Implementing risk-based authentication with rules

Authsignal’s rules builder allows you to create powerful rules that can target specific users based on a range of conditions.

In this guide, we will create a rule that targets high-risk users and challenges them when they attempt to sign in.

Start by going to your signIn action and clicking on the Rules tab. Then click Create rule and call it Challenge "high-risk" users, then click Continue.

We will determine a user as ‘high-risk’ if they meet any of the following conditions:

1. Are detected as being a bot
2. Are on a new device
3. Are using an anonymous IP address

To add these conditions, click Add feature below and click on Select feature. Choose the Device category and select the Device is new feature. Repeat this process for the Device is a bot feature (in the Device category) and for the IP is anonymous feature (in the IP/Network category).

Now change the conjunction logic from AND to OR so that the rule will be triggered if any of the conditions are met.

You should now see three conditions for your new rule.

Click Save and return to the Rules page for your signIn action. You should see your new rule listed.

Finally, head to the Settings tab and change the default outcome of the signIn action to ALLOW and click Save. This means that if a user does not trigger our newly created Challenge "high-risk" users rule, they will be allowed to proceed without a challenge.

​

Additional track input

Now that we have created our rule, we need to update our track action call to include some additional fields: deviceId, ipAddress, and userAgent.

const request = {
  userId: "dc58c6dc-a1fd-4a4f-8e2f-846636dd4833",
  action: "signIn",
  attributes: {
    deviceId: "<device-id>",
    userAgent: "<user-agent>",
    ipAddress: "<ip-address>",
    redirectUrl: "https://yourapp.com/callback",
  },
};

const response = await authsignal.track(request);

​

Next steps

• Customizing rules with business-specific data
• Testing rules