Authsignal’s rules builder allows you to create powerful rules that can target specific users based on a range of conditions. In this guide, we will create a rule that targets high-risk users and challenges them when they attempt to sign in.

Start by going to your signIn action and clicking on the Rules tab. Then click Create rule and call it Challenge "high-risk" users, then click Continue.

We will determine a user as ‘high-risk’ if they meet any of the following conditions:

  1. Are detected as being a bot
  2. Are on a new device
  3. Are using an anonymous IP address

To add these conditions, click Add feature below and click on Select feature. Choose the Device category and select the Device is new feature. Repeat this process for the Device is a bot feature (in the Device category) and for the IP is anonymous feature (in the IP/Network category).

Now change the conjunction logic from AND to OR so that the rule will be triggered if any of the conditions are met.

You should now see three conditions for your new rule.

Click Save and return to the Rules page for your signIn action. You should see your new rule listed.

Finally, head to the Settings tab and change the default outcome of the signIn action to ALLOW and click Save. This means that if a user does not trigger our newly created Challenge "high-risk" users rule, they will be allowed to proceed without a challenge.

Additional track input

Now that we have created our rule, we need to update our track action call to include some additional fields: deviceId, ipAddress, and userAgent.

You can use our Web SDK to easily grab the anonymousId that can be used as the deviceId field.

Node.js
import requestIp from "request-ip";

const result = await authsignal.track({
  action: "signIn",
  userId: "test_user",
  deviceId: req.body.deviceId, // `deviceId` sent from the client
  userAgent: req.headers["user-agent"],
  ipAddress: requestIp.getClientIp(req) ?? undefined,
});

Testing rules

Now that we have updated our track action call, let’s verify everything is working as expected. For convenience, Authsignal provides a Track a test action feature that we can use to test our rules.

Go to the Latest activity section of the signIn action and you should see a Track a test action button.

Click the Track a test action button and a dialog will pop up where we can provide some test data. Let’s change the userId to test_user and ipAddress to a known anonymous IP address, for example 8.8.8.8.

Finally, click Track action and you will see a breakdown of the action response.

Interestingly, despite our “Challenge “high-risk” users” rule being triggered, the action state is Allowed.

The outcome of our rule was ignored because the user test_user is not enrolled (they have no enrolled authenticators). Authsignal will only challenge users that have at least one authenticator enrolled.

As the user is not enrolled, the url will instead take a user to the authenticator enrollment flow.

Let’s enroll the user we used in our test action by clicking the Redirect flow URL link and add an authenticator through the pre-built UI.

Now, track another test action with the data we used previously. This time you should see that the action state is Challenge required.

Our rule is now behaving as expected and our test user has been challenged because they are using an anonymous IP address.

You can see a full breakdown of a user action by clicking the 'View details' link in the latest activity table.

Next steps

Was this page helpful?

Restricting authenticatorsUsing your own data points