I have implemented Google reCAPTCHA Enterprise with the score-based assessment on a register page. At first on a test website.
Now I wonder what would be a non-fraudulent score. If I use my email address I get a score of 0.89. Would it be OK if I assess all scores >= 0.7 as non-fraudulent? What would be a good starting point as a minimum score?
I could log the scores and then compare the values over time. So I might be able to see what a good minimum score is.
On the reCAPTCHA Enterprise website it states: "With low scores, require MFA or email verification to prevent credential stuffing attacks." Where could I set up MFA or email verification? Is there documentation about it?
Thank you for any recommendations.
When you create an assessment, reCAPTCHA Enterprise provides a score that helps you understand the level of risk posed by user interactions. You can confirm or correct reCAPTCHA Enterprise's assessment later, when your website has more information about user interactions to determine whether they were legitimate or fraudulent. You can send the reCAPTCHA assessment IDs back to Google with the labels LEGITIMATE or FRAUDULENT to confirm or correct the assessment made by reCAPTCHA Enterprise.
Compared to previous versions of reCAPTCHA, reCAPTCHA Enterprise's scoring system now allows for more precise responses. There are 11 levels of scores in reCAPTCHA Enterprise, with values ranging from 0.0 to 1.0. A score of 1.0 indicates that the interaction is low risk and most likely genuine, while a score of 0.0 indicates that it may be fraudulent. Only the following four score levels, out of the 11 levels, are available by default: 0.1, 0.3, 0.7 and 0.9.
To know more about MFA configuration, please refer to this documentation.
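As an added example (not code from the question, the answer, or Google's own client library), the following Python shows how a register endpoint could consume the assessment the answer describes: check the token is valid and was issued for the expected action, bucket the score into allow / step-up (MFA or email verification) / block using the question's 0.7 idea plus an assumed lower cutoff of 0.3, keep a histogram of logged scores so the thresholds can be revisited later, and build the body of the annotate call used to send LEGITIMATE or FRAUDULENT back. The sample assessments are constructed and their values invented; the response shape follows the v1 REST Assessment resource (tokenProperties and riskAnalysis), and the two thresholds are assumptions to tune, not recommendations from the page.

```python
from collections import Counter

# Constructed sample responses shaped like the reCAPTCHA Enterprise v1 REST
# Assessment resource. Names, scores and reasons are invented for this example.
SAMPLE_ASSESSMENTS = [
    {"name": "projects/example-project/assessments/a1",
     "tokenProperties": {"valid": True, "action": "register"},
     "riskAnalysis": {"score": 0.9, "reasons": []}},
    {"name": "projects/example-project/assessments/a2",
     "tokenProperties": {"valid": True, "action": "register"},
     "riskAnalysis": {"score": 0.7, "reasons": []}},
    {"name": "projects/example-project/assessments/a3",
     "tokenProperties": {"valid": True, "action": "register"},
     "riskAnalysis": {"score": 0.3, "reasons": ["AUTOMATION"]}},
    {"name": "projects/example-project/assessments/a4",
     "tokenProperties": {"valid": True, "action": "register"},
     "riskAnalysis": {"score": 0.1, "reasons": ["AUTOMATION"]}},
    # Expired token: there is no usable score, so the request must be rejected.
    {"name": "projects/example-project/assessments/a5",
     "tokenProperties": {"valid": False, "invalidReason": "EXPIRED", "action": "register"},
     "riskAnalysis": {}},
    # Good score, but the token was minted for a different action (token replay).
    {"name": "projects/example-project/assessments/a6",
     "tokenProperties": {"valid": True, "action": "login"},
     "riskAnalysis": {"score": 0.9, "reasons": []}},
]

# Assumed starting thresholds; tune them against the logged score distribution.
ALLOW_THRESHOLD = 0.7    # at or above: treat as legitimate
STEP_UP_THRESHOLD = 0.3  # between this and ALLOW: require MFA / email verification


def decide(assessment, expected_action="register"):
    """Return (decision, reason) for one assessment response.

    decision is one of 'allow', 'step_up', 'block' or 'reject'.
    'reject' means the token itself is unusable; a score is never consulted then.
    """
    props = assessment.get("tokenProperties", {})
    if not props.get("valid"):
        return "reject", "invalid token: " + props.get("invalidReason", "UNKNOWN")
    # Bind the token to the page that requested it; a token for 'login'
    # must not be accepted on the register page.
    if props.get("action") != expected_action:
        return "reject", "action mismatch: " + str(props.get("action"))
    score = assessment.get("riskAnalysis", {}).get("score")
    if score is None:
        return "reject", "no score in riskAnalysis"
    if score >= ALLOW_THRESHOLD:
        return "allow", "score %.1f >= %.1f" % (score, ALLOW_THRESHOLD)
    if score >= STEP_UP_THRESHOLD:
        return "step_up", "score %.1f needs MFA or email verification" % score
    return "block", "score %.1f below %.1f" % (score, STEP_UP_THRESHOLD)


def score_histogram(assessments):
    """Count valid, scored assessments per score level (what you would log over time)."""
    return Counter(
        round(a["riskAnalysis"]["score"], 1)
        for a in assessments
        if a.get("tokenProperties", {}).get("valid")
        and "score" in a.get("riskAnalysis", {})
    )


def share_at_or_above(assessments, threshold):
    """Fraction of valid, scored assessments that a given threshold would allow."""
    hist = score_histogram(assessments)
    total = sum(hist.values())
    if total == 0:
        return 0.0
    return sum(n for s, n in hist.items() if s >= threshold) / total


def annotation_request(assessment_name, label):
    """Build the URL and JSON body for the v1 assessments.annotate call.

    The endpoint path follows the public REST reference; sending it (with
    OAuth credentials) is left to the caller and is not done here.
    """
    if label not in ("LEGITIMATE", "FRAUDULENT"):
        raise ValueError("label must be LEGITIMATE or FRAUDULENT")
    url = "https://recaptchaenterprise.googleapis.com/v1/%s:annotate" % assessment_name
    return {"method": "POST", "url": url, "body": {"annotation": label}}


if __name__ == "__main__":
    for a in SAMPLE_ASSESSMENTS:
        print(a["name"].rsplit("/", 1)[-1], decide(a))
    print("histogram:", dict(score_histogram(SAMPLE_ASSESSMENTS)))
    print("share allowed at 0.7:", share_at_or_above(SAMPLE_ASSESSMENTS, 0.7))
    print(annotation_request(SAMPLE_ASSESSMENTS[0]["name"], "LEGITIMATE"))
```

Logging only the four default levels (0.1, 0.3, 0.7, 0.9) makes the histogram coarse, which is why the answer's point about annotating assessments matters: once you know which registrations turned out to be abusive, the annotations improve the model and the share_at_or_above numbers tell you how many real users each candidate threshold would have sent to step-up verification.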