Managing the HID Risk Management Solution

The HID Risk Management Solution (RMS) is a fraud and threat detection solution, designed with a modern fraud schemes and attack types in mind. It is based on device fingerprinting and transparent user identification technologies. It uses advanced techniques to establish a unique device fingerprint based on the device location, browser, and system hardware details.

The HID RMS uses obfuscated JavaScript code that is embedded within the relying-party's web application to retrieve information about the end user's system, to establish a device fingerprint, study the way users interact with the application, analyze and then, finally, produce a risk score.

This information is given a unique ID so when the relying-party’s application calls the HID Authentication Service, it can retrieve a risk score associated with the authentication attempt.

The HID Authentication Service compares this risk score with the pre-configured threshold values to decide how to process the authentication:

  • Reject and block the channel for the end user (very high risk)

  • Only reject (high risk)

  • Ask for a step-up authentication (medium risk)

  • Authorize the request (low risk)

This feature is activated on the HID Authentication Service by adding and configuring an RMS source to an authentication channel (CH_RMS). This ensures that authentications on the designated channel require a RMS Risk Score index retrieval.

RMS JavaScript Snippet

The RMS JavaScript Snippet is a core component ensuring detection of cyber threats and monitoring of users’ activity in the application. This component is to be placed in HTML code (in header of all pages) of the protected applications. The JavaScript snippet is continuously re-obfuscated to ensure that attackers cannot easily reverse engineer the solution.

RMS Server

The HID RMS server is the central point of analysis for the data gathered by the respective JavaScript probes as well as providing a graphical web dashboard for fraud analysts to analyze detection cases.

Risk Score Provider Configuration

The HID RMS source or Risk Score Provider is a configuration details about the threat detection provider to retrieve the risk score details by the HID Authentication Service.

For further information about configuring RMS source endpoints, see the Risk Score Provider REST API.

Solution Workflow

The following diagram illustrates the flow of authentication requests and responses, when an end user authenticates to relying party applications such as banking application, leveraging the HID RMS integration.

The green flow illustrates the step-up authentication using the HID Authentication Service and HID Approve.

  1. The end user submits a logon request to the banking application (relying party).

  2. The banking application web page requests a user data probe using the HID RMS JavaScript.

  3. HID RMS provides the JavaScript and cookies required for the probe on the user’s device.

  4. The HID RMS probe retrieves the user data and returns it to the HID RMS for realtime analysis.

  5. The banking application retrieves the HID RMS cookie from the user’s browser.

  6. The banking application sends an authentication request, including the HID RMS cookie ID, to the HID Authentication Service.

  7. The HID Authentication Service sends the cookie ID to the HID RMS to retrieve the risk score.

  8. The HID RMS returns the risk score.

  9. The HID Authentication Servicee analyses the risk score based on the configured thresholds:

    • If the score is lower than the thresholds, the HID Authentication Service authorizes the authentication request.

    • If the score is higher than one of the thresholds, the HID Authentication Service either:

      • Rejects the request (only)

      • Rejects the request and blocks the channel for the end user

      • Asks for a step-up authentication (for example, push-based validation)

  10. The HID Authentication Service sends the response to the banking application.

  11. If the request is authorized, the authenticated user can access the appropriate resources in the banking application.

    Important: A common proxy MUST be used to redirect the different exchanges according to the different URL endpoints.

Integrate with HID RMS

Step Description

1

Adding a new Risk Management Source

An HID RMS Source is required to allow communication between the HID Authentication Service and the RMS provider, using secured account settings.

Note: RMS providers must also allow inbound connections from the:

  • Relying party application’s proxy to allow the PROBE request from the end user’s browser.

  • HID Authentication Service to retrieve the risk score during the authentication workflows.

IP address and port information should be provided at this step. RMS Source access ports should also be defined (for example, 8043 for probe requests, and 8053 for risk retrieval).

See Risk Score Provider REST API.

