Device & Network Risk
Checker Category: Risk — Device & Network
Used In Steps: Session Risk (all workflows), SMS Link (as add-on)
Used In Workflows: All workflows — runs at session start
Supported Countries: Global
Overview
LexisNexis ThreatMetrix provides passive device and session risk signals for every verification session. A JavaScript profiling tag loads on page and silently collects device fingerprint, IP address, browser and OS characteristics, and network signals — no user interaction required.
Four checker variants are available, differing in signal depth and location precision. The variant configured for your deployment is determined at setup time.
End User Requirements
None — passive JavaScript tag. User needs a web browser or mobile device.
Role in Layered Verification
Foundational risk layer. Catches device spoofing, bots, VPN/proxy, impossible travel, and velocity abuse — signals that PII matching cannot detect. Runs silently before any identity factor is collected. High-risk outcomes (TOR, OFAC, flagged IPs, velocity violations) deny the session immediately.
Overview
Full ThreatMetrix Advanced assessment. Comprehensive device fingerprinting, IP reputation, proxy/TOR/VPN detection, behavioral signals, velocity checks, and persona trust scoring. The standard variant used in the Session Risk step.
Acquired Attributes
| Attribute Name | Attribute Code | Fields | Description |
|---|---|---|---|
| Local Whitelist Detected Reason Codes | LocalWhitelistDetectedReasonCodes | Exact ID Whitelisted, Smart ID Whitelisted, Input IP Whitelisted, Input IP Org Whitelisted, True IP Whitelisted, True IP Org Whitelisted | Whitelist match reason codes. |
| Local Blacklist Detected Reason Codes | LocalBlacklistDetectedReasonCodes | Exact ID Blacklisted, Smart ID Blacklisted, Strong ID Blacklisted, Input IP Blacklisted, True IP Blacklisted, True IP Geo Blacklisted, True IP Org Blacklisted, Input IP Geo Blacklisted, Input IP Org Blacklisted, Email Domain Blacklisted | Blacklist match reason codes. |
| Local Watchlist Detected Reason Codes | LocalWatchlistDetectedReasonCodes | True IP Watchlisted, Proxy IP Watchlisted, DNS IP Watchlisted, Input IP Watchlisted | Watchlist match reason codes. |
| Browser Anomaly Checks Reason Codes | BrowserAnomalyChecksReasonCodes | SessionID Dup 5x, Session Cloaking, Browser Lang Anomaly, Screen Res Anomaly, Screen Color Depth Low, Browser Anomaly, and others | Browser anomaly signal reason codes. |
| Entity Reputation Checks Reason Codes | EntityReputationChecksReasonCodes | True IP Neg Reputation, Input IP Neg Reputation, Smart ID Neg Reputation, Exact ID Neg Reputation | Entity reputation reason codes. |
| Email Behavior Checks Reason Codes | EmailBehaviorChecksReasonCodes | Email Age >3 Months, New Email <1HR, New Email <1DY, Potential Machine Generated Email, Risky Email Domain, and others | Email behavioral signal reason codes. |
| Trust Tags Behavior Checks Reason Codes | TrustTagsBehaviorChecksReasonCodes | TT Check ExactID Login Passed 3x/Month, Device/IP Tagged Risky 2x/7Days, Device/IP Tagged Risky 5x/90Days, Device/IP Tagged Potential Bot 3x | Trust tag behavior reason codes. |
| Session Cloaking Checks Reason Codes | SessionCloakingChecksReasonCodes | Images Not Loaded, TrueIP WebRTC ExtIP Mismatch, TrueIP InputIP Mismatch, Remote Desktop, Cookies Disabled, Private Browsing, and others | Session cloaking signal reason codes. |
| Proxy/Tor/VPN Checks Reason Codes | ProxyTorVPNChecksReasonCodes | TOR Detected, VPN Detected, Potential VM, Hidden Proxy | Proxy, TOR, and VPN detection reason codes. |
| Proxy Type Match Checks Reason Codes | ProxyTypeMatchChecksReasonCodes | Anonymous Proxy, Open Proxy, Transparent Proxy | Proxy type classification reason codes. |
| Attribute Anomaly Checks Reason Codes | AttributeAnomalyChecksReasonCodes | StrongID w/ At Least 3 Emails, 5 Emails per SmartID/Month, New Email for User, New TrueIP Geo for User, Linked to Confirmed Fraud, and others | Attribute anomaly reason codes. |
| Proxy Geo/True Geo Mismatch Reason Codes | ProxyGeoTrueGeoMismatchReasonCodes | Device Proxy Geo Mismatch, Proxy Geo/True Geo Mismatch, True IP Proxy Geo Mismatch, and others | Geolocation mismatch reason codes. |
