How to Integrate Kount Control Adaptive Authentication

Kount Control and Equifax Secure MFA are separate products that use different techniques to protect end-user accounts. Combined, they provide a powerful adaptive authentication solution – removing friction for users who appear low risk, and adding friction in the form of secondary authentication to users who appear risky.

Follow this document to integrate the products and add adaptive authentication to your website or mobile app.

Components

Before cohesively building an end-to-end solution using these products, review each component and its capabilities:

Kount Control

After your authentication service performs a primary authentication (such as validating a username and password), Kount Control evaluates user behavior, device data, and network anomalies to detect high-risk activity (such as bots, credential stuffing and brute force attacks). This detection works by installing an SDK on your website or mobile app, and then hooking into Kount's REST API to determine, in real time, whether a login should be allowed, declined, or challenged with step-up authentication.

As a solo product, Kount Control does not provide step-up authentication. To provide secondary authentication, Equifax Secure MFA and/or Kount Email MFA are required.

Equifax Secure MFA

Equifax Secure MFA sends a hyperlink via short messaging service (SMS) to the end-user's phone number. By opening the link, Equifax Secure MFA verifies that the end-user has clicked the link on the device associated to the mobile number, adding another layer of validation to the end-user's identity.


Workflow

Kount Control and Secondary Authentication for End-Users

The primary workflow for authentication is that an end-user attempts to log in (or perform another sensitive operation) and their identity must first be verified before allowing them to proceed.

[Figure 01: Simple Auth]


In a simple MFA flow, the verification steps are broken into primary and secondary authentication. Examples of primary authentication include providing a username and password, or using biometrics such as a fingerprint or face match. Secondary authentication examples include clicking a hyperlink sent via SMS, or entering a passcode sent via email.

By requiring more than one authentication factor, confidence in the end-user's authenticity increases - since it's less likely that multiple levels of authentication could be compromised at the same time.

[Figure 02: Secondary Auth]

Kount Control adds an additional component to the simple MFA flow by reducing friction for legitimate users.  After primary authentication, the Kount Control API is called to determine whether step-up authentication is needed.  If Kount Control indicates that a login should be allowed, the user can be authenticated without a step-up authentication. If Kount Control indicates the login should be challenged, MFA can be invoked.

[Figure 03: Auth with Control]

Equifax Secure MFA and/or Kount Email MFA can perform the Secondary Authentication in this workflow.

The following sections describe the workflow for each product integrated with Kount Control.

For additional Kount Control documentation visit our technical support site: Kount Control Developer Documentation and Kount Control Management Documentation.

Kount Control and Equifax Secure MFA

Follow this section to understand where Secure MFA fits in a workflow with Kount Control.  For full details about integrating Secure MFA, consult the Secure MFA Developer's API Guide (which can be requested from your Kount Solutions Engineer or Account Manager).

An API Reference is available on the Equifax development site (login required): Secure MFA on Equifax Developer Center.

The diagram below shows authentication using Kount Control with Equifax Secure MFA:

[Figure 04: Secure MFA with Control]

The following steps describe the Kount Control/Equifax Secure MFA sequence at a high level. 

For additional support on steps 1-5 and 12-14, consult the Kount Control documentation. For additional support on steps 6-11, consult the Secure MFA documentation.

  1. Visit Login Screen: The end-user lands on the login screen, whether a discrete page, a popover on any given page, etc.  The important part is that the end-user indicates they want to attempt to log in, which is when device data collection must be initiated.
  2. Device Collection: The Device Data Collector (DDC) must run where the login is to be performed.  This helps identify returning end-users and collects data that allows Kount to detect fraud.  You must generate a session ID and provide it to the DDC when the collection happens. The session ID must be used later when interacting with Kount Control to tie the data collection together with the decisioning.
  3. Primary Login: The end-user logs in using a username and password - or any other primary authentication process (face matching, finger-printing, etc.).
  4. Risk Check: While processing the primary login, your system calls the Kount Control /login API endpoint to determine how to proceed, based on the amount of risk indicated by Kount Control.  This sequence assumes a CHALLENGE result, which invokes either Equifax Secure MFA or Kount Email MFA.
    Possible results:
    • ALLOW: The end-user should be authenticated without further validation.
    • BLOCK: The end-user should not be authenticated, nor offered further validation.
    • CHALLENGE: The end-user should be challenged with secondary authentication - to increase confidence that they are the legitimate end-user.
  5. Challenge (High Risk): The response in this example sequence is that the end-user should be challenged to prove their validity - indicating to your system to invoke either an SMS or email MFA.
  6. Display Phone # Form (optional): This step is to display a form for the end-user to enter the phone/mobile number registered to their personal account with the service. Requesting the registered mobile number and matching the number against the end-user’s account is another knowledge authentication factor.
  7. Request Dynamic Link: Once you have the phone number to use for validation, invoke the Equifax Secure MFA /authentications/initiate endpoint to initiate sending the SMS containing the dynamic link.
  8. Success Response: The /authentications/initiate endpoint responds with either an error (unable to deliver the SMS due to an invalid mobile number) or a success. This example sequence assumes a success, meaning that Secure MFA was able to deliver the link to the mobile number. At this point, your workflow either needs to prepare to poll for the validation result (the Validate Secure MFA step) or handle when the user clicks the dynamic link (the Click Dynamic Link step). See the Secure MFA Developer API Guide for more details on these options. The diagram above assumes your system polls for the validation result.
  9. Click Dynamic Link: The end-user opens the SMS message containing the dynamic link.
    NOTE: The link expires if it is not clicked within four minutes of the Secure MFA link being sent.
  10. Validate Secure MFA: Your system calls the Secure MFA /authentications/status API endpoint to determine if the user has clicked the link, and then determines the result of the validation. If you are using the polling method, you must continue to poll this endpoint until the link is clicked (you receive a Success response rather than an Error response with the VFP not received error code), or 4 minutes have passed, whichever occurs first.  Once a successful response is received from the Validate Secure MFA step, no further polling is required.
  11. Validation Result: Once the link is clicked, the response returns one of four results, each indicating a different risk level. You must determine the level of risk that is acceptable to your organization.  This example sequence doesn't assume a specific response or a specific outcome decision.
    Possible results:
    • Green: Device currently connected through cellular network and authenticated by Mobile Network Operator.
    • Yellow: Device currently connected through Wi-Fi and authenticated through Wi-Fi or Fixed VOIP channel.
    • Orange: Device is currently connected through Wi-Fi and is a Non-Fixed VOIP Phone Number.
    • Red: Device currently connected through cellular network and failed authentication by Mobile Network Operator.
  12. Event API: Your system calls the Kount Control /events API endpoint to indicate whether the challenge outcome succeeded or failed, which assists Kount Control in improving its fraud protection decisions in future risk checks.
  13. Add Trusted Device (optional): Your system calls the Kount Control /trusted-device API endpoint to add the device as a trusted device for that user in the Kount Control solution. This should only be done if the Secure MFA check succeeds (recommendation: green or yellow).  Since this device is validated as legitimate, you can make this a trusted device for this end-user to reduce friction for the user's future visits using this device.
  14. Login or Error: If the SMS link is clicked and the validation result is at an acceptable risk level, the end-user can be logged in (authenticated).  If the SMS link is not clicked, or the validation result is unacceptable, the end-user should be presented with an error and given options to try again.
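The sequence above, steps 4 through 14, as an added orchestration example (this is not Kount's or Equifax's code): the HTTP calls are injected as callables, so the signatures and return values used here are assumptions derived from the step descriptions rather than the real API reference, and polling is driven by an injectable clock so the four-minute link expiry and the "not yet clicked" case can be exercised offline.

```python
import time
from dataclasses import dataclass
from typing import Callable, Optional

LINK_TTL_SECONDS = 240                 # Secure MFA link expires four minutes after sending
ACCEPTED_COLORS = {"Green", "Yellow"}  # policy choice: results treated as a successful step-up


@dataclass
class Clients:
    """Injected API transports (assumed shapes, not the vendors' real client signatures)."""
    control_login: Callable[[str, str], str]         # (session_id, user) -> ALLOW | BLOCK | CHALLENGE
    mfa_initiate: Callable[[str], Optional[str]]     # phone -> authentication id, or None if SMS undeliverable
    mfa_status: Callable[[str], Optional[str]]       # auth id -> Green/Yellow/Orange/Red, or None if not yet clicked
    control_event: Callable[[str, str, bool], None]  # (session_id, user, challenge_succeeded)
    control_trust: Callable[[str, str], None]        # (session_id, user) -> register device as trusted


def poll_secure_mfa(clients, auth_id, now, sleep, interval=5.0) -> Optional[str]:
    """Step 10: poll /authentications/status until the link is clicked or the link expires.
    A None from mfa_status models the 'VFP not received' error (link not clicked yet)."""
    deadline = now() + LINK_TTL_SECONDS
    while now() < deadline:
        color = clients.mfa_status(auth_id)
        if color is not None:
            return color                                  # step 11: link clicked, result available
        sleep(interval)
    return None                                           # link expired without a click


def adaptive_login(clients, session_id, user, phone, now=time.monotonic,
                   sleep=time.sleep, trust_device=True) -> str:
    """Steps 4-14 after a successful primary login. session_id is the one given to the DDC."""
    decision = clients.control_login(session_id, user)    # step 4: risk check
    if decision == "ALLOW":
        return "LOGGED_IN"                                # low risk: no step-up needed
    if decision == "BLOCK":
        return "DENIED"                                   # high risk: no retry offered
    if decision != "CHALLENGE":
        raise ValueError(f"unexpected Kount Control result: {decision}")
    auth_id = clients.mfa_initiate(phone)                 # step 7: send the dynamic link
    if auth_id is None:                                   # step 8: delivery error (invalid number)
        clients.control_event(session_id, user, False)
        return "ERROR_RETRY"
    color = poll_secure_mfa(clients, auth_id, now, sleep) # steps 9-11
    success = color in ACCEPTED_COLORS
    clients.control_event(session_id, user, success)      # step 12: report challenge outcome
    if success and trust_device:
        clients.control_trust(session_id, user)           # step 13: only after an accepted result
    return "LOGGED_IN" if success else "ERROR_RETRY"      # step 14
```

The event call in step 12 is made on every challenge path, including expiry and delivery failure, so Kount Control sees failed challenges as well as successful ones.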

Account Registration and Contact Validation

Before using a phone number or email address for secondary authentication, Kount recommends you validate that the phone number and/or email address belongs to the account owner. The optimal time for validation is during account creation or registration.

You can validate a phone number or email address by sending an OTP or dynamic link that the end-user validates.  Upon successful validation, your system records the data points.

If a phone number or email address was not validated at account registration, you can provide a way in your website or mobile app for the end-user to enable the validation process on their own.  This requires performing an MFA with the solution, and then recording the result.

If you choose to require validation for contact points, you should not use Equifax Secure MFA for end-user validation until you have recorded a validated phone number, and you should not use Kount Email MFA for end-user validation until you have recorded a validated email address.
