Advanced Authentication Service › Getting Started with Advanced Authentication › Information Required to Configure the Advanced Authentication Service › Risk Evaluation-Specific Details

Risk Evaluation-Specific Details

To enable risk evaluation, the required risk evaluation rules must be configured. Some rules are configured with default values when the Advanced Authentication service is installed and set up. The remaining ones are configured by the CA CloudMinder administrator based on the information received from the tenant.

A tenant must provide the following details to configure risk evaluation:

• Whether the cookie that stores risk-related information on the end user's device must be a Flash-based cookie or an HTTP-based cookie.

  Example: HTTP-based cookie

• The maximum number of days after which the HTTP cookie must automatically expire.

  Example: 1 day

• Depending on the risk evaluation rules that a tenant has decided to use, some or all the following information must be provided:
  • Untrusted IP Check: A list or range of IP addresses that the tenant organization does no trust.

    These could be IP addresses that have been the origin of known anonymizer proxies or fraudulent and malicious transactions in the past.

  • Negative Country Check: A negative country list, which comprises all countries from which fraudulent or malicious transactions are known to have originated in the past.
  • Trusted IP/Aggregator Check:
    • A list or range of IP addresses that the tenant organization trusts.

      Transactions that originate from or are routed through these IP addresses are considered low risk. As a result, the Advanced Authentication service bypasses these transactions from risk evaluations and assigns them a low score and the ALLOW advice.

    • A list of trusted aggregator IP addresses.

      Transactions that originate from or are routed through aggregators “trusted” to the organization are considered low-risk. As a result, the Advanced Authentication service bypasses these transactions from risk evaluations and assigns them a low score and the ALLOW advice.

  • User Velocity Check: The number of transactions to evaluate per end user, and the time period inside which to perform risk evaluations.

    Example: 5 end user transactions evaluated in 60 minutes

  • Device Velocity Check: The number of transactions to evaluate per device, and the time period inside which to perform risk evaluations.

    Example: 10 transactions evaluated per device in 60 minutes

  • Zone Hopping Check:
    • The maximum speed (S, in miles per hour) at which a user can physically travel using conventional transport, such as airplanes, cars, and trains.

      If the speed at which a user appears to have moved (in the time frame between two successive transactions) exceeds this pre-configured threshold speed (S), then the Advanced Authentication service considers it a case of zone hopping.

      Example: 500 miles

    • The maximum number of users who can share the same user name.

      This setting enables multiple users (for example, husband and wife) to use the same user name though they might be located in different zones without the fear of being considered risk.

      Example: 1

    • An uncertainty offset to accommodate the variation in the physical location of the IP address from which the transaction originated.

      This value is required as there may be a variation in the location of the IP address provided by ISPs. A user's physical location (geographic latitude and longitude) cannot be determined to a high level of precision by using their public IP address.

      Example: 50 miles

  • Device MFP Match Check: A threshold value for the MFP match.

    The Advanced Authentication service checks whether the match percentage between the input device signature and the corresponding stored device signature is greater than or equal to this threshold value.

    Example: 50