Extending User Session

Extending a User Session

The Account Login API for Account Takeover (ATO) Protection is used at the time of customer login to prevent unauthorized users from extending a user's account session, gaining access to PII payment data, and conducting any other malicious activity at the time of login.

The Account Login API can also be used to extend an idle user's session without requiring multi-factor authentication for legitimate customers - resulting in a simplified and frictionless user account experience for legitimate customers.

Account Login API Use Cases

The Account Login API can return a binary approve/decline decision that allows you to determine whether a user requesting an extended session should be permitted from accessing the account

User Session Extension Integration

Step 1: Front End Integration

In your dedicated Forter portal, you will receive a JavaScript snippet for both sandbox and production. For native mobile apps, you will receive links to download Forter's Native SDKs. You'll paste the JS script on the appropriate pages of your website or call mobile SDK methods on relevant mobile app screens so that it can load and asynchronously collect important behavioral data from your customer. The script or mobileUID generated by the mobile SDK will also generate a unique token for each user on your site that should be included in the Account Login API Request Body.

Step 2: Account Login API

**Account Login API Request** Forter can provide a decision to approve a frictionless login or suggest that Multi-Factor Auth if suspicious activity is detected.

Because of load considerations (bots) Forter typically asks to receive ONLY successfully authenticated traffic (password was correct) via the Account Login API. For full details, please see the Customer Account Login API Reference section for more details.

Primary Data Points are:

  • Account ID
  • User Input (typically email)
  • ConnectionInformation - Cyber intelligence data to analyze browsing behavior, device and connection quality such as IP address, user agent and data collected via JS / mobile SDK
  • LoginMethodType parameter should be populated with AUTH_TOKEN_REFRESH in the case of refreshing an idle user session
  • Details of AdvancedAuthenticationMethod is one was used by the merchant (e.g. MFA was already applied)
  "accountId": "e520-ba9a-367-60b",
  "eventTime": 1415287568000,
  "connectionInformation": {
    "customerIP": "",
    "userAgent": "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.73 Safari/537.36",
    "forterTokenCookie": "2315688945984"
  "loginMethodType": "AUTH_TOKEN_REFRESH",
  "loginStatus": "SUCCESS",
  "channelType": "WEB",
  "userInput": {
    "inputType": "EMAIL",
    "email": "[email protected]"

Account Login API Response
The Account Login API response includes the Forter decision and potential recommendations, as well as a correlation ID that should be stored and used when the merchant provides additional updates (e.g. result of MFA if additional verification was recommended).

  "forterDecision": "APPROVE",
  "decisionReason": "",
  "accountId": "e520-ba9a-367-60b",
  "correlationId": "HGJ7512345H3DE",
  "recommendations": [