2

Binding a Risk Management Source for the channel

Binding an RMS Source for channel CH_RMS implies that all authentication requests for this channel must provide valid Risk Management information.

If this information is missing, or if it reveals a potential threat, the authentication process will be impacted.

Important: In addition, if the RMS is unavailable (or cannot be reached), all the authentications on this channel will be rejected.
Note: Threshold values might be adjusted in early deployment steps. Contact HID Global Technical Support for guidance.

3

Integrating the HID RMS Calls in the Relying Party Application

The relying party application must integrate the RMS client configuration.

For example:

  • Include the HID RMS JavaScript snippet in the header of all pages of the protected web application/portal.

  • Make sure RMS cookies are retrieved and included in the authentication requests sent to the Authentication Service.

4

Configuring a Proxy for HID RMS

The HID RMS tag in the end user's browser only uses the relying party application host defined in the authentication page URL.

Therefore, a common proxy MUST be used to redirect the different exchanges according to the different URL endpoints.

Redirect URLs should be configured in the proxy property files, refer the below table with a sample configured Redirect URLs and its location:

  • /public/scripts/ib.js - https://<HIDRMSServerhost&port>/application/ib/get-js

    For example, https://threatmark.com:8043/application/ib/get-js

  • /auth/ib-session - https://<HIDRMSServerhost&port>/application/ib/probe-request

    For example, https:// threatmark.com:8043/application/ib/probe-request

Error Codes and Messages

Reason Code Description

REASON_THRESHOLD_STEP-UP_REACHED

51

Step-up authentication required

REASON_THRESHOLD_REJECT_REACHED

52

Risk score is too high - score exceeds the configured rejection threshold

REASON_THRESHOLD_BLOCK_REACHED

53

Risk score is too high, this channel is now blocked for the user - score exceeds the configured rejection threshold

REASON_AUTH_SCORE_NOT_RETRIEVED

54

Risk score cannot be retrieved

REASON_AUTHENTICATOR_NOT_ALLOWED

55

Authentication policy is not allowed by the configuration

REASON_STEP-UP_SESSIONTRANSFER_NOT_FOUND

56

Second step authentication: no corresponding session transfer has been found - Step-up authentication cannot be performed

REASON_STEP-UP_USER_NOT_MATCH

57

Second step authentication: user does not match the first authentication user

REASON_MISSING_RMS_PARAMETERS

58

Some required parameters are missing from the request

The error code is provided in the JSON:

Copy 
{
    "hid_failure":    
    {
        "reason": 51,
        "context":       {
            "TM_AUTHENTICATION_TYPE_LIST": "AT_PASA",
            "TM_ACTION_ID": "4481",
            "LEVEL_OF_ASSURANCE": "1",
            "RMS_DETAILS": "eyJhbGciOiJub25lIn0.eyJzZXNzaW9uIjpic3RhbmRhbG9uZV9zawiZGV0ZWN0aW9ucyI6W119LCJ0YWdzIjpbXX0.",
            "TM_SESSION_TRANSFER": "BjA4Tl2OxjEj7vKMxgQqgLanBs"
        },
        "authType": "AT_STDPWD"
    },
    "error_description": "Invalid grant: Step-up authentication required",
    "error": "invalid_grant"
}

HID RMS OpenID Calls

This section provides detailed examples of OpenID requests for the HID RMS.

Prerequisites:  

  • Configure a channel CH_RMS with HID RMS.

  • Create a system user with static login authenticator (for example, use spl-api and create a System Static Login authenticator with the password as password01).

For further information about the OpenID request, see Integrating the HID Authentication Service APIs.

