Device Profiling
Overview
This guide will walk you through how to conduct Passive Risk Analysis through Device Profiling with AXN Manage.
📘 Prerequisites
Download the Device Profiling Test Application
Download the Device Profiling Postman Project
Using Device Profiling Test Application
Opening the Test Application will profile your device using JavaScript:
<script
src="https://api.preprod.iddataweb.com/v1/profile/tmx/tags.js?pageid=3&profilingdomain=content.maxconnector.com&org_id=716kkpe1&session_id=12345">
</script>
and generate your Session ID:
Your device was profiled successfully. Your session ID is: 5fb9f50f-7068-468c-a8d2-f0f90581dd0a
IMPORTANT:
It is important that the script runs and completes before your user navigates away from the web page. If your user leaves or is able to move past the web page before the script finishes running, the results can be inconclusive.
For example, if there is a login or continue button, we recommend disabling it until the script has finished running, which takes around 3-5 seconds on average (code sample below).
<html lang="en">
<head>
  <script>
    // Generate a random Session ID.
    var sessionID = crypto.randomUUID();
    // Create an HTML script element.
    var profiler = document.createElement("script");
    // Set the script's source equal to the ThreatMetrix endpoint + your Session ID.
    profiler.src = "https://api.iddataweb.com/v1/profile/tmx/tags.js?pageid=3&profilingdomain=content.maxconnector.com&org_id=716kkpe1&session_id=" + sessionID;
    // Append the script to the current web page.
    document.getElementsByTagName("head")[0].appendChild(profiler);
    // Enable your login button after 5 seconds (setTimeout runs once; setInterval would repeat every 5 seconds).
    setTimeout(() => {
      document.getElementById('login-button').disabled = false;
      document.getElementById('session-id').innerHTML = "Your Session ID is: " + '<b>' + sessionID + '</b>';
    }, 5000);
  </script>
</head>
<body>
  <p id="session-id">Your Session ID is: <b>...loading</b></p>
  <button style="width: 250px; height: 30px;" id="login-button" disabled>Login</button>
</body>
</html>
Session ID identifies your profiling session.
It is also used to obtain your device profiling results. It can be any length, but it must be a unique value.
Keep this Session ID on hand. It will be used in the following step.
Profiling Complete Function
An alternative and safer approach is to use the profilingComplete function (tmx_profiling_complete in the sample below). This function is called automatically when the profiling step is complete, which lets you prevent the user from proceeding until the device is fully profiled. Specifically, you can keep the login button disabled, or prevent the /slverify API call from firing, until the function has been called. Here is a code sample:
// Implement a function to reenable the disabled button and call /slverify
function tmx_profiling_complete(session_id)
{
  console.log("tmx_profiling_complete called with session_id "+session_id);
  // Make login button clickable
  document.getElementById('login-button').disabled = false;
  // Call /slverify
  const url = 'https://api.preprod.iddataweb.com/v1/slverify';
  const data = {
    "credential": "[email protected]",
    "apikey": "your-threatmetrix-apikey",
    "userAttributes": [
      {
        "attributeType": "APSessionID",
        "values": {
          "apSessionId": "your-unique-session-id"
        }
      }
    ]
  };
  const token = 'YOUR_BEARER_TOKEN_HERE'; // Replace with your actual bearer token
  fetch(url, {
    method: 'POST',
    headers: {
      'Content-Type': 'application/json',
      'Authorization': `Bearer ${token}`
    },
    body: JSON.stringify(data)
  })
    .then(response => response.json())
    .then(data => {
      console.log('Success:', data);
    })
    .catch((error) => {
      console.error('Error:', error);
    });
}
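If the button is enabled only from the callback, it stays disabled for good whenever tags.js is blocked or never loads. The following is an added example, not code from ID DataWeb or from the original page, that gates the login button on tmx_profiling_complete with a bounded fallback and records which outcome occurred. createProfilingGate, its options, the data-profiling attribute and the 10-second budget are assumptions, as is the callback receiving the same session ID that was placed in the tag URL.

```javascript
// Added example. Only tmx_profiling_complete, the tags.js URL and the
// login-button id come from the page; every other name is hypothetical.
function createProfilingGate(expectedSessionId, opts = {}) {
  const { timeoutMs = 10000, schedule = setTimeout, onSettle = () => {} } = opts;
  let state = "pending"; // pending -> "profiled" | "timed_out"

  function settle(next) {
    if (state !== "pending") return state; // first outcome wins, later calls are ignored
    state = next;
    onSettle(state);
    return state;
  }

  // Fallback: if the tag is blocked or slow, stop waiting, but record that the
  // session was NOT profiled so the backend can apply its own policy.
  schedule(() => settle("timed_out"), timeoutMs);

  return {
    // Called from tmx_profiling_complete(session_id).
    complete(sessionId) {
      if (sessionId !== expectedSessionId) return state; // not our session
      return settle("profiled");
    },
    state: () => state,
  };
}

// Browser wiring; skipped when no DOM is present (for example under Node).
if (typeof document !== "undefined") {
  const sessionID = crypto.randomUUID();
  const gate = createProfilingGate(sessionID, {
    timeoutMs: 10000, // assumed budget, above the 3-5 s average quoted above
    onSettle(outcome) {
      const button = document.getElementById("login-button");
      button.dataset.profiling = outcome; // submit this with the login request
      button.disabled = false;
    },
  });
  // Register the callback BEFORE the tag is appended so it cannot be missed.
  window.tmx_profiling_complete = (id) => gate.complete(id);
  const profiler = document.createElement("script");
  profiler.src = "https://api.iddataweb.com/v1/profile/tmx/tags.js?pageid=3" +
    "&profilingdomain=content.maxconnector.com&org_id=716kkpe1&session_id=" + sessionID;
  document.head.appendChild(profiler);
}
```

A session that settles as timed_out has no profiling data behind it, so the server handling the login should see that flag rather than assume a score exists.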
Using the Device Profiling Postman Project
Open the Postman Project. Then, generate an access token using the first request in the collection: Get Token.
This token will allow you to make requests to the AXN Verify API.
To generate an Access Token, use any API Key/Secret pair from ID DataWeb Admin > Workflows.
Place them in Postman under Get Token > Authorization, as Username and Password.
Your response body will contain the property: access_token. This token ensures that your next request is authenticated.
Grab the Session ID you created with your Test Application, and add it to the body of the next request, Get Score, under apSessionId.
Use the Bearer token obtained from the previous step to authenticate your request.
Click SEND, and within milliseconds, you'll receive the results from your Session.
Scroll further, and you'll find the property, policyDecision.
This value expresses a decision (should the transaction proceed, or halt) made from assessing the information gathered from running your Test Application.
If your Device or User Activity was found to be high risk (fraud), this output would inform you of any fraudulent activity found, and the transaction (session) would be prevented from proceeding further.
Understanding the results
The results of this API call provide the full risk score of your device.
For a high-level overview of all the results received
For a detailed look at any one of your result's properties
For more information on policyDecision, and how it relates to your application
Next Steps
See Trust Device to learn how to trust your user post-device profiling.