Challenges of the Risk Management component

Intelligent Adaptive Authentication with the Risk Management component can challenge the user in several ways during login and adaptive authentication, event validation, or transaction activities.

Risk Management component challenges

When Intelligent Adaptive Authentication validates adaptive authentication and transaction requests, the response to the request includes the authentication or transaction validation challenge from the Risk Management component (specified in the riskResponseCode field). These challenges can then be used in the remaining processing flow. The table Risk management challenges lists these challenges.

Risk management challenges
Challenge name Challenge value Definition
Challenge 2 Simple authentication, i.e. static password.
ChallengeSMS 3 Simple authentication with SMS delivery, e.g. virtual OTP.
ChallengeDevice 4 Challenge with authenticator, hardware or software OTP without a second factor.
ChallengeDevice2FA 5 Challenge with authenticator and two factors, hardware OTP with static PIN, software OTP with PIN, biometric etc.
ChallengePush 6 Simple authentication using Push Notification (a message that is pushed from a server to a user and is displayed on an end-user device, e.g. a mobile device. Push notifications are received by a particular app, which must be registered on the corresponding server to receive notifications. Notifications can be sent at any time; users do not have to be actively using the app at that time).
ChallengePush2FA 7 Two-factor authentication using Push Notification.
ChallengeEmail 8 Simple authentication with email delivery, e.g. virtual OTP.
ChallengeVoice 13 Simple authentication with delivery via voice call, using a virtual OTP.
ChallengeFIDO 14 Authentication using a FIDO-based authenticator.
ChallengeNoPin 21 Authentication without PIN from trusted device (using orchestration command).
ChallengePin 22 Authentication with PIN from trusted device (using orchestration command).
ChallengeFingerprint 23 Authentication with fingerprint from trusted device (using orchestration command).
ChallengeFaceReco 24 Authentication with face recognition from trusted device (using orchestration command).
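
One way for a relying application to consume riskResponseCode without allowing a step-up downgrade, shown as an added example (not OneSpan code). It assumes a JSON response with riskResponseCode at the top level and handles only the challenge values listed in the table above; the function names and sample bodies are hypothetical.

```python
import json
from enum import IntEnum


class RiskChallenge(IntEnum):
    """Challenge values copied from the 'Risk management challenges' table."""
    Challenge = 2
    ChallengeSMS = 3
    ChallengeDevice = 4
    ChallengeDevice2FA = 5
    ChallengePush = 6
    ChallengePush2FA = 7
    ChallengeEmail = 8
    ChallengeVoice = 13
    ChallengeFIDO = 14
    ChallengeNoPin = 21
    ChallengePin = 22
    ChallengeFingerprint = 23
    ChallengeFaceReco = 24


class RiskResponseError(ValueError):
    """The response cannot be trusted to select an authentication flow."""


def required_challenge(response_body: str) -> RiskChallenge:
    """Return the challenge named by riskResponseCode, or raise (fail closed)."""
    try:
        doc = json.loads(response_body)
    except json.JSONDecodeError as exc:
        raise RiskResponseError("response is not valid JSON") from exc
    code = doc.get("riskResponseCode") if isinstance(doc, dict) else None
    # bool is a subclass of int in Python; reject it, and strings such as "5".
    if not isinstance(code, int) or isinstance(code, bool):
        raise RiskResponseError("riskResponseCode missing or not an integer")
    try:
        return RiskChallenge(code)
    except ValueError:
        raise RiskResponseError(f"riskResponseCode {code} is not a listed challenge") from None


def step_up_satisfied(response_body: str, completed: RiskChallenge) -> bool:
    """True only if the user completed exactly the challenge that was requested."""
    return required_challenge(response_body) is completed


# Constructed sample responses (assumed shape, not captured from a real tenant).
SAMPLE_2FA = '{"riskResponseCode": 5, "sessionID": "0A1B2C"}'
SAMPLE_UNKNOWN = '{"riskResponseCode": 99}'
```

Response codes that are not challenges are outside this sketch and are rejected by required_challenge, so the caller has to route them before calling it.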

Matched Risk Management component rules

Intelligent Adaptive Authentication also reports which of the rules defined in the Risk Management component for monetary and non-monetary events matched. The adaptive authentication or transaction validation returns identifiers based on the API field in the output. You can check these identifiers in the event lookup to see all details associated with the event and verify which Risk Management component rules matched. The table Names of matched rules from the Risk Management component lists these identifiers.

To retrieve information about matched rules for an event

You can check events for matched rules during adaptive authentication and event validation with the following endpoints:

To retrieve information about matched rules for a transaction

You can check events for matched rules during adaptive transaction validation with the following endpoint:

Names of matched rules from the Risk Management component
Event identifier Risk Management component field OneSpan Trusted Identity platform API field Non-monetary event Transaction (monetary event) Definition
1 ACCOUNT_REF accountRef Reference of the banking account.
2 AMT_CH_BILLL amount   Transaction amount.
3 BENEFICIARY_BANK_COUNTRY_CODE beneficiaryBankCountry   ISO alpha country code of the beneficiary bank.
4 BENEFICIARY_BANK_NAME beneficiaryBank   Name of the beneficiary bank.
5 BENEFICIARY_IBAN beneficiaryIBAN   International bank account number of the beneficiary bank.
6 BENEFICIARY_NAME beneficiaryName   Name of the beneficiary.
7 CREDITOR_ACCOUNT_REF creditorRef   Reference of the creditor bank account.
8 CREDITOR_BANK_COUNTRY_CODE creditorBankCountry   ISO alpha country code of the creditor bank.
9 CREDITOR_BANK_NAME creditorBank   Name of the creditor bank.
10 CREDITOR_IBAN creditorIBAN   International bank account number of the creditor bank.
11 CREDITOR_NAME creditorName   Name of the creditor.
12 CURRENCY_BILL currency   Currency of the transaction.
13 CUSTOM_NUMBER_1 customNumber1 A customizable number to pass bank information to the Risk Management component.
14 CUSTOM_NUMBER_2 customNumber2 A customizable number to pass bank information to the Risk Management component.
15 CUSTOM_NUMBER_3 customNumber3 A customizable number to pass bank information to the Risk Management component.
16 CUSTOM_STRING_1 customString1 A customizable string to pass bank information to the Risk Management component.
17 CUSTOM_STRING_2 customString2 A customizable string to pass bank information to the Risk Management component.
18 CUSTOM_STRING_3 customString3 A customizable string to pass bank information to the Risk Management component.
19 CUSTOM_STRING_4 customString4 A customizable string to pass bank information to the Risk Management component.
20 CUSTOM_STRING_5 customString5 A customizable string to pass bank information to the Risk Management component.
21 CUSTOM_STRING_6 customString6 A customizable string to pass bank information to the Risk Management component.
22 DEBTOR_IBAN debtorIBAN   International bank account number of the debtor.
23 DEBTOR_NAME debtorName   Name of the debtor.
24 DEBTOR_REF debtorRef   Reference of the debtor bank account.
25 DEVICE_ID uniqueDeviceIdentifier Device ID from the Mobile Security Suite CDDC SDK.
26 DEVICE_MODEL deviceModel Model of the device from the Mobile Security Suite CDDC SDK.
27 DIGIPASS_AUTH_TYPE authentType Authentication level.
28 DIGIPASS_RETURN_CODE authentStatus Result of the user authentication.
29 EXECUTION_COMPLETED executionCompleted Status of the rule execution.
30 FINGERPRINT_HASH fingerprintHash Fingerprint hash of the browser.
31 FINGERPRINT_RAW fingerprintRaw Fingerprint raw data (JSON) of the browser.
32 FRAUD_DATE fraudDate Date when the fraud disposition has been set.
33 FRAUD_DISPOSITION_KEY fraudDispositionKey Fraud disposition key. Value range: 1: Fraud; 4: Genuine; Null: unknown.
34 GIS_COUNTRY_CODE deviceCountry Country of the device location, from the Mobile Security Suite CDDC SDK latitude and longitude.
35 GIS_LATITUDE deviceLatitude Latitude of the device location, from the Mobile Security Suite CDDC SDK.
36 GIS_LONGITUDE deviceLongitude Longitude of the device location, from the Mobile Security Suite CDDC SDK.
37 IP clientIP IP address from which the event originated. Formatted in dot-decimal notation.
38 IP_COUNTRY_CODE clientIPCountry ISO alpha country code from the client IP-based location data.
39 MATCHED_RULES matchedRules JSON object with a list of the names of matched rules from the Risk Management component.
40 NON_MON_EVENT_DATE eventDate   Date of the event.
41 NON_MON_EVENT_ID eventID   Identifier of the event.
42 NON_MON_EVENT_SUB_TYPE_KEY eventSubTypeKey   Number that represents the event sub-type.
43 NON_MON_EVENT_SUB_TYPE_KEY eventSubType   Name of the event sub-type.
44 NON_MON_EVENT_TYPE_KEY eventTypeKey   Number that represents the event type.
45 RELATIONSHIP_REF relationshipRef Relationship reference. In the Risk Management component, a relationship represents one customer (irrespective of the number of applications or accounts held for that customer).
46 RESPONSE_CODE riskResponseCode The response code sent by the Risk Management component.
47 SESSION_ID sessionID The application session identifier, formatted as a hexadecimal string. This identifier is common for all transactions related to the same session.
48 TXN_DATE_TIME transactionDate   Date of the transaction.
49 TXN_ID transactionID   Transaction identifier.
50 TXN_SUB_TYPE_KEY transactionSubTypeKey   Number that represents the transaction sub-type.
51 TXN_SUB_TYPE_KEY transactionSubType   Name of the transaction sub-type.
52 TXN_TYPE_KEY transactionTypeKey   Number that represents the transaction type.
53 USER_REF userRef Corporate user reference.