Note: In the following examples, the exchanges include RMSINFO (in POST) and RMSDETAILS (in response) where:

  • They are in a plain JWT format

  • JWT can be converted online to access content details

  • The JWT content is specific to the RMS Provider

When integrating with ThreatMark™ as a RMS provider, the content of the JWT are JSONs containing the following items:

RMSINFO (Decoded)

Content

Step 1:

  • TM_CLIENT_IP containing the client IP

  • TM_SESSION_SID containing value from the generated RMS cookie named "TS01d4cc80"

  • TM_DEVICE_TAG containing value from the generated RMS cookie named "C8hDRqP6KY"

  • TM_APP_SESSION_ID is a mandatory field which contains a session ID (length 128, string value) issued by the Banking application's back-end system. This identifier has to be persistent throughout the whole session.

  • TM_ENVIRONMENT_ID containing the identification of the environment in which the application is running.

    For example, production, test environment, etc. can be set for each request by end-user application using parameter "TM_ENVIRONMENT_ID". If not, the default value from server is "Production".

  • TM_APP_DEVICE_ID can set the device ID for each request by the end-user application. If not, the default value from server is the id of the used device, if applicable.

  • TM_APP_USER_ALIAS can set the user ID for each request by the end-user application. If not, app_user_id is the default value.

Also for Step 2:

  • "TM_SESSION_TRANSFER" is the value of TM_SESSION_TRANSFER on the first step call.

Example

{"TM_SESSION_SID":"rYFcm65pkhoawGRFgN1URNXYHl3QAplH","TM_CLIENT_IP":"10.16.71.79","TM_DEVICE_TAG":"0OenNqAdlQ3apoVfHhdrbngavX4Uj3PT","TM_APP_SESSION_ID":"abc12345","TM_ENVIRONMENT_ID":"Production","TM_APP_DEVICE_ID":"D1234","TM_APP_USER_ALIAS":"User Name"}
RMS_DETAILS (Decoded)

Content

Provides the complete score explanation and the reasons for a high score.

Example
Copy 
{
            "session":{
                        "score":688,
                        "standalone_signals":[
                                    {"id":4426,"type":"PHISHING_PROBE_LOAD"},
                                    {"id":4427,"type":"NEW_USER_DEVICE"},
                                    {"id":4430,"type":"NEW_USER_LANGUAGE"}
                        ],
                        "detections":[]
            },
            "action":{
                        "score":0,
                        "standalone_signals":[],
                        "detections":[]
            },
            "risk":897,
            "device":{
                        "score":99,
                        "standalone_signals":[
                                    {"id":4429,"type":"UNKNOWN_WEBINJECT"},
                                    {"id":4437,"type":"UNKNOWN_WEBINJECT"},
                                    {"id":4450,"type":"UNKNOWN_WEBINJECT"}
                        ],
                        "detections":[]
            },
            "user":{
                        "score":110,
                        "standalone_signals":[],
                        "detections":[]
            },
            "tags":[]
}

Static Password Authentication (No Step-up Authentication)

Copy 
POST https://myserver/idp/ONLINEBANK/authn/token
Content-Type: application/x-www-form-urlencoded
Authorization: Bearer RTp7HwAAAWd49XAymijxrvKMwWLZ5fZ6S1VF

grant_type=password&username=testp1&password=activcard2018&context=RMSINFO:eyJhbGciOiJub25lIn0.eyJUTV9TRVNTSU9OX1NJRCI6InJZRm
NtNjVwa2hvYXdHUkZnTjFVUk5YWUhsM1FBcGxIIiwiVE1fQ0xJRU5UX0lQIjoiMTAuMTYuNzEuNzkiLCJUTV9ERVZJQ0VfVEFHIjoiME9lbk5xQWRsUTNhcG9WZkhoZHJibmdhdlg0VWozUFQifQ.:false
Copy

Response

HTTP/1.1 200 OKContent-Type: application/json;charset=UTF-8
{
    "access_token":"TXvBKAAAAWd5AGiHxQ\/X8RV\/IIrAug4yr9Jhuzqu",
    "context":{
        "TM_ACTION_ID":"4454",
        "LEVEL_OF_ASSURANCE":"1",
        "RMS_DETAILS":"eyJhbGciOiJub25lIn0.e…",
        "token_type":"Bearer",
        "expires_in":3600
    }
}

Static Password Authentication with an OTP Step-up

Note: In the example below, TM_AUTHENTICATION_TYPE_LIST shows the step-up policies that are available (for example, AT_EMPOTP, AT_PASA).

