
How WorkOS Radar does rate limiting with device fingerprinting

Radar can detect threats even when they switch up or spoof their IP address. Here's how.


When attackers target authentication systems, they often use brute force attacks - repeatedly trying different passwords against one account or testing the same credentials across many accounts.

Radar approaches this challenge with a sophisticated system that goes beyond simple rate limiting.

The problem with traditional rate-limiting

IP-address-based rate limiting is problematic for several reasons.

Traditional rate limiting is straightforward: block an IP address after X failed attempts. But this approach has serious limitations:

  1. Attackers easily bypass IP-based limits by rotating through proxy networks
  2. Legitimate users behind shared IPs (corporate networks, VPNs) get blocked unnecessarily
  3. Distributed attacks from many IPs slip under per-IP rate limits

This is why Radar takes a different, hybrid approach that combines IP-based signals with device fingerprinting.

Device Fingerprinting: Radar’s key to intelligent rate-limiting

Device fingerprinting solves the problems that IP-address-based filtering does not.

Instead of focusing solely on IP addresses, Radar also identifies clients through device fingerprinting.

This creates a persistent identifier that follows an attacker even when they change IPs.

When a device attempts authentication, Radar analyzes:

  • Browser and system characteristics
  • Network behavior patterns
  • Authentication attempt timing
  • Geographic locations
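To make the "persistent identifier that follows an attacker across IPs" concrete, here is an added example (not WorkOS code, and not a description of Radar's real signal set) that derives a device fingerprint from a constructed subset of browser and system characteristics. The field list, the sample requests and the 32-hex-character truncation are all assumptions for the demo; the point it shows is that the source IP is deliberately left out of the hash, so rotating IPs does not change the identifier, while a different browser does.

```python
import hashlib
import json

# Constructed for this example: the request attributes this demo treats as
# "browser and system characteristics". Radar's actual signal set is not
# described on the page; these are assumptions.
FINGERPRINT_FIELDS = (
    "user_agent",
    "accept_language",
    "accept_encoding",
    "screen",       # e.g. "1920x1080x24", as reported by client-side script
    "timezone",
    "platform",
)


def device_fingerprint(attrs: dict) -> str:
    """Derive a stable identifier from client characteristics only.

    The client IP is intentionally excluded so the identifier survives an IP
    change. Values are normalised (stripped, lower-cased) so trivial formatting
    differences do not fork the fingerprint.
    """
    material = {k: str(attrs.get(k, "")).strip().lower() for k in FINGERPRINT_FIELDS}
    canonical = json.dumps(material, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()[:32]


def same_device(a: dict, b: dict) -> bool:
    """True when two requests hash to the same device fingerprint."""
    return device_fingerprint(a) == device_fingerprint(b)


# Constructed sample requests: REQ_B is the same browser as REQ_A seen from a
# different IP; REQ_C is a different browser and platform.
REQ_A = {
    "ip": "198.51.100.7",
    "user_agent": "Mozilla/5.0 (X11; Linux x86_64) Firefox/124.0",
    "accept_language": "en-US,en;q=0.5",
    "accept_encoding": "gzip, deflate, br",
    "screen": "1920x1080x24",
    "timezone": "America/Los_Angeles",
    "platform": "Linux x86_64",
}
REQ_B = dict(REQ_A, ip="203.0.113.42")  # same device, IP rotated
REQ_C = dict(REQ_A, user_agent="Mozilla/5.0 (Windows NT 10.0) Chrome/123.0", platform="Win32")

if __name__ == "__main__":
    print("fingerprint A:", device_fingerprint(REQ_A))
    print("A and B same device (IP changed):", same_device(REQ_A, REQ_B))   # True
    print("A and C same device (browser changed):", same_device(REQ_A, REQ_C))  # False
```

Two identically configured machines (a corporate image, for example) will collide on a header-only fingerprint like this one, which is why the post pairs fingerprinting with IP and behavioural signals rather than relying on it alone.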

Progressive rate-limiting

Rather than using fixed thresholds, Radar implements progressive rate limiting that becomes stricter as suspicious behavior continues.

Initial authentication attempts proceed normally, but Radar issues challenges or complete blocks as failed attempts accumulate.

The key innovation is that these limits apply to the device fingerprint, not just the IP address.

This means an attacker can't reset their limit by simply switching IPs.

The difference between brute force and normal use

Radar distinguishes between brute force attempts and legitimate authentication failures by analyzing patterns:

  • Are failures happening at machine speed or human speed?
  • Are attempts coming from locations that make sense for the user?
  • Does the timing pattern match automated behavior?
  • Are similar patterns happening across multiple accounts?

This context helps Radar separate actual attacks from users who just forgot their password.

Keeping services available during attacks

One of Radar's key innovations is maintaining service availability during brute force attacks. When an attack is detected:

  1. The specific device fingerprint gets restricted
  2. Other clients continue to have normal access
  3. Legitimate users from the same IP ranges aren't affected
  4. The application stays fully functional for everyone else

This targeted response means that legitimate users can still authenticate normally, even during an active attack.

Real-time detection and response

The system works in real-time, evaluating each authentication attempt as it happens:

  1. An authentication attempt arrives
  2. Radar checks the device fingerprint against known patterns
  3. It evaluates recent activity from this device
  4. Based on the pattern, it decides whether to allow, challenge, or block
  5. The decision gets logged for pattern analysis

This immediate evaluation means attacks get caught and stopped in their earliest stages.
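The three preceding sections (progressive rate limiting keyed by fingerprint, separating machine-speed failures from a person who forgot their password, and the five-step evaluate/decide/log loop) fit together in one small model. The following is an added example written for this article, not Radar's implementation: the thresholds, the window length, the machine-speed heuristic and the scenarios are all constructed assumptions. It shows why a scripted attacker cannot reset its count by rotating IPs (the limiter never consults the IP), why a bystander on the same network is unaffected, and why a slow human with three wrong passwords is never challenged.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Deque, Dict, List, Tuple

# Constructed thresholds for this example; Radar's real thresholds are not on the page.
WINDOW_SECONDS = 600          # look-back window for counting failures
CHALLENGE_AFTER = 5           # failures in the window before a challenge is required
BLOCK_AFTER = 10              # failures in the window before the device is blocked
MACHINE_SPEED_SECONDS = 0.5   # consecutive failures closer than this look automated


@dataclass
class Decision:
    action: str                # "allow", "challenge" or "block"
    reasons: List[str]


@dataclass
class ProgressiveLimiter:
    """Progressive limiter keyed by device fingerprint; the source IP is never consulted."""
    failures: Dict[str, Deque[float]] = field(default_factory=lambda: defaultdict(deque))
    blocked_until: Dict[str, float] = field(default_factory=dict)
    log: List[Tuple[float, str, str, str]] = field(default_factory=list)

    def evaluate(self, fp: str, now: float) -> Decision:
        """Steps 2-4: inspect this device's recent activity and choose an action.
        Crossing the block threshold also starts the block timer."""
        if self.blocked_until.get(fp, 0.0) > now:
            return Decision("block", ["device is currently blocked"])
        q = self.failures[fp]
        while q and now - q[0] > WINDOW_SECONDS:   # forget failures outside the window
            q.popleft()
        reasons: List[str] = []
        if len(q) >= 2 and (q[-1] - q[-2]) < MACHINE_SPEED_SECONDS:
            reasons.append("failures arriving at machine speed")
        if len(q) >= BLOCK_AFTER:
            reasons.append(f"{len(q)} failures in {WINDOW_SECONDS}s")
            self.blocked_until[fp] = now + WINDOW_SECONDS
            return Decision("block", reasons)
        if len(q) >= CHALLENGE_AFTER:
            reasons.append(f"{len(q)} failures in {WINDOW_SECONDS}s")
        return Decision("challenge" if reasons else "allow", reasons)

    def record(self, fp: str, now: float, decision: Decision, success: bool) -> None:
        """Step 5: log the outcome for pattern analysis and update per-device state."""
        if success:
            self.failures[fp].clear()        # a genuine login resets this device's count
        elif decision.action != "block":
            self.failures[fp].append(now)    # blocked attempts never reach the credential check
        self.log.append((now, fp, decision.action, "success" if success else "failure"))


def handle_attempt(limiter: ProgressiveLimiter, fp: str, now: float,
                   password_ok: bool, challenge_ok: bool = False) -> str:
    """One pass through the pipeline for a single authentication attempt."""
    decision = limiter.evaluate(fp, now)
    if decision.action == "block":
        limiter.record(fp, now, decision, success=False)
    elif decision.action == "challenge" and not challenge_ok:
        limiter.record(fp, now, decision, success=False)   # unanswered challenge counts as a failure
    else:
        limiter.record(fp, now, decision, success=password_ok)
    return decision.action


def simulate(limiter: ProgressiveLimiter, fp: str, attempts) -> List[str]:
    """attempts: list of (timestamp, password_ok); returns the action taken for each."""
    return [handle_attempt(limiter, fp, t, ok) for t, ok in attempts]


# Constructed scenarios: a script firing 10 guesses per second, a person who
# forgot their password, and a bystander who shares the attacker's IP range.
ATTACKER = [(i * 0.1, False) for i in range(12)]
HUMAN = [(0.0, False), (20.0, False), (45.0, False), (70.0, True)]

if __name__ == "__main__":
    lim = ProgressiveLimiter()
    print("attacker: ", simulate(lim, "fp-attacker", ATTACKER))
    print("human:    ", simulate(lim, "fp-human", HUMAN))
    print("bystander:", handle_attempt(lim, "fp-bystander", 1.2, password_ok=True))
    for entry in lim.log[-3:]:
        print("log", entry)
```

With these constructed thresholds the attacker's first two attempts are allowed, the third is challenged because two failures arrived 100 ms apart, and the eleventh is blocked once ten failures sit in the window; the human's three slow failures never trip a challenge, and the successful login clears their count. The bystander key is evaluated entirely on its own fingerprint, which is the property the "Keeping services available during attacks" section describes.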

Beyond simple blocking: handling attempts according to your needs

When Radar detects brute force attempts, it can take several actions:

  • Block the authentication attempt entirely
  • Challenge suspicious attempts with email verification
  • Notify administrators about the attack pattern
  • Log detailed forensic data about the attempt

These options give you flexibility in how you handle potential attacks.

Try WorkOS Radar today

Radar's approach to rate limiting and brute force protection represents a fundamental shift from traditional methods.

Using device fingerprinting and progressive rate limiting stops attacks more effectively while reducing false positives.

Most importantly, it keeps applications accessible to legitimate users even when attacked.

Sign up for WorkOS and try Radar today.
