External risk engines allow you to assess the risk of user activity and incorporate that assessment into resource rules. To use this feature, you must configure an external risk engine and add risk assessment rules.
External Risk Engine support for risk-based authentication is available only for Authentication API applications. A typical use case for an External Risk Engine is delivering continuous authentication for high-risk transactions. For example:
1. Your end-user logs in to your application with a password authenticator.
2. Your application is integrated with an external risk engine solution, such as Feedzai Digital Trust.
3. Your risk provider profiles your end users and builds a bio profile as the user uses your application.
4. When the user attempts to perform a high-risk transaction (for example, a money transfer or a change of contact information), you submit a request to IDaaS with your user session identifier.
5. The IDaaS risk-based engine calculates the user risk using both internal and external risk factors.
6. Based on the perceived risk, IDaaS returns the second-factor authentication method that your user must answer to complete the transaction.
In this example, the required setup is as follows:
1. Configure your application as required by the External Risk Engine provider.
2. Define your External Risk Engine provider in IDaaS: compose the API call that retrieves the risk information, and select the risk factor from the response data returned by the External Risk Engine provider.
3. Create an Authentication API application and create a resource rule with External Risk Engine rules:
● Select External as the first factor.
● Select None as the second factor for low risk.
● Select One-Time Password as the second factor for medium risk.
● Select Mobile Smart Credentials Push or Entrust Soft Token Push as the second factor for high risk.
4. Configure your application to call the Authentication API (“Query User Authenticators”).
5. Check whether the user is allowed to proceed (no second factor required) or is required to complete additional authentication.
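The check in step 5 is where the application enforces the risk decision, so it should fail closed when the response is missing or unexpected. The following Python is an added example, not Entrust code and not part of the original page. It assumes a hypothetical response shape (a `secondFactors` list) and constructed factor names, and that both push methods are offered for high risk. `simulated_query` stands in for the "Query User Authenticators" call.

```python
"""Step-up gate for a high-risk transaction (added example, constructed data)."""
from enum import Enum


class Action(Enum):
    PROCEED = "proceed"   # no second factor required
    STEP_UP = "step_up"   # user must complete a second factor
    DENY = "deny"         # response unusable: fail closed


# Resource rule from the setup steps on this page. The string tokens are
# placeholders constructed for this example, not values from the IDaaS API.
RULE = {
    "low": ["NONE"],
    "medium": ["OTP"],
    "high": ["SMART_CREDENTIAL_PUSH", "SOFT_TOKEN_PUSH"],
}
KNOWN_FACTORS = {f for factors in RULE.values() for f in factors}


def simulated_query(risk_level):
    """Stand-in for the query call; the response shape is hypothetical."""
    return {"secondFactors": list(RULE[risk_level])}


def gate_transaction(response):
    """Map a query response to (action, factors); anything unexpected is denied."""
    factors = response.get("secondFactors") if isinstance(response, dict) else None
    if not isinstance(factors, list) or not factors:
        return Action.DENY, []          # error body, timeout stub, empty list
    if any(not isinstance(f, str) or f not in KNOWN_FACTORS for f in factors):
        return Action.DENY, []          # unknown factor: never guess
    if factors == ["NONE"]:
        return Action.PROCEED, []       # low risk: transaction may continue
    if "NONE" in factors:
        return Action.DENY, []          # contradictory: do not skip step-up
    return Action.STEP_UP, factors      # medium or high risk


if __name__ == "__main__":
    for level in ("low", "medium", "high"):
        print(level, gate_transaction(simulated_query(level)))
    print("malformed", gate_transaction({"error": "timeout"}))
```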
You can configure IDaaS to use the following types of external risk engines:
● Connector-based risk engines