The step up will happen if the risk score returned by the first authentication exceeds the configured threshold.

In that case, the HID Authentication Service will return an error when performing the password authentication, and will force the client to use a second authentication policy.

First step is the same as before - a simple password authentication

Copy 
POST https://myserver/idp/ONLINEBANK/authn/token
Content-Type: application/x-www-form-urlencoded
Authorization: Bearer RTp7HwAAAWd49XAymijxrvKMwWLZ5fZ6S1VF

grant_type=password&username=testp1&password=activcard2018&context=RMSINFO:eyJhbGciOiJub25lIn0.eyJUTV9TRVNTSU9OX1NJRCI6InJZRm
NtNjVwa2hvYXdHUkZnTjFVUk5YWUhsM1FBcGxIIiwiVE1fQ0xJRU5UX0lQIjoiMTAuMTYuNzEuNzkiLCJUTV9ERVZJQ0VfVEFHIjoiME9lbk5xQWRsUTNhcG9WZkhoZHJibmdhdlg0VWozUFQifQ.:false

The response contains an error message explicitly asking the user to use a second authentication policy: 

Copy 
HTTP/1.1 400 Bad Request
{
    "hid_failure":{
        "reason":51,
        "context":{
            "TM_AUTHENTICATION_TYPE_LIST":"AT_EMPOTP,AT_PASA",
            "TM_ACTION_ID":"4464",
            "LEVEL_OF_ASSURANCE":"1",
            "RMS_DETAILS":"eyJhbGciOiJub25lIn0.e…",
            "TM_SESSION_TRANSFER":"hb4dGrRnmXN7xC9pVBH6e6XOCggneOLhDwRYagsA"
        },
        "authType":"AT_CUSTPW"
    },
    "error_description":"Invalid grant: Step-up authentication required",
    "error":"invalid_grant"
}

The second step is to select one of the authentication policies configured as the second factor. In the example, we will be using "AT_EMPOTP" (OTP authentication using the HID Approve app).

The "TM_SESSION_TRANSFER" value from the step 1 response should be part of the RMSINFO base64-encoded JSON value.

Copy 
POST https://myserver/idp/ONLINEBANK/authn/token HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Authorization: Bearer RTp7HwAAAWd49XAymijxrvKMwWLZ5fZ6S1VF6gyf
grant_type=password&username=testp1&password=662122&authType=AT_EMPOTP&mode=SYNCHRONOUS&context=RMSINFO:eyJhbGciOiJub25lIn0.eyJUTV9TRVNTSU9OX1NJRCI6InJZRmNtNjVwa2hvYXdHUkZnTjFVUk5YWUhsM1FBcGxIIiwiVE1fQ0xJR
U5UX0lQIjoiMTAuMTYuNzEuNzkiLCJUTV9TRVNTSU9OX1RSQU5TRkVSIjoiaGI0ZEdyUm5tWE43eEM5cFZCSDZlNlhPQ2dnbmVPTGhEd1JZYWdzQSIsIlRNX0RFVklDRV9UQUciOiIwT2VuTnFBZGxRM2Fwb1ZmSGhkcmJuZ2F2WDRVajNQVCJ9.:false

After using the second factor, the HID Authentication Service is approves the authentication request and sends the bearer token to the user: 

Copy 
HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
{
    "access_token":"TXvBKAAAAWd5UCD78H5sKTurkzygh6kMhyA7\/XyL",
    "context":{
        "TM_ACTION_ID":"4465",
        "RMS_DETAILS":"eyJhbGciOiJub25lIn0.e…",
        "token_type":"Bearer",
        "expires_in":86400
    }
}