

Risk Evaluation-Based Flows
The Advanced Authentication service provides real-time protection against fraud in online transactions. When an end user tries to access a protected resource, the Advanced Authentication service can gather data about the end user and the device being used, evaluate the risk of the incoming request, generate a risk score, and provide the relevant authentication advice. If the advice calls for increased authentication, the end user's identity can be validated using security questions or OTP-based secondary authentication.
This section describes the following risk evaluation-based flows:
ArcotID PKI with Risk and ArcotID OTP with Risk
This section discusses the following flows:
- ArcotID PKI with Risk Flow
- ArcotID OTP with Risk Flow
In these flows, when an end user attempts to access a protected resource, they first authenticate themselves using the ArcotID PKI or ArcotID OTP credential and are then assessed for potential risk.
Prerequisites:
These flows are based on the following configuration:
- The hosting administrator has enabled the Risk Evaluation credential type and configured the ArcotID PKI with Risk flow or the ArcotID OTP with Risk flow.
- The hosting administrator has configured multiple secondary authentication mechanisms.
- The hosting administrator has configured SiteMinder to protect the resource with one of the authentication schemes corresponding to the advanced authentication flow that was configured.
The Flow:
- In a browser window, the end user attempts to access a protected resource.
- On the login page, the end user is prompted for their credentials: the end user enters their user name and password, or their OTP, and clicks Submit.
- If the authentication is successful, then the Advanced Authentication application analyzes the risk associated with the login attempt as follows:
  - The Advanced Authentication application looks up the tenant flow configuration information and returns a page containing a DeviceDNA script with the tenant's preferences passed in.
  - The script running in the browser collects the DeviceID information from the cookie, extracts the DeviceDNA data according to the tenant's configuration setting, and posts the results to the Advanced Authentication application.
  - The Advanced Authentication application validates the DeviceID and DeviceDNA with the Advanced Authentication Server.
- If the Advanced Authentication Server returns a DENY advice, then:
  - The Advanced Authentication application displays an error message indicating that the authentication failed.
  - The Advanced Authentication application updates the token in AADS with a status indicating that the authentication failed, the user message, the risk score, and other transaction state as required.
- If the Advanced Authentication Server returns an ALLOW advice, then the Advanced Authentication application updates the token in AADS indicating successful authentication, the risk score, and other transaction state as required. The user is allowed to access the protected resource.
- If the Advanced Authentication Server returns an Increased Authentication advice, then secondary authentication is performed as described in ArcotID PKI Roaming Flow or ArcotID OTP Roaming Flow.
  - If the secondary authentication is successful, then the Advanced Authentication application creates a token in AADS indicating successful authentication, the risk score, and other transaction state as required.
  - If the end user fails the secondary authentication challenge, then the Advanced Authentication application updates the token in AADS indicating failed authentication status, the user message, the risk score, and other transaction state as required.
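The branching described in the flow above, as an added illustration that is not part of the product documentation or CA's code: the Advanced Authentication Server is treated as a black box whose advice and risk score are passed in, the `Token` class is a hypothetical stand-in for the AADS token record, the advice labels and the fail-closed handling of unrecognised advice are assumptions, and all inputs are constructed.

```python
"""Model of the post-login risk branch in the ArcotID-with-Risk flows.

Constructed example: the Advanced Authentication Server is a black box,
so its ALLOW / DENY / Increased Authentication advice and risk score are
inputs here rather than something this code computes."""
from dataclasses import dataclass
from typing import Callable, Optional

ALLOW, DENY, INCREASE = "ALLOW", "DENY", "INCREASEAUTH"   # labels assumed

@dataclass
class Token:
    """Hypothetical stand-in for the AADS token updated in each branch."""
    user: str
    status: str = "PENDING"           # SUCCESS or FAILED once decided
    risk_score: Optional[int] = None
    user_message: str = ""
    next_step: str = ""               # what the browser is told to do next

def collect_device_dna(cookies: dict, tenant_attrs: list, facts: dict) -> dict:
    """Browser-side step: DeviceID from the cookie plus only the DeviceDNA
    attributes the tenant configured; unconfigured facts are not posted."""
    payload = {"deviceId": cookies.get("DeviceID")}
    payload.update({k: facts[k] for k in tenant_attrs if k in facts})
    return payload

def apply_advice(token: Token, advice: str, score: int,
                 secondary_auth: Callable[[], bool]) -> Token:
    """Update the token as the flow does for each advice value.
    Unrecognised advice is handled like DENY (assumption: fail closed)."""
    token.risk_score = score
    if advice == ALLOW:
        token.status, token.next_step = "SUCCESS", "grant_resource"
    elif advice == INCREASE:
        # Secondary authentication (security questions or OTP) decides.
        if secondary_auth():
            token.status, token.next_step = "SUCCESS", "grant_resource"
        else:
            token.status, token.next_step = "FAILED", "show_error"
            token.user_message = "Secondary authentication failed"
    else:                             # DENY or anything unexpected
        token.status, token.next_step = "FAILED", "show_error"
        token.user_message = "Authentication failed"
    return token

def login_with_risk(user: str, primary_ok: bool, advice: str, score: int,
                    secondary_auth: Callable[[], bool] = lambda: False) -> Token:
    """Full branch: risk is evaluated only after primary authentication."""
    token = Token(user=user)
    if not primary_ok:
        token.status, token.user_message = "FAILED", "Invalid credentials"
        return token                  # no DeviceDNA round trip on a bad login
    return apply_advice(token, advice, score, secondary_auth)
```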
Copyright © 2015 CA Technologies.
All rights reserved.