of the relevant RegistrationLogin screen-set collection to open it in the UI Builder.
- Under Screens, select the Registration screen.
- Find the CAPTCHA widget in the Widgets menu on the left-hand side, and drag it into the canvas.
- With the CAPTCHA widget still selected, on the right hand side of the UI Builder, you can configure the widget settings. For Google's reCAPTCHA, these are the available settings:
- Badge: Select the position of the reCAPTCHA badge in the screen.
- Type: The type of challenge that will be presented to the user, whether image or audio. In any case, the user can choose to switch to the other type.
You can preview the result by clicking Preview in the top right corner, and simulate a login process (when configuring Google reCAPTCHA, make sure you add gigya.console.com to the list of domains, as noted above) . When using Google, the reCAPTCHA badge should in the preview canvas in the selected position. The CAPTCHA challenge will be triggered in preview mode according to the usual risk analysis calculation.
ReCAPTCHA badge in the bottom right corner in the UI Builder's preview mode
FunCaptcha challenge in the UI Builder's preview mode
If you did not add console.gigya.com to the list of sites in the reCAPTCHA Google settings, the badge will display the following error in preview mode:
CAPTCHA in Multi-Site Settings
In a multi-site setting, CAPTCHA credentials need to be configured individually per site.
The CAPTCHA policy is inherited by default from the parent sites. However, child sites may override this policy configuration.