| Proximity Checks Reason Codes | ProximityChecksReasonCodes | Time Zone/True Geo Mismatch, Geo Language Mismatch, GPS WPS Mismatch, DNS Resolver 1000mi TrueIP, and others | Proximity consistency reason codes. |
| Distance Traveled Checks Reason Codes | DistanceTraveledChecksReasonCodes | ExactID True IP 500mi/hr, ExactID Input IP 500mi/hr, SmartID True IP 500mi/hr, Email True IP 500mi/hr, and others | Impossible travel detection reason codes. |
| Trusted Persona 1/2/3 Month Checks Reason Codes | TrustedPersona1MthChecksReasonCodes, TrustedPersona2MthChecksReasonCodes, TrustedPersona3MthChecksReasonCodes | 1/2/3 Month Trusted Exact/Smart/IP Persona | Trusted persona signal reason codes. |
| Persona Anomalies Reason Codes | PersonaAnomalies3MthReasonCodes, PersonaVariationsChecksReasonCodes | CC 3/5/10 Persona Variations/3 Months, New Email Since Last Login, 3 Local Persona Variations/DY, and others | Persona variation and anomaly reason codes. |
| Good Local Persona Checks Reason Codes | FiveDimGoodLclPersonaChecksReasonCodes, FourDimGoodLclPersonaChecksReasonCodes, ThreeDimGoodLclPersonaChecksReasonCodes | 3/4/5Dim Good Local Persona variants | Positive persona match reason codes. |
| Entity Velocity Checks Reason Codes | EntityVelocityChecksReasonCodes | Input IP 75x/HR, ExactID 10x/HR, 4 ExactID per Email/WK, and others | Velocity check reason codes. |
| ATO Checks Reason Codes | ATOChecksReasonCodes | Possible Bot Initiated ATO | Account takeover detection reason codes. |
| Malware / Bot / Jailbreak Reason Codes | MalwareChecksReasonCodes, BotDetectedReasonCodes, JailbreakOrRootDetectedReasonCodes, AndroidRootCloakDetectedReasonCodes | Malware Detection, Bot, Jailbreak or Root Detected, Android Root Cloaking | Malware, bot, and device integrity reason codes. |
| Global Blacklist/Whitelist Reason Codes | EntityDetectedInGlobalBlocklistReasonCodes, EntityDetectedInGlobalWhitelistReasonCodes | Device in Global List, SmartID Global Blacklist, Proxy IP in Global Blacklist/Whitelist, True IP in Global Blacklist/Whitelist | Global list match reason codes. |
| Aggregator Detected Reason Codes | AggregatorDetectedReasonCodes | Aggregator Detection | Aggregator service detection reason codes. |
| Device and Network Risk Score | TMXScore | — | Composite device and network risk score. |
| True IP | TrueIP | — | Device's true IP address. |
| True IP Geo Country Code | TrueIPGeoCountry | True IP Geo Country | Country code from true IP geolocation. |
| True IP Geo Postal Code | TrueIPPostalCode | True IP Postal Code | Postal code from true IP geolocation. |
| Fuzzy Device ID | FuzzyDeviceID | — | Fuzzy device identifier. |
| Fuzzy Device ID Confidence | FuzzyDeviceIDConfidence | — | Confidence score for fuzzy device ID. |
| Digital ID | DigitalID | — | Digital identity identifier. |
| Digital ID Confidence | DigitalIDConfidence | — | Confidence score for digital ID. |
| NEAT Persona Age (Months) | NEATPersonaAgeMonths | NEAT Persona Age | Age of the NEAT persona in months. |
| Exact ID & IP Persona Age (Months) | ExactIDIPPersonaAgeMonths | Exact ID + IP Persona Age | Age of the Exact ID + IP persona in months. |
| SmartID & Browserstring Persona Age (Months) | SmartIDBrowserstringPersonaAgeMonths | Smart ID Browser String Persona Age | Age of the SmartID + browser string persona in months. |
| Device Type | Platform | — | Device platform type. |
| True IP Latitude / Longitude | TrueIPLatitude, TrueIPLongitude | — | Latitude and longitude from true IP. |
| True IP City / State / Country | TrueIPCity, TrueIPStateOrRegion | — | City and state from true IP geolocation. |
| True IP Connection / Line Speed / Routing / Hosting | TrueIPConnectionType, TrueIPLineSpeed, TrueIPRoutingType, TrueIPHostingFacility | — | Network characteristics of the true IP. |
| Browser Language | BrowserLanguage | — | Browser language setting. |
| Time Zone Code / Name | TimeZoneCode, TimeZoneName | — | Device time zone. |
| Proxy Score | ProxyScore | — | Proxy likelihood score. |
| WebRTC External IP | WebRTCExternalIP | — | External IP exposed via WebRTC. |
| Session Verdict | SessionVerdict | — | ThreatMetrix session verdict. |
| Session Processing Verdict | SessionProcessingVerdict | — | Processing-level verdict. |
