Login Protection

overview the login api for is used at the time of customer login to prevent unauthorized users from accessing a user's account, conducting malicious activity at the time of login and gaining access to pii, payment data and other account related assets primary use cases there are a number of ways you can utilize the login protection offered by this api the login api can be used to enforce the following scenarios account take over (ato) to prevent incidents where fraudsters use stolen credentials to try and gain access user accounts, to data theft, fraud, and brand damage mfa optimization enhances multi factor authentication (mfa) by reducing friction for legitimate users while strengthening security against fraud credential stuffing & bot protection safeguards accounts from automated attacks where fraudsters use stolen username password pairs to gain unauthorized access credential stuffing exploits reused credentials from data breaches, while bots automate login attempts at scale extended session allows users to stay logged in for a longer period without needing to re authenticate, improving convenience and user experience integration steps front end integration https //docs forter com/front end integration in your dedicated forter portal, you will receive a javascript snippet for both sandbox and production for native mobile apps, you will receive links to download forter's native sdks you'll paste the js script on the appropriate pages of your website or call mobile sdk methods on relevant mobile app screens so that it can load and asynchronously collect important behavioral data from your customer the script or mobileuid generated by the mobile sdk will also generate a unique token for each user on your site that should be included in the account sign up api request body send login request for decision forter's login api https //docs forter com/reference/login can provide a decision to approve a frictionless login or suggest that multi factor auth if suspicious activity is detected because of load considerations (bots) forter typically asks to receive only successfully authenticated traffic (password was correct) via the login api login api request primary data points are account id customer's account uid in merchant's site should not be the user email if no account id is available send no account id user input input details submitted by the user required in case forter does not have a full list of merchant account details (typically email) connectioninformation cyber intelligence data to analyze browsing behavior, device and connection quality such as ip address, user agent and data collected via js / mobile sdk loginmethodtype (e g password vs sms) and status (indication of success) or auth token refresh in the case of refreshing an idle user session details of advancedauthenticationmethod is one was used by the merchant (e g mfa was already applied) { "accountid" "e520 ba9a 367 60b", "eventtime" 1415287568000, "connectioninformation" { "customerip" "10 0 0 127", "useragent" "mozilla/5 0 (windows nt 6 1; wow64)", "fortertokencookie" "2315688945984" }, "loginmethodtype" "password", "loginstatus" "success", "channeltype" "web", "userinput" { "inputtype" "email", "email" "john s\@test com" } } login api response the response includes the forter decision and potential recommendations, as well as a correlation id that should be stored and used when the merchant provides additional updates (e g result of mfa if additional verification was recommended) key fields forterdecision the latest forter decision regarding the attempted action said fields may hold one of various options "approve" for approved signup requests, where user should be allowed to register for a new accounts; "decline" for declined signup requests, where user should be declined from registering for new accounts; "verification required" for signup requests, where user should be triggered an additional verification (via email, sms, etc ,; "not reviewed" recommendation a specific recommendation for an action that might help the customer to complete their transaction/action (e g verify phone via sms, verify via push notification, verify email, perform a 3ds check, etc ) correlationid a forter unique identifier that should be sent to forter as part of the advancedauthenticationmethod object to correlate the mfa recommendation given in this response with the relevant additional authentication attempt result { "forterdecision" "approve", "decisionreason" "", "accountid" "e520 ba9a 367 60b", "correlationid" "hgj7512345h3de", "recommendation" "" }{ "forterdecision" "verification required", "decisionreason" "", "accountid" "e520 ba9a 367 60b", "correlationid" "hgj7512345h3de", "recommendation" "email verification", "verificationmethod" { "verificationid" "88yr28r890u", "correlationid" "e520 ba9a 367 60b", "type" "otp email", } } send request to extend user session forter's login api https //docs forter com/reference/login can also be used to extend an idle user's session without requiring password multi factor authentication for legitimate customers resulting in a simplified and frictionless user account experience for legitimate customers the login api can return a binary approve/decline decision that allows you to determine whether a user requesting an extended session should be permitted from accessing the account in a frictionless manner, or should friction in the form of mfa, password be triggered for validation login api request forter can provide a decision to approve a frictionless login or suggest that multi factor auth if suspicious activity is detected because of load considerations (bots) forter typically asks to receive only successfully authenticated traffic (password was correct) via the account login api for full details, please see the login https //docs forter com/reference/login api section for more details primary data points are account id user input (typically email) connectioninformation cyber