The ESA account security feature uses AI and machine learning to detect account takeover (ATO) attacks. It effectively protects against credential stuffing, brute-force attacks, phishing, and malware theft.
What is an ATO attack
Account takeover (ATO) is a type of identity fraud where an attacker steals a user's login credentials, such as a username and password, to gain control of their online account.
The ESA account security feature uses AI and machine learning to detect anomalous login behavior and protect against the following types of attacks:
Credential stuffing: Using username and password combinations leaked from other websites to attempt logins.
Brute-force attack: Trying a large number of password combinations to crack an account.
Phishing: Tricking users into revealing their login credentials.
Malware theft: Stealing user login information through malicious software.
This feature is available only in the Enterprise Edition. To use this feature, contact your business manager to purchase and enable it.
How it works
The ESA account security feature detects and protects against ATO attacks in the following ways:
Detection metrics
ESA monitors and analyzes the following metrics:
Detection metric | Description |
Login failure rate | Monitors the number and rate of failed login attempts from a specific source. |
Login attempt frequency | Detects unusually high-frequency login attempts. |
Device fingerprint changes | Identifies access to an account from multiple devices or geographic locations. |
Behavioral anomalies | Uses an AI model to identify login behaviors that deviate from normal patterns. |
Risk scoring
The system calculates a risk score (from 0 to 100) for each login or registration request:
Low risk: 0–30 (default). Indicates normal traffic, which is allowed to pass.
Medium risk: 31–60 (default). Indicates suspicious traffic. The recommended action is to Monitor or issue a challenge, such as a JS Challenge or Slider Challenge.
Medium-high risk: 61–80 (default). Indicates suspicious traffic. The recommended action is to issue a challenge, such as a JS Challenge or Slider Challenge.
High risk: 81–100 (default). Indicates high-confidence threats. The recommended action is to Block the request.
ESA dynamically adjusts detection thresholds based on your site's normal traffic patterns to reduce false positives.
Configure account security
Prerequisites
You have subscribed to ESA Enterprise.
You have added and connected your site to ESA.
Step 1: Add login endpoint
Define the API endpoints used for login. The system then uses this configuration to automatically extract account information, assess risks, and protect user accounts.
On the ESA console, choose Site Management. In the Website column, click the target site.
In the left-side navigation pane, choose .
On the Account Security page, on the Account API tab, click Add. Configure the login API endpoint parameters, and then click OK:
Request Method: Supports GET, POST, PUT, PATCH, HEAD, and DELETE.
Hostname: Select the host record for the login feature, such as
login.example.com.Path: Enter the path for the login feature, such as
/login-in.Other Matching Fields: Specify additional matching conditions using AND logic. For example,
Header my-header Equals test.Account Extraction Location: Specify where to extract account information, such as
Body Parameter $.username.Login Success Conditions: Defines the condition for a successful login, such as
Status Code Equals 200.Login Failure Conditions: Defines the condition for a failed login, such as
Status Code Equals One Of 403 413 423.
Step 2: Create protection rule
Create protection rules that apply specific actions (such as block or challenge) to requests based on their risk level.
On the Account Security page, click the Protection Rules tab, and then click Add Rule.
Select the account API to protect, define the corresponding actions, and then click OK:
Rule Name: Enter a custom name for the rule, such as
login-protection-high-risk-block.Account API: Select the API that you added in Step 1.
Submit:
Mitigation Policy: Select the protection policy to apply. You can also add a custom policy.
Protection Action: Configure actions for different risk levels, including Medium Risk Action, Action for Medium-to-High Risk, and High-Risk Action.
The following table describes the available actions.
Actions | Description | Use case |
Monitor | Logs the request without blocking it. | Initial observation and testing phase. |
JS Challenge | ESA returns a piece of JavaScript code to the client that a standard browser can automatically execute. If the client executes the code successfully, ESA allows all subsequent requests from that client to pass for a set period (default: 30 minutes) without further verification. Otherwise, the request is blocked. | Medium-risk traffic where manual verification is acceptable. |
Slider Challenge | ESA returns a slider puzzle page to the client. If the client successfully solves the puzzle, ESA allows all subsequent requests from that client to pass for a set period (default: 30 minutes). Otherwise, the request is blocked. | Recommended for medium-risk traffic. |
Block | Rejects the request directly. | High-risk traffic. |
Step 3: Fine-tune settings (optional)
If you need more granular control over the risk scoring strategy, you can configure a protection policy:
On the Account Security page, click the Protection Policies tab, and then click Create Policy.
Configure custom risk level ranges, and then click OK:
Policy Name: Enter a custom name for the policy, such as
strict-protection-policy.Define Risk Level Scores: Fine-tune the score ranges for the four risk levels: Low Risk, Medium Risk, Medium-High Risk, and High Risk. Changes take effect immediately and can be adjusted at any time.
When using this feature for the first time, we recommend that you keep the default settings.
Monitor your traffic for one to two weeks, and then adjust the settings based on your business needs.
Avoid setting thresholds that are too strict, as this may affect legitimate users.