| Session Risk Rating Verdict | SessionRiskRatingVerdict | — | Risk rating verdict for the session. |
Assertions
| Assertion Name | Assertion Key | Description |
|---|---|---|
| Multi-Attribute Local Watchlist Check | Watchlist.localCheckDetected | Indicates whether any entity (IP, device, email, or identity) matches an entry on the local watchlist. Passes if no match is found; fails if a match is detected. |
| Multi-Attribute Local Blacklist Check | blacklist.localCheckDetected | Indicates whether any entity (IP, device, email, or identity) matches an entry on the local blacklist. Passes if no match is found; fails if a match is detected. |
| 3-Attribute Good Local Persona Check | detect.3DIMGoodLCLPersonaCheck | Assesses whether the session matches a known good local persona across 3 identity attributes. Passes if a match is found; fails if no good local persona match is established. |
| 4-Attribute Good Local Persona Check | detect.4DIMGoodLCLPersonaCheck | Assesses whether the session matches a known good local persona across 4 identity attributes. Passes if a match is found; fails if no good local persona match is established. |
| 5-Attribute Good Local Persona Check | detect.5DIMGoodLCLPersonaCheck | Assesses whether the session matches a known good local persona across 5 identity attributes. Passes if a match is found; fails if no good local persona match is established. |
| Account Takeover Check | detect.ATOCheck | Assesses the session for signals indicative of an account takeover (ATO) attempt. Passes if no ATO signals are detected; fails if suspicious signals are present. |
| Device Root Cloaking Check | detect.androidRootCloak | Indicates whether the device is using root-cloaking techniques to hide root access. Passes if no cloaking is detected; fails if cloaking is identified. |
| Session ID Replay Check | detect.apSessionIDNotReplay | Confirms that the session ID has not been replayed from a prior session. Passes if the session ID is unique; fails if a replay is detected. |
| Identity Suspicious Behavior Check | detect.attributeAnomaly | Assesses identity attributes for suspicious patterns such as unusual velocity or cross-entity associations. Passes if no suspicious patterns are detected; fails if suspicious signals are present. |
| Session Bot Check | detect.bot | Indicates whether the session exhibits automated bot behavior. Passes if no bot behavior is detected; fails if bot activity is identified. |
| Browser Anomaly Check | detect.browserAnomalyCheck | Assesses the session for browser-related anomalies that may indicate automation or fraud. Passes if no anomalies are detected; fails if suspicious signals are present. |
| Email Suspicious Behavior Check | detect.emailBehaviorCheck | Assesses the provided email address for suspicious behavioral patterns such as recent creation, machine generation, or risky domain usage. Passes if no suspicious patterns are detected; fails if risky signals are present. |
| Multi-Attribute Global Blacklist Check | detect.entityINGlobalBlocklist | Indicates whether any entity (device, IP, or identity) matches an entry on the global blacklist. Passes if no match is found; fails if a match is detected. |
| Identity and IP Address Global Whitelist Check | detect.entityINGlobalWhitelist | Indicates whether any identity or IP address matches an entry on the global whitelist. Passes if a match is found; fails if no whitelist entry is matched. |
| Device and IP Address Reputation Check | detect.entityReputationCheck | Assesses the reputation of the device and IP address based on historical behavior across the network. Passes if reputation is within acceptable thresholds; fails if reputation falls below acceptable thresholds. |
| Jailbreak Check | detect.jailbreakORRoot | Indicates whether the mobile device has been jailbroken (iOS) or rooted (Android). Passes if neither condition is detected; fails if either is identified. |
| Persona Change Velocity Check (3 Months) | detect.personaAnomalies3MTH | Assesses persona-level changes over a rolling 3-month window for signs of excessive or abnormal variation. Passes if changes are within expected thresholds; fails if anomalous patterns are detected. |
