Overview of Session Risk Verification

An overview of the Session Risk Verification service.

Summary

Session Risk Verification is included in each of the five standardized, best-practice workflows that ID DataWeb offers. For less sensitive use cases, Session Risk Verification can also serve as a standalone method for verifying against malicious behavior as opposed to verifying for identity. Session Risk Verification enables us to verify the relationships between user-collected attributes (browser type, geolocation, device ID, IP address, and much more) as opposed to user-declared attributes (full name, phone number, government document, etc.). A few uses of Session Risk Analysis are:

  • In the context of keeping account opening and registration processes secure, malicious users may attempt to undermine the process using tools of the trade. Those tools are also indicators, such as the use of a TOR browser, proxy, aggregator, OFAC-listed IP address, or a browser engaged in anomalous, malware-indicative, or generally unusual behavior (such as spending less than 0.2 seconds per page, as a bot would). Using environmental analysis, we can identify those indicators and prevent that user from entering the process before they even have a chance to attempt identity fraud. This mechanic can be extensively fine-tuned using the policy engine to look at a combination of factors and step up users requiring full verification or re-verification.

  • In the context of keeping account opening and registration processes economical, malicious users may attempt to brute force their way through the process, resulting in costly spam as these users consume identity verification resources and increase their odds of success through sheer volume. Using device and credential fingerprinting, we can count the number of times a device or credential (like an email) has been seen and prevent that user from entering the process after exceeding a certain count. This mechanic can be extensively fine-tuned using the policy engine to allow flexibility for households with multiple users on the same device, emails of a certain age or risk level, etc.

  • In the context of less sensitive use cases, verifying against malicious behavior as opposed to verifying for identity addresses user experience and privacy concerns without sacrificing security. This is particularly important when serving privacy-related requests such as data deletion requests, which have a low risk of fraud (as opposed to data access and deletion requests) and a high risk of user frustration should users be prompted to provide more data while actively requesting to provide less. Those frustrations can become regulatory compliance issues if the process is under the purview of GDPR/CCPA/CPRA.
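The first two uses above can be combined in a single policy decision. The sketch below is an added example, not ID DataWeb's policy engine or API: the flag names, the sighting limits, and the rule that a repeat device or email below its limit triggers step-up are all assumptions, and only the 0.2-second figure comes from the text.

```python
from collections import Counter
from dataclasses import dataclass

# Assumed thresholds; only the 0.2 s per-page figure comes from the text above.
MIN_SECONDS_PER_PAGE = 0.2
MAX_DEVICE_SIGHTINGS = 5   # assumption: leaves room for a shared household device
MAX_EMAIL_SIGHTINGS = 3    # assumption
HARD_INDICATORS = {"tor", "proxy", "aggregator", "ofac_ip"}  # hypothetical flag names

@dataclass(frozen=True)
class Session:
    device_id: str
    email: str
    indicators: frozenset = frozenset()   # environmental flags for this session
    page_seconds: tuple = ()               # time spent on each page, in seconds

class SessionRiskPolicy:
    """Returns ('deny' | 'step_up' | 'allow', reasons) for each session seen."""
    def __init__(self):
        self.device_seen, self.email_seen = Counter(), Counter()

    def evaluate(self, s):
        email = s.email.lower()
        self.device_seen[s.device_id] += 1
        self.email_seen[email] += 1
        # Environmental analysis: any hard indicator or bot-like pace denies.
        reasons = [f"indicator:{h}" for h in sorted(HARD_INDICATORS & s.indicators)]
        if s.page_seconds and sum(s.page_seconds) / len(s.page_seconds) < MIN_SECONDS_PER_PAGE:
            reasons.append("bot_like_dwell_time")
        if reasons:
            return "deny", reasons
        # Fingerprint counting: deny once a device or email exceeds its limit.
        if self.device_seen[s.device_id] > MAX_DEVICE_SIGHTINGS:
            return "deny", ["device_velocity"]
        if self.email_seen[email] > MAX_EMAIL_SIGHTINGS:
            return "deny", ["email_velocity"]
        # Assumption: a repeat below the limit steps up to full verification.
        if self.device_seen[s.device_id] > 1 or self.email_seen[email] > 1:
            return "step_up", ["repeat_device_or_credential"]
        return "allow", []

def demo():
    """Runs constructed sessions through the policy and returns the decisions."""
    policy = SessionRiskPolicy()
    sessions = [
        Session("dev-A", "a@example.com", page_seconds=(4.1, 9.0)),
        Session("dev-A", "b@example.com", page_seconds=(6.3, 2.2)),
        Session("dev-B", "c@example.com", frozenset({"tor"}), (3.0,)),
        Session("dev-C", "d@example.com", page_seconds=(0.1, 0.15)),
    ]
    return [policy.evaluate(s)[0] for s in sessions]
```

Denied sessions still increment the counters, so repeated attempts from a flagged device keep counting toward its limit.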

Session Risk Verification is a flexible and ubiquitous tool that can enhance or replace an identity verification workflow. It can also be an economical, first-line solution to prevent spammers from hitting more expensive verification services.

For information on how we apply similar methods to secure ongoing authentication, please see "AXN Manage".

Integration and Testing

Coming soon...