CAPTCHA
CAPTCHA protection helps protect your site from spam and abuse, including credential stuffing and login attacks. Piano ID supports two providers: Cloudflare Turnstile and Google reCAPTCHA.
There are several templates where you can use CAPTCHA:
-
Piano ID login confirm page
-
Piano ID initiate a password reset
-
Piano ID register page
-
Piano ID login page
To learn more about whether you need to implement CAPTCHA, please access this page.
For details on how to configure each CAPTCHA type, see our documentation.
Brute force attack prevention
We have implemented Piano ID Login protection for blocking login enumeration attacks. The rate-limiting was applied on Cloudflare's side and therefore we are able to protect Piano ID user accounts. The rate-limiting temporarily blocks an IP after too many login attempts in a certain period.
Currently, the rate-limiting is set in the way that if there are 50 failed requests in 5 minutes, it will block the IP address for 15 minutes. The custom response body is configured to return a Piano ID compatible response in JSON format.
IP-address anonymization
With our IP-address pseudonymization and anonymization mechanisms released on October 11, 2023, we have implemented additional privacy by design features to always better protect personal data we process on behalf of our customers.
-
IP hashing: To meet with the GDPR required appropriate safeguards, we are hashing the full IP addresses displayed within our solutions. This step addresses the concern of displaying personal data within our products.
-
Payment provider communication: We no longer transmit user's IP addresses to payment providers during subsequent transactions.
-
Obfuscated storage: We securely retain user's IP addresses in an obfuscated form which ensures the continued functionality of Reports and User's audit.
-
Raw logs retention: The complete user's IP addresses are stored in raw logs for security purposes and fraudulent investigations, with a defined retention period of one month following our at storage at rest encryption standards.
-
App logs analysis: Obfuscated IP addresses are preserved in app logs for the analysis of potentially fraudulent payment transactions, also with a retention period of one month.
Impact on Current Functionality. As a result of these changes (released on October 11, 2023), user action audits will now display geolocation information instead of the actual IP address without reducing our product's added value and performance.
GDPR deletion and data export by browserID
In compliance with GDPR regulations, we've introduced a process to delete as well as retrieve stored data for unregistered users based on BrowserID. This is crucial, especially for our EU customers. Publishers can send the browserID via this GDPR deletion API endpoint to address any user data erasure requests.
The API endpoint here allows clients to generate a report about any stored data for unregistered users based on a specific browserID. This may serve as a means to provide necessary data to end-users. More details are available here.