Implementing risk-based authentication with rules
Step-by-step guide to creating intelligent authentication flows that automatically challenge high-risk users while allowing trusted users to access your application seamlessly.
Authsignal’s rules builder allows you to create powerful rules that can target specific users based on a range of conditions.
In this guide, we will create a rule that targets high-risk users and challenges them when they attempt to sign in.
Start by going to your signIn action and clicking on the Rules tab. Then click Create rule, call it Challenge "high-risk" users, and click Continue.
We will determine a user as ‘high-risk’ if they meet any of the following conditions:
- Are detected as being a bot
- Are on a new device
- Are using an anonymous IP address
To add these conditions, click Add feature below and click on Select feature. Choose the Device category and select the Device is new feature. Repeat this process for the Device is a bot feature (in the Device category) and for the IP is anonymous feature (in the IP/Network category).
Now change the conjunction logic from AND to OR so that the rule will be triggered if any of the conditions are met.
You should now see three conditions for your new rule.
Click Save and return to the Rules page for your signIn action. You should see your new rule listed.
Finally, head to the Settings tab, change the default outcome of the signIn action to ALLOW, and click Save.
This means that if a user does not trigger our newly created Challenge "high-risk" users rule, they will be allowed to proceed without a challenge.
Additional track input
Now that we have created our rule, we need to update our track action call to include some additional fields: deviceId, ipAddress, and userAgent.
How you collect these fields depends on your application, but if you are using the Authsignal Web SDK, you can use the __as_aid cookie that is created on the client as the deviceId.
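The following is an added example (not Authsignal's own code) of collecting the three fields on a Node server from the incoming request: the deviceId from the __as_aid cookie, the client IP, and the User-Agent. The request object shape, the sample request values and the `trustProxy` flag are assumptions for the illustration; merge the returned fields into your track call using the payload shape documented for your server SDK.

```javascript
// Added example: derive deviceId, ipAddress and userAgent for the signIn
// track call from a raw HTTP request. Not Authsignal's own code.

// Parse a raw Cookie header and return the value of one cookie, or undefined.
function getCookie(cookieHeader, name) {
  if (!cookieHeader) return undefined;
  for (const part of cookieHeader.split(";")) {
    const idx = part.indexOf("=");
    if (idx === -1) continue;
    const key = part.slice(0, idx).trim();
    if (key === name) return decodeURIComponent(part.slice(idx + 1).trim());
  }
  return undefined;
}

// Resolve the client IP. X-Forwarded-For is only honoured when the request
// arrived through our own proxy (trustProxy); a client that can set that
// header directly could otherwise present a clean IP to the
// "IP is anonymous" condition.
function clientIp(headers, socketAddress, trustProxy) {
  const xff = headers["x-forwarded-for"];
  if (trustProxy && xff) return xff.split(",")[0].trim();
  return socketAddress;
}

// Build the extra fields the signIn track call needs.
// req is assumed to expose .headers (lower-cased keys) and .socket.remoteAddress.
function buildTrackInput(req, trustProxy = false) {
  return {
    deviceId: getCookie(req.headers["cookie"], "__as_aid"), // Web SDK cookie
    ipAddress: clientIp(req.headers, req.socket.remoteAddress, trustProxy),
    userAgent: req.headers["user-agent"],
  };
}

// Constructed sample request, as it might arrive behind a trusted proxy.
const sampleRequest = {
  headers: {
    cookie: "session=abc123; __as_aid=4f2c9d1e-device-id",
    "x-forwarded-for": "203.0.113.7, 10.0.0.2",
    "user-agent": "Mozilla/5.0 (X11; Linux x86_64)",
  },
  socket: { remoteAddress: "10.0.0.2" },
};
```

If no __as_aid cookie is present (for example, the Web SDK has not run yet), deviceId is undefined and the Device is new condition will match on the next evaluation, which is the conservative outcome for this rule.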