intelligence data to analyze browsing behavior, device and connection quality such as ip address, user agent and data collected via js / mobile sdk loginmethodtype parameter should be populated with auth token refresh in the case of refreshing an idle user session details of advancedauthenticationmethod is one was used by the merchant (e g mfa was already applied) { "accountid" "e520 ba9a 367 60b", "eventtime" 1415287568000, "connectioninformation" { "customerip" "10 0 0 127", "useragent" "mozilla/5 0 (windows nt 6 1; wow64) applewebkit/537 36 (khtml, like gecko) chrome/47 0 2526 73 safari/537 36", "fortertokencookie" "2315688945984" }, "loginmethodtype" "auth token refresh", "loginstatus" "success", "channeltype" "web", "userinput" { "inputtype" "email", "email" "john s\@test com" } } login api response the response includes the forter decision and potential recommendations, as well as a correlation id that should be stored and used when the merchant provides additional updates (e g result of mfa if additional verification was recommended) { "forterdecision" "approve", "decisionreason" "", "accountid" "e520 ba9a 367 60b", "correlationid" "hgj7512345h3de", } send authentication attempts the authentication result api https //docs forter com/reference/authentication result is used to inform forter of authentication results after an mfa was required by a previous login api request, using the provided correlation id while no decision is provided on this request, it is required in order to ensure optimal customer experience as well as continuously improving the decision model authentication result api request key fields accountid customer's account uid in merchant's site eventtime the time that the trigger event occurred in milliseconds additionalauthenticationmethod correlationid a forter unique identifier that was provided as part of a forter api response recommending additional authentication measures used to correlate between the user action which triggered the recommendation and the authentication attempt result required when the additional authentication was triggered by forter's recommendation additionalauthenticationmethod verificationoutcome may take various forms depending on verification outcome for example additionalauthenticationmethod verificationoutcome is a general authentication result enumerated field with 3 possible values \["success"; "failure"; none attempted] please see the authentication result https //docs forter com/reference/authentication result api reference section for more details { "accountid" "e520 ba9a 367 60b", "eventtime" 1415287568000, "connectioninformation" { "customerip" "10 0 0 127", "useragent" "mozilla/5 0 (windows nt 6 1; wow64) applewebkit/537 36 (khtml, like gecko) chrome/47 0 2526 73 safari/537 36", "fortertokencookie" "2315688945984" }, "channeltype" "web", "additionalauthenticationmethod" { "verificationoutcome" "success", "correlationid" "87363864834", }, } authentication result api response as this api is only used to provide forter's model's additional information, the decision returned will always be "not reviewed" supplementary parameters like correlationid and accountid are also returned in the api response prepare and upload historical data https //docs forter com/historical data to ensure the highest level of accuracy for our decisioning model, forter customizes our model to fit the specific risk profile of each of our customers we achieve this by training the model with your past signup and login data in order to provide you with better accuracy from day 1 complete integration tests https //docs forter com/qa#uk1vi the purpose of forter's integration tests is to make sure that your integration covers all relevant use cases, while still in the sandbox or test environment each use case may need a different combination of attributes and values to make sure you have covered each of the use cases we expect in your integration, please go through the test scenario list in the integration tests section of portal for each, you'll need to create the scenario in your sandbox site that will generate a call to forter's api then, select the corresponding api request that forter received and click run to verify that the sample request meets the criteria deploy to production once the integration tests have passed, and you've reviewed any gaps with a forter implementation engineer please, deploy your code to your production environment, with two critical adjustments replace your site id and secret key with your production credentials https //docs forter com/reference/environments#x fxu update your javascript snippet and mobile sdks to use your production site id and the production hash keys, if relevant please note that this does not yet complete your integration until forter has switched your site to live (after data validation and listen mode), all forter decisions will return "not reviewed" data validation https //docs forter com/qa#qeexu once in production, forter uses a data validation tool to execute a set of automated tests across your live data in aggregation the test outputs are daily reports that validate the accuracy and completeness of the production data we receive from you you can monitor this output in forter portal under integration center tools we recommend checking the report daily to identify any failed tests, which will prevent you from moving forward to listen mode listen mode https //docs forter com/qa#dkxgh in "listen mode", we will monitor the production traffic on your site and calibrate our models before we begin to provide you with decisions this is a critical stage to ensure you meet your kpis, and usually lasts around 7 14 days your implementation engineer will update you on the specific timeline for your integration during this time, forter will continue to return "not reviewed" decisions in the api response go live as forter begins to send decisions and recommendations, confirm that your production site is handling responses as expected