We have a use case where we need to protect a login/sign-up endpoint from bad actors. This endpoint is expensive for us, because we need to send a One Time Password (OTP) to the submitted number.
A few preventions are already in place, such as:
- IP rate limiting
- Phone number prefix check. They usually call the endpoint with numbers in sequence.
- Only enable the "Resend" button in the mobile app after 60 seconds, gradually increasing.
These bad actors still find a way to pass our checks. We want to introduce a captcha challenge in our mobile app. reCAPTCHA v3 looks promising since it does not sacrifice user experience in the app.
Our app is written in React Native & needs to support both iOS & Android, so we must integrate it into our app by calling a WebView.
Is this captcha effective enough to detect bots, since there is not much interaction in the web view?
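
reCAPTCHA v3 only returns a score, so the decision to send the SMS is made on the server from the siteverify response. The sketch below is an added example, not part of the original question; the action name, the hostname, both thresholds and the "step_up" outcome are assumptions.

```javascript
// Added example. EXPECTED_ACTION, ALLOWED_HOSTS and both score thresholds are
// assumptions; tune the thresholds against scores observed in your own traffic.
const EXPECTED_ACTION = "otp_request";              // action name set by the WebView page
const ALLOWED_HOSTS = new Set(["app.example.com"]); // host serving the WebView page
const MAX_TOKEN_AGE_MS = 2 * 60 * 1000;             // v3 tokens are valid for two minutes
const ALLOW_SCORE = 0.7;
const DENY_SCORE = 0.3;

// `verify` is the parsed JSON body returned by reCAPTCHA's siteverify endpoint.
function decideOtpSend(verify, nowMs = Date.now()) {
  const deny = (reason) => ({ decision: "deny", reason });
  if (!verify || verify.success !== true) return deny("token_invalid");
  // A token minted for another action or site must not unlock an SMS send.
  if (verify.action !== EXPECTED_ACTION) return deny("action_mismatch");
  if (!ALLOWED_HOSTS.has(verify.hostname)) return deny("hostname_mismatch");
  const issuedMs = Date.parse(verify.challenge_ts);
  if (Number.isNaN(issuedMs) || nowMs - issuedMs > MAX_TOKEN_AGE_MS) {
    return deny("token_stale");
  }
  if (typeof verify.score !== "number") return deny("score_missing");
  if (verify.score >= ALLOW_SCORE) return { decision: "allow", reason: "score_ok" };
  if (verify.score <= DENY_SCORE) return deny("score_low");
  // Middle band: v3 never shows a puzzle itself, so the server asks for more proof.
  return { decision: "step_up", reason: "score_uncertain" };
}

// Constructed sample responses (not real siteverify output).
const NOW = Date.parse("2024-05-01T12:00:30Z");
const base = { success: true, action: "otp_request", hostname: "app.example.com",
               challenge_ts: "2024-05-01T12:00:00Z" };
const samples = {
  human: { ...base, score: 0.9 },
  unsure: { ...base, score: 0.5 },
  bot: { ...base, score: 0.1 },
  wrongAction: { ...base, score: 0.9, action: "homepage" },
  replayed: { ...base, score: 0.9, challenge_ts: "2024-05-01T11:50:00Z" },
  rejected: { success: false, "error-codes": ["invalid-input-response"] },
};
for (const [name, v] of Object.entries(samples)) {
  console.log(name, decideOtpSend(v, NOW));
}
```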