Howdy!
I am working on consuming Auth0 Log Events into Snowflake and building out reporting for our analytics team.
One of the first requests is to create a table with 1 row per login attempt and summarize what happened. The table should show the 2nd authentication factor used and any error if the login was unsuccessful.
Using the log events, I need to define:
- A login attempt for a user on a device
- The authentication factors used
- Whether the login succeeded
- If login failed, what was the reason
The first question is whether there is any concrete way to tie events together? Something like a correlation or session id. As an example, if a user tries to login, fails several times, then enrolls in a 2nd auth factor, and successfully logs in, how do I tie all of those together on a given device?
There is a field called user_id that has our own internal CustomerID field so that lets me tie events across a user (assuming each event has the user_id). I also see a device_id field in the gd_* events which I was hoping would let me tie events across a device, but the s events don’t have the device_id field. I see a sessionID in s events, but not in the gd_* events. Is there any ID shared across all events during the login process? The concern there is: what if a user has multiple devices and tries logging in from the desktop site, then tries to login from the app on their phone? How do I group the events by the user and device including the login success event?
Next question is, what is the best way to define the authentication factors used in a login attempt? I found an example where a login success event for a user had no prior MFA enrollment events:
{
  "client_id": "[redacted]",
  "client_name": "Customer Portal",
  "connection_id": "",
  "date": "2022-09-14T00:34:19.095Z",
  "details": {
    "completedAt": 1663115659094,
    "elapsedTime": 938,
    "initiatedAt": 1663115658156,
    "prompts": [
      {
        "completedAt": 1663115658822,
        "elapsedTime": 622,
        "flow": "universal-mfa",
        "initiatedAt": 1663115658200,
        "name": "mfa"
      }
    ],
    "riskAssessment": {
      "assessments": {
        "ImpossibleTravel": {
          "code": "initial_login",
          "confidence": "high"
        },
        "NewDevice": {
          "code": "initial_login",
          "confidence": "high"
        },
        "UntrustedIP": {
          "code": "not_found_on_deny_list",
          "confidence": "high"
        }
      },
      "confidence": "high",
      "version": "1"
    },
    "session_id": "[redacted]"
  },
  "hostname": "[redacted]",
  "ip": "[redacted]",
  "log_id": "[redacted]",
  "type": "s",
  "user_agent": "Mozilla/5.0 (iPhone; CPU iPhone OS 15_6_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.6.1 Mobile/15E148 Safari/604.1",
  "user_id": "[redacted]",
  "user_name": "[redacted]"
}
I see under prompts, which I assume is telling me how they logged in, the name is "mfa", but I don't see anything in this user's event history indicating any sort of MFA enrollment. What does mfa mean in this event?
In another example, I found a user that enrolled in webauthn as their 2nd factor. I then found a login success event after their enrollment. This is the example of the prompts field of the login success event:
"prompts": [
  {
    "completedAt": 1664807561480,
    "elapsedTime": 8615,
    "flow": "universal-login",
    "initiatedAt": 1664807552865,
    "name": "login",
    "passwordless_amr": "*****",
    "performed_acr": [
      "http://schemas.openid.net/pape/policies/2007/06/multi-factor"
    ],
    "performed_amr": [
      "mfa"
    ],
    "timers": {
      "rules": 22
    },
    "user_id": "auth0|[redacted]",
    "user_name": "[redacted]"
  }
],
I can’t tell the authentication factors from this. Do I need to look back at their enrollment success events? If so, how do I look by user and device?
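As an added worked example (it is not part of the original post and not Auth0 code or documentation), the script below shows one way to turn a stream of log events into the "one row per login attempt" table described above, given that no single identifier is shared between the `s` and `gd_*` events. It makes several assumptions that the post does not confirm and that you should validate against your own tenant's logs: a device is approximated by `(user_id, ip, user_agent)` because nothing better spans both event families; an attempt is closed by a success (`s`) event or by an inactivity window (30 minutes, chosen arbitrarily); the failure type codes (`f`, `fp`, `fu`, `gd_auth_failed`), the enrollment code (`gd_enrollment_complete`) and the top-level `description` field are Auth0 names the post never shows; and the `details.factor` field on the enrollment event is purely hypothetical, standing in for whatever field actually names the enrolled method. The sample events are constructed, and only the field shapes quoted in the post (`type`, `date`, `user_id`, `ip`, `user_agent`, `details.session_id`, `details.prompts[].name` / `flow` / `performed_amr`) are taken from it.

```python
"""Sessionize Auth0-style log events into login attempts (illustrative, not Auth0's own logic)."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Event type codes. Only "s" appears in the post; the rest are assumptions.
SUCCESS_TYPES = {"s"}
FAILURE_TYPES = {"f", "fp", "fu", "gd_auth_failed"}
ENROLLMENT_TYPES = {"gd_enrollment_complete"}
GAP = timedelta(minutes=30)  # assumed inactivity window that closes an unfinished attempt


def _ev(log_id, type_, date, user_agent, **extra):
    """Build a constructed sample event with the common top-level fields (not real Auth0 output)."""
    base = {"log_id": log_id, "type": type_, "date": date, "user_id": "auth0|u1",
            "ip": "203.0.113.10", "user_agent": user_agent}
    base.update(extra)
    return base


DESKTOP = "Mozilla/5.0 (Windows NT 10.0) desktop-sample"
PHONE = "Mozilla/5.0 (iPhone; CPU iPhone OS 15_6_1 like Mac OS X) mobile-sample"

# Constructed stream: an old failure, three failures then enrollment and success on desktop,
# a success on the phone, and a later lone failure on desktop. "description" and the gd_*
# details fields ("device_id", "factor") are assumptions; "factor" is hypothetical.
SAMPLE_EVENTS = [
    _ev("0", "fp", "2022-09-13T22:30:00.000Z", DESKTOP, description="Wrong email or password."),
    _ev("1", "fp", "2022-09-14T00:30:00.000Z", DESKTOP, description="Wrong email or password."),
    _ev("2", "fp", "2022-09-14T00:31:00.000Z", DESKTOP, description="Wrong email or password."),
    _ev("3", "gd_enrollment_complete", "2022-09-14T00:33:00.000Z", DESKTOP,
        details={"device_id": "dev-1", "factor": "webauthn"}),
    _ev("4", "s", "2022-09-14T00:34:19.095Z", DESKTOP,
        details={"session_id": "sess-1",
                 "prompts": [{"name": "login", "flow": "universal-login", "performed_amr": ["mfa"]}]}),
    _ev("5", "s", "2022-09-14T00:40:00.000Z", PHONE,
        details={"session_id": "sess-2", "prompts": [{"name": "mfa", "flow": "universal-mfa"}]}),
    _ev("6", "fp", "2022-09-14T02:00:00.000Z", DESKTOP, description="Wrong email or password."),
]


def parse_date(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S.%fZ")


def device_key(ev):
    # No id is shared by s and gd_* events, so user + ip + user_agent is the heuristic
    # device identity. Two phones behind one NAT with identical UAs would merge: known limit.
    return (ev["user_id"], ev.get("ip", ""), ev.get("user_agent", ""))


def used_mfa(success_event):
    # MFA is recorded either as the "mfa" prompt itself (universal-mfa flow) or as
    # "mfa" inside performed_amr of the login prompt; the s event never names the method.
    for p in success_event.get("details", {}).get("prompts", []):
        if p.get("name") == "mfa" or "mfa" in p.get("performed_amr", []):
            return True
    return False


def sessionize(events):
    """Group events into attempts keyed by device_key; close on success or on GAP inactivity."""
    events = sorted(events, key=lambda e: parse_date(e["date"]))
    open_attempts, attempts = {}, []
    enrolled = defaultdict(list)  # user_id -> enrolled factor names, in time order (per user, not per device)
    for ev in events:
        ts, key = parse_date(ev["date"]), device_key(ev)
        cur = open_attempts.get(key)
        if cur and ts - cur["last_seen"] > GAP:  # stale attempt: close it as abandoned
            attempts.append(open_attempts.pop(key))
            cur = None
        if cur is None:
            cur = {"user_id": ev["user_id"], "ip": key[1], "user_agent": key[2], "started_at": ts,
                   "last_seen": ts, "event_ids": [], "outcome": "abandoned", "failure_reason": None,
                   "mfa_used": False, "second_factor": None, "session_id": None}
            open_attempts[key] = cur
        cur["last_seen"] = ts
        cur["event_ids"].append(ev["log_id"])
        t = ev["type"]
        if t in FAILURE_TYPES:
            cur["failure_reason"] = ev.get("description") or t
        elif t in ENROLLMENT_TYPES:
            factor = ev.get("details", {}).get("factor")  # hypothetical field name
            if factor:
                enrolled[ev["user_id"]].append(factor)
        elif t in SUCCESS_TYPES:
            cur.update(outcome="success", failure_reason=None, mfa_used=used_mfa(ev),
                       session_id=ev.get("details", {}).get("session_id"))
            if cur["mfa_used"]:  # method comes from the user's latest enrollment, not from the s event
                cur["second_factor"] = enrolled[ev["user_id"]][-1] if enrolled[ev["user_id"]] else "unknown"
            attempts.append(open_attempts.pop(key))
    attempts.extend(open_attempts.values())  # flush attempts still open at end of stream
    return attempts


def to_rows(attempts):
    """One flat, JSON-serializable row per attempt (the shape you would load into a table)."""
    return [{**a, "started_at": a["started_at"].isoformat(), "ended_at": a.pop("last_seen").isoformat()}
            for a in attempts]


if __name__ == "__main__":
    print(json.dumps(to_rows(sessionize(SAMPLE_EVENTS)), indent=2))
```

Note what the sample deliberately exposes: the phone success (event 5) gets `second_factor = "webauthn"` only because enrollment is tracked per user, so a cross-device lookup is unavoidable if the `s` event itself only says `mfa`; and the lone failure at 02:00 becomes its own row because the earlier desktop attempt was already closed by its success. If your tenant's `gd_*` events carry `ip` and `user_agent` differently from the `s` events, the `device_key` heuristic will split one device into two and is the first thing to revisit.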