Post-Login Risk Evaluation Workflow
When a user accesses your online application, you can first log them in and then comprehensively assess them for potential risks by implementing this workflow. This workflow uses device identification information and number of factors, such as network information, user information, and (if implemented) transaction information to evaluate users.
aa813test
2115267
When a user accesses your online application, you can first log them in and then comprehensively assess them for potential risks by implementing this workflow. This workflow uses device identification information and number of factors, such as network information, user information, and (if implemented) transaction information to evaluate users.
Based on the result of the evaluateRisk() function, CA Risk Authentication determines whether to create an association and update the attributes during the postEvaluate() call:
- In case of ALLOW, the user-device association information is updated.
- In case of ALERT and DENY, the user-device association information isnotupdated at all.
- In case of INCREASEAUTH, the user-device association information is updated, but the user association information is createdonly ifthe result of the additional authentication ("Secondary Authentication Workflow") was successful.
If you call CA Risk Authentication’s risk analysis capability after you authenticate a user in to your online application, then the risk evaluation workflow is as follows:
- User logs into your online application.Your system validates if the user exists in your system. If the user is not valid, then your application must take appropriate action.
- Your application collects information required by CA Risk Authentication.At this stage, your application collects information from the user’s system that will be used by CA Risk Authentication for analyzing risk:
- User system informationthat includes operating system, platform, browser information (such as browser language, HTTP header information), locale, and screen settings. Your application uses CA Risk Authentication's Utility Script called CA Risk Authentication-client.js to collect this information.
- Device informationthat includes Device ID, which is stored at the client-end.
- Location informationthat includes IP address and Internet Service Provider related information.
- (Optionally, if you are using additional information)Additional Inputsthat are specific to custom rules or the channel selected.
- Your application calls CA Risk Authentication’s evaluateRisk() function.At this stage, your application must call the evaluateRisk() function in riskfortAPI. In this call, you must pass all the user and device information that you collected in the preceding step to CA Risk Authentication.
- CA Risk Authentication performs risk analysis for the user.CA Risk Authentication evaluates the risk using the incoming inputs and the configured rules. Based on the result of rules that were executed and whether the information matched, CA Risk Authentication generates:
- ALERT, if the information for the user does not exist in the CA Risk Authentication database.
- ALLOW, if the risk score is low.
- DENY, if the risk score is high.
- INCREASEAUTH, if the incoming information is suspicious.
- Your application takes the appropriate action by using CA Risk Authentication’s recommendation.Based on the result of the evaluateRisk() call, your application either allows the user to continue with the transaction, denies them access to the protected resource, or performs secondary authentication.See "Secondary Authentication Workflow" for more information.
- Your application calls CA Risk Authentication’s postEvaluate() function.At this stage, your application must call the postEvaluate() function in riskfortAPI. Based on the output generated by the evaluateRisk() call, this call helps CA Risk Authentication to generate the final advice and update the device and association information.In this call, you must pass the risk score and advice from the evaluateRisk() call, the result of secondary authentication (if the advice in the previous step was INCREASEAUTH), and any association name, if the user specified one.
- CA Risk Authentication updates the device and association information.If any change is detected in the incoming data, CA Risk Authentication updates the data and association information in the CA Risk Authentication database.The following figure illustrates the Post-login risk evaluation workflow.
