Adaptive MFA Assessor codes

Problem statement

We want to implement Adaptive MFA with Rules. Instead of using the confidence value (low, medium, or high), we want to use the Assessors code. And we need the details about what each code stands for.

Solution

NewDevice:

  • match → device id and user agent match.

  • partial_match → either the device id or the user agent match, not both.

  • no_match → we have both things but neither of them matches our records.

  • initial_login → Initial login for this user.

  • unknown_device → we don’t have the device cookie nor a complete user agent.

  • no_device_history → no matches for this device at all in our records.

  • assessment_not_available → check the answer below.

ImpossibleTravel:

  • minimal_travel_from_last_login

  • travel_from_last_login

  • substantial_travel_from_last_login
    The 3 options from above don't signal impossible travel. These just provide contextual information about the user's location, and if there was minimal, regular, or substantial travel for this user, and the confidence score will depend on the patterns previously displayed by this user.

  • impossible_travel_from_last_login → User is logging in from a location that would signal impossible travel.

  • invalid_travel → An invalid result, like infinite distance or NaN.

  • mission_geoip → No GeoIP information available.

  • anonymous_proxy → An anonymizer is used to make activity on the Internet untraceable.

  • unknown_location → Could not identify geolocation information obtained.

  • initial_login → Initial login for this user.

  • location_history_not_found → 2 days have passed since the user last logged in and the location info was deleted.

  • assessment_not_available → check the answer below.

UntrustedIP:

  • not_found_on_deny_list → IP not found on any of Auth0’s denyLists.

  • found_on_deny_list → IP found on at least one of Auth0’s denyLists. Not necessarily risky. There are some scenarios where the IP has been found on a deny list but is getting a high score. This is because the list where the IP has been found is not malicious per se so we don’t give the IP a low score. Because of that we just inform it in case the customer would like to take action.

  • invalid_ip_address → IP forwarded in the headers is not a valid one.

  • assessment_not_available → check the answer below.

assessment_not_available: → In the unlikely case of an assessment back-end system failure, the assessment code will be assessment_not_available and the associated confidence will be low because Auth0 defaults to a secure behavior.