Captchas are often disliked due to their inconvenience, but they play a crucial role in distinguishing genuine human users from potentially malicious bots. We rely on captchas to protect online features such as comments, subscriptions, and online orders.
To enhance the user experience, we can skip the captcha test if we determine that the visitor's IP address has a good reputation as a genuine mobile or desktop user.
This is where the User Risk API comes in. It assesses the risk level associated with an IP address and provides a simplified version of the more comprehensive Hazard Report API.
When querying an IP address, the API categorises its risk level as low, moderate, or high.
A low-risk response indicates that the IP address has passed security checks and is relatively safe. If the protected resource is not highly critical and some false positives can be tolerated, we may choose to skip the captcha, resulting in an improved user experience.
A moderate risk classification suggests that the queried IP address may be associated with a hosting environment, VPN, or proxy. These factors introduce a moderate level of risk, implying that the IP address might be used for suspicious activities or anonymisation. In such cases, it is recommended to present a captcha challenge to the user.
A high-risk level indicates a more significant potential threat. This classification can occur for various reasons. The IP address might be blocklisted, indicating it is a known source of malicious activity and should be restricted from accessing specific resources. The API may detect usage of the Tor network, which is commonly associated with anonymous and potentially harmful actions. Alternatively, the IP address might be categorised as "bogon" or unreachable, suggesting a misconfiguration or suspicious activity within its address space. In such instances, it may be advisable to drop the connection and deny access.
In summary, the User Risk API is particularly useful for creating a less intrusive captcha solution, especially when safeguarding non-critical resources. By leveraging the risk level provided by the API, you can implement adaptive security measures that strike a balance between security and user experience. More stringent authentication or verification methods should be employed only for high-risk IP addresses.
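The three-level policy described above, written as a gate that also covers the cases the levels do not: an unparseable address, a failed lookup, or an unexpected value all fall back to the captcha rather than skipping it. This is an added example, not code from the API's documentation; `lookup_risk` is a hypothetical callable wrapping the real API call (the request and response format are not shown on this page), and the sample addresses and levels are constructed.

```python
import ipaddress
from enum import Enum


class Action(Enum):
    ALLOW = "allow"          # skip the captcha
    CHALLENGE = "challenge"  # present a captcha
    DENY = "deny"            # drop the connection


def decide(client_ip, lookup_risk, critical_resource=False):
    """Map the API's low/moderate/high level to an action.

    lookup_risk is a hypothetical callable (IP string -> risk level string)
    standing in for the real API call.
    """
    try:
        # Normalise the address so lookups and cache keys are consistent.
        ip = ipaddress.ip_address(client_ip.strip())
    except (ValueError, AttributeError):
        return Action.CHALLENGE  # unparseable address: never skip the captcha
    try:
        level = str(lookup_risk(str(ip))).strip().lower()
    except Exception:
        # Timeout, quota or outage: fall back to the captcha, do not fail open.
        return Action.CHALLENGE
    if level == "high":
        return Action.DENY
    if level == "low" and not critical_resource:
        return Action.ALLOW
    # Moderate, low on a critical resource, or any unexpected value.
    return Action.CHALLENGE


# Constructed sample data (documentation address ranges), not real API output.
SAMPLE = {"192.0.2.10": "low", "198.51.100.7": "moderate",
          "203.0.113.5": "high", "2001:db8::1": "Low"}


def sample_lookup(ip):
    if ip not in SAMPLE:
        raise TimeoutError("constructed lookup failure")
    return SAMPLE[ip]


if __name__ == "__main__":
    for addr in ["192.0.2.10", "198.51.100.7", "203.0.113.5", "bad", "192.0.2.99"]:
        print(addr, decide(addr, sample_lookup).value)
```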
This API is part of the IP Geolocation API Package and is available in free and paid plans. Please visit the IP Geolocation API Package page for limits and pricing information.
Use this endpoint to force API calls to be routed over the IPv4 network only.
This endpoint has native IPv6 support and supports API calls routed over both IPv4 and IPv6 networks.