Device Profiling

Overview

This guide will walk you through how to conduct Passive Risk Analysis through Device Profiling with AXN Manage.

Using Device Profiling Test Application


Opening the Test Application will profile your device using JavaScript:

<script
src="https://api.preprod.iddataweb.com/v1/profile/tmx/tags.js?pageid=3&profilingdomain=content.maxconnector.com&org_id=716kkpe1&session_id=12345">
</script>

and generate your Session ID:


Your device was profiled successfully. Your session ID is: 5fb9f50f-7068-468c-a8d2-f0f90581dd0a


🚧

IMPORTANT:

It is important that the script runs and completes before your user navigates away from the web page. If your user leaves or is able to move past the web page before the script finishes running, this can produce inconclusive results.

For example, if there is a login or continue button, we recommend disabling it until the script has finished running, which on average takes around 3-5 seconds (code sample below).

<html lang="en">
  <head>
    <script>

    // Generate a random Session ID.
    var sessionID = crypto.randomUUID();

    // Create an HTML script element.
    var profiler = document.createElement("script");

    // Set the script's source equal to the ThreatMetrix endpoint + your Session ID.
    profiler.src = "https://api.iddataweb.com/v1/profile/tmx/tags.js?pageid=3&profilingdomain=content.maxconnector.com&org_id=716kkpe1&session_id=" + sessionID;

    // Append the script to the current web page.
    document.getElementsByTagName("head")[0].appendChild(profiler);

    // Enable your login button after 5 seconds (runs once).
    setTimeout(() => {
      document.getElementById('login-button').disabled = false;
      document.getElementById('session-id').innerHTML = "Your Session ID is: " + '<b>' + sessionID + '</b>';
    }, 5000);

    </script>
  </head>
  <body>
    <p id="session-id">Your Session ID is: <b>...loading</b></p>
    <button style="width: 250px; height: 30px;" id="login-button" disabled>Login</button>
  </body>
</html>

📘

Session ID identifies your profiling session.

It is also used to obtain your device profiling results. It can be any length, but it must be a unique value.

Keep this Session ID on-hand. It will be used in the following step.


Profiling Complete Function

An alternative and safer approach is to use the profilingComplete function. This function is automatically called when the profiling step is complete and allows you to prevent the user from proceeding until the device is fully profiled. Specifically, you can disable the login button or prevent the /slverify API call from firing until the function completes. Here is a code sample:

// Implement a function to re-enable the disabled button and call /slverify
function tmx_profiling_complete(session_id)
{
    console.log("tmx_profiling_complete called with session_id " + session_id);

    // Make login button clickable
    document.getElementById('login-button').disabled = false;

    // Call /slverify
    const url = 'https://api.preprod.iddataweb.com/v1/slverify';
    const data = {
        "credential": "[email protected]",
        "apikey": "your-threatmetrix-apikey",
        "userAttributes": [
            {
                "attributeType": "APSessionID",
                "values": {
                    "apSessionId": "your-unique-session-id"
                }
            }
        ]
    };

    // Anything embedded in page script is readable by the user of the page.
    const token = 'YOUR_BEARER_TOKEN_HERE'; // Replace with your actual bearer token

    fetch(url, {
        method: 'POST',
        headers: {
            'Content-Type': 'application/json',
            'Authorization': `Bearer ${token}`
        },
        body: JSON.stringify(data)
    })
    .then(response => response.json())
    .then(data => {
        console.log('Success:', data);
    })
    .catch((error) => {
        console.error('Error:', error);
    });

}
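
One way to handle the case where the profiling tag is blocked or never calls back, as an added example that is not ID DataWeb's own code. It reuses the tag URL and login-button id from the samples above; createProfilingGate, its option names, the 10-second ceiling and the data-profiled attribute are hypothetical, and it assumes the callback receives the same session ID that was passed in the tag URL.

```javascript
// Added example. createProfilingGate and its option names are hypothetical
// helpers, not part of the ID DataWeb or ThreatMetrix API.
function createProfilingGate(expectedSessionId, opts = {}) {
  // timeoutMs is an assumed ceiling, above the 3-5 s average the guide quotes.
  const { timeoutMs = 10000, schedule = setTimeout, cancel = clearTimeout } = opts;
  let outcome = null; // stays null until profiling completes, errors or times out
  let timer = null;
  let resolve;
  const done = new Promise((r) => { resolve = r; });

  function finish(result) {
    if (outcome !== null) return; // first outcome wins
    outcome = result;
    if (timer !== null) cancel(timer);
    resolve(result);
  }

  // A blocked or failed tag never calls back, so bound the wait.
  timer = schedule(() => finish({ profiled: false, reason: "timeout" }), timeoutMs);

  return {
    done,
    outcome: () => outcome,
    // Assign to window.tmx_profiling_complete.
    onComplete(sessionId) {
      if (sessionId !== expectedSessionId) return; // not the session this page started
      finish({ profiled: true, sessionId });
    },
    onLoadError() { finish({ profiled: false, reason: "script-error" }); },
  };
}

// Browser wiring (skipped when no DOM is present).
if (typeof document !== "undefined") {
  const sessionID = crypto.randomUUID();
  const gate = createProfilingGate(sessionID);
  window.tmx_profiling_complete = gate.onComplete;

  const profiler = document.createElement("script");
  profiler.src = "https://api.preprod.iddataweb.com/v1/profile/tmx/tags.js?pageid=3&profilingdomain=content.maxconnector.com&org_id=716kkpe1&session_id=" + encodeURIComponent(sessionID);
  profiler.onerror = gate.onLoadError;
  document.head.appendChild(profiler);

  gate.done.then((result) => {
    const button = document.getElementById("login-button");
    button.dataset.profiled = String(result.profiled); // lets the submit handler report an unprofiled session
    button.disabled = false;
  });
}
```

When the outcome is not profiled, the session has no complete device profile, so the login handler can pass that fact on for the inconclusive result to be handled deliberately.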
 

Using the Device Profiling Postman Project

Open the Postman Project. Then, generate an access token using the first request in the collection: Get Token.

This token will allow you to make requests to the AXN Verify API.


📘

To generate an Access Token, use any API Key/Secret pair from ID DataWeb Admin > Workflows.

Place them in Postman under Get Token > Authorization, as Username and Password.


Your response body will contain the property: access_token. This token ensures that your next request is authenticated.



Grab the Session ID you created with your Test Application, and add it to the body of the next request, Get Score, under apSessionId.


📘

Use the Bearer token obtained from the previous step to authenticate your request.


Click SEND, and within milliseconds, you'll receive the results from your Session.

Scroll further, and you'll find the property, policyDecision.

This value expresses a decision (should the transaction proceed, or halt) made from assessing the information gathered from running your Test Application.

If your device or user activity were found to be high risk (fraud), this output would inform you of the fraudulent activity found, and the transaction (session) would be prevented from proceeding further.



Understanding the results

The results of this API call provide the full risk score of your device.

For a high-level overview of all the results received

For a detailed look at any one of your result's properties

For more information on policyDecision, and how it relates to your application

Next Steps

See Trust Device to learn how to trust your user post-device profiling.



What’s Next

Next - let's challenge the user with MFA.