Login Protection

Login Protection

The Identity Protection Account Login API for Account Takeover (ATO) Protection is used at the time of customer login to prevent unauthorized users from accessing a user's account, gaining access to PII payment data, and conducting any other malicious activity at the time of login.

Account Login API Use Cases

The ATO account login protection can also be used to extend an idle user's session without requiring 2-Factor auth for legitimate customers - resulting in a simplified and frictionless user account experience for legitimate customers.

Login Identity Protection Integration

Step 1: Front End Integration

In your dedicated Forter portal, you will receive a JavaScript snippet for both sandbox and production. For native mobile apps, you will receive links to download Forter's Native SDKs. You'll paste the JS script on the appropriate pages of your website or call mobile SDK methods on relevant mobile app screens so that it can load and asynchronously collect important behavioral data from your customer. The script or mobileUID generated by the mobile SDK will also generate a unique token for each user on your site that should be included in the Account Login API Request Body.

Step 2: Account Login API

#### Account Login API Request Forter can provide a decision to approve a frictionless login or suggest that Multi-Factor Auth if suspicious activity is detected.

Because of load considerations (bots) Forter typically asks to receive ONLY successfully authenticated traffic (password was correct) via the Account Login API. For full details, please see the Customer Account Login API Reference section for more details.

Primary Data Points are:

  • Account ID
  • User Input (typically email)
  • ConnectionInformation - Cyber intelligence data to analyze browsing behavior, device and connection quality such as IP address, user agent and data collected via JS / mobile SDK
  • LoginMethodType (e.g. Password vs SMS) and status (indication of success) or AUTH_TOKEN_REFRESH in the case of refreshing an idle user session
  • Details of AdvancedAuthenticationMethod is one was used by the merchant (e.g. MFA was already applied)
{
  "accountId": "e520-ba9a-367-60b",
  "eventTime": 1415287568000,
  "connectionInformation": {
    "customerIP": "10.0.0.127",
    "userAgent": "Mozilla/5.0 (Windows NT 6.1; WOW64)",
    "forterTokenCookie": "2315688945984"
  },
  "loginMethodType": "PASSWORD",
  "loginStatus": "SUCCESS",
  "channelType": "WEB",
  "userInput": {
    "inputType": "EMAIL",
    "email": "[email protected]"
  }
}

Account Login API Response

The Account Login API response includes the Forter decision and potential recommendations, as well as a correlation ID that should be stored and used when the merchant provides additional updates (e.g. result of MFA if additional verification was recommended).

{
  "forterDecision": "APPROVE",
  "decisionReason": "",
  "accountId": "e520-ba9a-367-60b",
  "correlationId": "HGJ7512345H3DE",
  "recommendations": [
      "SEND_OTP_CODE"
  ]
}

Step 3: Authentication Attempt API

The Forter Authentication Attempt API is called after the Account Profile Access or Account Login APIs, because its role is to provide Forter with the results of the additional authentication carried out after an attempt at login or profile access has been made. Types of additional authentication include multi-factor authentication, one time passwords, and payment method verification.

Whether or not the user can pass the challenge is very important data in protecting your customers’ accounts. The Account Authentication Attempt API is used to provide Forter with the results of the additional authentication for account login.

Rather, the response will always be "NOT_REVIEWED" Please see the Authentication Attempt API Reference for more details.

Authentication Attempt API Request
The Authentication Attempt API provides Forter with more information about the customer verification. Forter can update its evaluation of the customer and provide you with appropriate decision updates (e.g. Forer might recommend to approve the customer if the verification succeeded, or suggest an alternative form of authentication if it failed).

The primary data points needed for the Account Authentication Attempt API are:

accountID
AdvancedAuthenticationMethod which contains information about the method of authentication done (email, phone, etc..),
correlation ID that was provided in the Login / Profile Access API response and is used to link the authentication attempt data to the original event that was decisioned.

Authentication Attempt API Response
As this API is only used to provide Forter's model's additional information, the decision returned will always be "NOT_REVIEWED". Supplementary parameters like correlationId and accountId are also returned in the API response.