| Persona Suspicious Behavior Check | detect.personaVariationsCheck | Assesses persona attributes for unusual variations that deviate from established behavioral norms. Passes if no suspicious variations are detected; fails if anomalous patterns are present. |
| Geolocation Proximity Consistency Check | detect.proximityCheck | Assesses geographic consistency by evaluating whether access locations align with expected proximity patterns. Passes if locations are consistent; fails if significant inconsistencies are detected. |
| Proxy Geolocation Matches Device Geolocation | detect.proxyGEO/TRUEGEOMismatch | Compares the proxy server's geolocation to the device's geolocation. Passes if they match; fails if a geographic mismatch is detected. |
| Proxy, Tor, and VPN Check | detect.proxyTorVPN | Indicates whether the device is connecting through a proxy, Tor network, or VPN. Passes if none are detected; fails if any are identified. |
| Proxy Type Consistency Check | detect.proxyTypeMatch | Assesses whether the observed proxy characteristics are consistent with the expected proxy type. Passes if characteristics are consistent; fails if an inconsistency is detected. |
| Session Cloaking Check | detect.sessionCloaking | Assesses the session for cloaking techniques such as disabled cookies, remote desktop usage, device spoofing, or private browsing. Passes if no cloaking is detected; fails if cloaking signals are present. |
| Device and User Suspicious Behavior Check | detect.trustTagBehavior | Assesses behavioral signals for the device and user, including login frequency and risky tagging history. Passes if signals are within acceptable patterns; fails if risky signals are detected. |
| Device Impossible Travel Check | test.distanceTraveledCheck | Assesses whether the device's detected location has changed at an implausibly rapid rate within a session. Passes if location changes are within expected limits; fails if an impossible or suspicious location shift is detected. |
| Multi-Attribute Suspicious Activity Check | test.entityVelocityCheck | Assesses multiple entity types (IP, device, identity) for suspicious activity velocity such as excessive requests within a time window. Passes if velocity is within acceptable limits; fails if thresholds are exceeded. |
| Impossible Travel Check (>= 200 mi/hr) | test.impossibletravel_200mi1hr | Assesses whether the device's True IP geolocation has exceeded 200 miles of travel within 1 hour, indicating impossible travel. Passes if travel is within this limit; fails if it is exceeded. |
| Good Local Persona Check (1 Month) | test.trustedPersona1MTH | Assesses whether the persona has established a trusted pattern over a 1-month window. Passes if a trusted pattern is confirmed; fails if one is not. |
| Good Local Persona Check (2 Months) | test.trustedPersona2MTH | Assesses whether the persona has established a trusted pattern over a 2-month window. Passes if a trusted pattern is confirmed; fails if one is not. |
| Good Local Persona Check (3 Months) | test.trustedPersona3MTH | Assesses whether the persona has established a trusted pattern over a 3-month window. Passes if a trusted pattern is confirmed; fails if one is not. |
| Local Whitelist Check | whitelist.localCheckDetected | Indicates whether any entity (IP, device, or identity) matches an entry on the local whitelist. Passes if a match is found; fails if no whitelist entry is matched. |
Notes and Limitations
Requires JavaScript profiling tag on verification page — profiling completes in 3–5 seconds.
Recommend disabling submit button until profiling completes.
This is the standard variant — ThreatMetrix Advanced. The original ThreatMetrix integration is deprecated; reference Advanced assertion keys.
Testing & Expected Results
| Scenario | Input | Expected Result |
|---|---|---|
| Standard session — low risk | Standard browser, clean network | Session proceeds — low risk score |
| High risk — TOR | TOR browser | High risk signal — session denied |
| High risk — flagged IP | Known flagged IP | High risk signal — session denied |
| Trusted device | Previously verified device | test.trustedDevice passes |
Related Resources
→ Session Risk Step | → Identity Verification | → Continuous Re-Authentication | → NIST IAL2
Updated about 19 hours ago