Oracle® Fusion Middleware Administrator's Guide for Oracle Adaptive Access Manager Release 11g (11.1.1) E14568-06
This chapter describes the flows for the main scenarios in authentication and the policies and rules that are shipped with the product as part of the OAAM base snapshot. This chapter also includes autolearning policies that are shipped out of the box.
Policies are also included as separate policy files to import but they require that you import questions, entities, and patterns, and set up autolearning related properties.
Figure 11-1 shows the authentication flow of OAAM server when a user logs in to an application that is protected by Oracle Adaptive Access Manager.
The Forgot Password flow allows the users to reset their password after successfully answering all challenge questions.
Challenge Reset enables users to reset their challenge registration.
The following table lists the OAAM checkpoints and their responsibilities.
Table 11-1 OAAM Checkpoints and Responsibilities
CheckPoint Name | Responsibilities |
---|---|
Pre-Authentication | Determine if the request has to be BLOCKED |
Device Identification | Determine how to identify the device |
AuthentiPad | Determine which authentication pad to use |
Post Authentication | Determine if the user has to be ALLOWED or BLOCKED |
Registration | Determine which pieces of user information are pending registration |
Challenge | Determine which mechanism to use to challenge the user |
CSR KBA Challenge | Applicable when a customer calls in for service. Settings are reset through CSR KBA Challenge. |
Forgot Password | Activity to reset password performed based on challenge |
Preferences | Sets the user information (Image, phrase, OTP settings, and so on) |
OAAM comes standard with out-of-the-box policies pre-built to detect suspicious activity.
Pre-authentication policies are summarized in this section.
This policy stops fraudulent login attempts before the password is entered.
OAAM Pre-Authentication: Details of Rules
The table below shows the rule conditions and parameters in the OAAM Pre-Authentication Policy.
Table 11-3 OAAM Pre-Authentication Policy Rules Details
Rule | Rule Condition and Parameters | Results |
---|---|---|
Blacklisted Countries | Location: In Country group; Is In List = TRUE; Country in country Group = OAAM Restricted Countries | Action = OAAM Block; Alert = OAAM Restricted Country; Score = 1000; Weight = 100 |
Blacklisted devices | Device: Device in group; Is in group = TRUE; Device in group = OAAM Restricted Devices | Action = OAAM Block; Alert = OAAM Restricted Device; Score = 1000; Weight = 100 |
WEBZIP used | Device: Browser header substring; Substring to check = WEBZIP | Action = OAAM Block; Alert = OAAM Restricted Software; Score = 1000; Weight = 100 |
Blacklisted IPs | Location: IP in group; Is in List = TRUE; IP List = OAAM Restricted IPs | Action = OAAM Block; Alert = OAAM Restricted IP; Score = 1000; Weight = 100 |
Blacklisted ISPs | Location: ISP in group; Is in List = TRUE; ISP List = OAAM Restricted ISPs | Action = OAAM Block; Alert = OAAM Restricted ISP; Score = 1000; Weight = 100 |
Blacklisted users | User: In Group; Is in group = TRUE; User Group = OAAM Restricted Users | Action = OAAM Block; Alert = OAAM Restricted User; Score = 1000; Weight = 100 |
The Authentication Pad policy is summarized in this section.
This policy determines the OAAM Authentication Pad to use.
OAAM AuthenticationPad: Details of Rules
The table below shows the rule conditions and parameters in the OAAM AuthenticationPad Policy.
Table 11-5 OAAM Authentication Pad Policy Rules Details
Rule | Rule Condition and Parameters | Results |
---|---|---|
Challenge SMS | Session: Check value in comma separated values; Parameter Key = AvailableChallengeTypes; Value to Check = ChallengeSMS; Return if in list = TRUE | Action = OAAM Text Pad; Alert = NONE; Score = 0 |
Registered Image and Caption | User: Authentication Image Assigned; Is Assigned = TRUE | Action = OAAM Personalized Pad; Alert = NONE; Score = 0 |
Key Pad User | User: Authentication Mode; Authentication Mode is = Full Keypad | Action = OAAM KeyPad; Alert = NONE; Score = 0 |
Challenge Email | Session: Check value in comma separated values; Parameter Key = AvailableChallengeTypes; Value to Check = ChallengeEmail; Return if in list = TRUE | Action = OAAM Text Pad; Alert = NONE; Score = 0 |
Register Challenge Question | Session: Check value in comma separated values; Parameter Key = AvailableChallengeTypes; Value to Check = RegisterChallengeQuestion; Return if in list = TRUE | Action = OAAM Question Pad; Alert = NONE; Score = 0 |
Check if mobile browser is used | DEVICE: Check if device is using Mobile Browser; Mobile Browsers Group = OAAM Mobile Browsers Group; Default Return Value = FALSE | Action = NONE; Alert = OAAM Mobile Users; Score = 0 |
Challenge Question | Session: Check value in comma separated values; Parameter Key = AvailableChallengeTypes; Value to Check = ChallengeQuestion; Return if in list = TRUE | Action = OAAM Question Pad; Alert = NONE; Score = 0 |
OAAM AuthenticationPad: Trigger Combinations
Table 11-6 OAAM AuthenticationPad Policy Trigger Combinations
Description | Combination Detail | Result |
---|---|---|
Empty in the snapshot (Detect Mobile Browser) | Check if Mobile Browser is Used = TRUE; Challenge SMS = Any; Registered Image and Caption = Any; Key Pad User = Any; Challenge Email = Any; Challenge Question = Any; Register Challenge Question = Any | Action = OAAM HTML Pad; Alert = NONE; Score = 0 |
Empty in the snapshot (Unregistered Users) | Check if Mobile Browser is Used = Any; Register Challenge Question = Any; Challenge SMS = FALSE; Registered Image and Caption = FALSE; Key Pad User = FALSE; Challenge Email = FALSE; Challenge Question = FALSE | Action = OAAM Text Pad; Alert = NONE; Score = 0 |
Empty in the snapshot (Registered Users) | Register Challenge Question = Any; Check if Mobile Browser is Used = Any; Challenge SMS = FALSE; Registered Image and Caption = TRUE; Key Pad User = FALSE; Challenge Email = FALSE; Challenge Question = FALSE | Action = OAAM Text Pad Personalized; Alert = NONE; Score = 0 |
This section summarizes the post-authentication policies.
This policy evaluates the level of risk after authentication is successful. The possible actions are Allow, Block, or Challenge.
OAAM Post-Authentication Security: Details of Rules
The table below shows the rule conditions and parameters in the OAAM Post-Authentication Security Policy.
Table 11-8 OAAM Post Authentication Security Policy Rules Details
Rule | Rule Condition and Parameter Values | Results |
---|---|---|
Active Anonymizer | Location: IP in Group; Is in List = TRUE; IP in group = anonymizer_active | Action = OAAM Block; Alert = OAAM Active Anonymizer IP; Score = 1000 |
Suspect Anonymizer | Location: IP in Group; Is in List = TRUE; IP in group = anonymizer_suspect | Action = OAAM Challenge; Alert = OAAM Suspected Anonymizer IP; Score = 700 |
Unknown Anonymizer | Location: IP in Group; Is in List = TRUE; IP in group = anonymizer_active | Action = OAAM Challenge; Alert = OAAM Unknown Anonymizer IP; Score = 600 |
Private Anonymizer | Location: IP in Group; Is in List = TRUE; IP in group = anonymizer_private | Action = OAAM Challenge; Alert = OAAM Private Anonymizer IP; Score = 700 |
Risky Connection Type | Location: IP Connection Type in Group; Is in List = TRUE; Connection type in group = OAAM High Risk Connection Types | Action = OAAM Challenge; Alert = OAAM Risky Connection type; Score = 700 |
User Blocked Recently | User: Action Timed; Check Action = BLOCK; In seconds = 28800; More than = 2 | Action = OAAM Challenge; Alert = User Blocked Recently; Score = 700 |
Maximum Users per Device | Device: User Count; Seconds Elapsed = 2592000; Max number of users allowed = 5 | Action = OAAM Challenge; Alert = OAAM Device Multiple Users; Score = 500 |
Dormant IP | (1) Location: IP Connection type in group; Is in List = FALSE; Connection type group = OAAM Mobile Connections (2) Location: IP Excessive Use; Number of Users = 4; Within (hours) = 24; And not used in days = 30 | Action = OAAM Challenge; Alert = OAAM Dormant IP; Score = 500 |
Surge of Users from IP | (1) Location: IP Connection type in group; Is in List = FALSE; Connection type group = OAAM Mobile Connections (2) Location: IP is AOL; Is AOL = False (3) Location: IP Maximum Users; Seconds Elapsed = 300; Max number of users = 3 | Action = OAAM Challenge; Alert = OAAM IP Multiple Users; Score = 600 |
Risky countries | Location: In Country Group; Is in List = TRUE; Country in country group = OAAM Monitoring Countries | Action = OAAM Challenge; Alert = OAAM Monitored Country; Score = 500 |
Dormant Device | Device: Excessive Use; Number of Users = 4; Within (hours) = 24; And not used in (days) = 30 | Action = OAAM Challenge; Alert = OAAM Dormant Device; Score = 500 |
Device with Many Failures | Device: Timed not status; Authentication status is not = SUCCESS; Within duration (seconds) = 28800; For more than 4 (times) | Action = OAAM Challenge; Alert = OAAM Many Failures from Device; Score = 600 |
Maximum Devices per User | User: Check Devices Used; Maximum number of devices = 2; Within duration (seconds) = 28800 | Action = OAAM Challenge; Alert = OAAM Max Devices for User; Score = 300 |
Risky Device | Device: In List; Is in group = TRUE; Device in group = OAAM Risky Devices | Action = OAAM Challenge; Alert = OAAM Risky Device; Score = 700 |
Device Maximum Velocity | Device: Velocity from last login; Last Login within (Seconds) = 72000; Miles per Hour is more than = 600 | Action = OAAM Challenge; Alert = OAAM Device Maximum Velocity; Score = 700 |
Risky IP | Location: IP in group; Is in List = TRUE; IP List = OAAM Risky IPs | Action = OAAM Challenge; Alert = OAAM Risky IP; Score = 700 |
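The time-window rules in Table 11-8 can be read as counts over recent sessions. The following is an added example, not OAAM code: it re-implements three of them (Surge of Users from IP, Device with Many Failures, Maximum Devices per User) with the thresholds from the table. The `Session` record, the sample history, the failure status name, and the choices to count the current session and to fire only when a maximum is exceeded are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    ts: int                     # login time, epoch seconds
    user: str
    device: str
    ip: str
    status: str = "SUCCESS"     # anything else counts as a failure
    mobile_conn: bool = False   # connection type is in OAAM Mobile Connections
    aol: bool = False           # IP is AOL


def recent(history, cur, seconds):
    """Sessions that happened at most `seconds` before the current one."""
    return [s for s in history if 0 <= cur.ts - s.ts <= seconds]


def surge_of_users_from_ip(history, cur, seconds=300, max_users=3):
    # The rule excludes mobile connection types and AOL addresses,
    # where many users legitimately share one IP.
    if cur.mobile_conn or cur.aol:
        return False
    users = {s.user for s in recent(history, cur, seconds) if s.ip == cur.ip}
    return len(users | {cur.user}) > max_users


def device_with_many_failures(history, cur, seconds=28800, more_than=4):
    failures = [s for s in recent(history, cur, seconds)
                if s.device == cur.device and s.status != "SUCCESS"]
    return len(failures) > more_than


def max_devices_per_user(history, cur, seconds=28800, max_devices=2):
    devices = {s.device for s in recent(history, cur, seconds)
               if s.user == cur.user}
    return len(devices | {cur.device}) > max_devices


# (rule function, alert, score) taken from Table 11-8; every rule
# listed here results in Action = OAAM Challenge when it fires.
RULES = [
    (surge_of_users_from_ip, "OAAM IP Multiple Users", 600),
    (device_with_many_failures, "OAAM Many Failures from Device", 600),
    (max_devices_per_user, "OAAM Max Devices for User", 300),
]


def evaluate(history, cur):
    """Return (alert, score) for each rule triggered by the current session."""
    return [(alert, score) for rule, alert, score in RULES if rule(history, cur)]


# Constructed sample data (documentation IP ranges, made-up users and devices).
BASE = 1_700_000_000
IP_A, IP_B, IP_C = "203.0.113.7", "198.51.100.9", "192.0.2.44"
HISTORY = [
    Session(BASE, "alice", "d1", IP_A),
    Session(BASE + 60, "bob", "d2", IP_A),
    Session(BASE + 120, "carol", "d3", IP_A),
    Session(BASE + 3600, "alice", "d5", IP_B),
] + [
    Session(BASE + 10000 + 60 * i, "erin", "d9", IP_C, status="WRONG_PASSWORD")
    for i in range(5)
]

if __name__ == "__main__":
    for cur in (
        Session(BASE + 200, "dave", "d4", IP_A),                     # 4th user on IP_A in 300 s
        Session(BASE + 200, "dave", "d4", IP_A, mobile_conn=True),   # excluded connection type
        Session(BASE + 7200, "alice", "d6", IP_B),                   # 3rd device in 8 hours
        Session(BASE + 11000, "erin", "d9", IP_C),                   # 5 failures on the device
    ):
        print(cur.user, cur.device, evaluate(HISTORY, cur))
```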
This policy harnesses the predictive capabilities of Oracle Data Miner. The rules in this policy are only functional if Oracle Data Miner is configured.
OAAM Predictive Analysis Policy Summary
Table 11-9 OAAM Predictive Analysis Policy Summary
Summary | Details |
---|---|
Purpose | Harnesses the predictive capabilities of Oracle Data Miner. These rules are only functional if Oracle Data Miner is configured. |
Scoring Engine | Maximum |
Weight | 100 |
Group Linking | Linked Users |
OAAM Predictive Analysis Policy: Details of Rules
The table below shows the rule conditions and parameters in the OAAM Predictive Analysis Policy.
Table 11-10 OAAM Predictive Analysis Policy Rules Details
Rule | Rule Condition and Parameters | Results |
---|---|---|
Predict if current session is fraudulent | USER: Check Fraudulent User Request; Classification Model = OAAM Fraud Request Model; Required Classification = Fraud; Minimum Value of Probability required = 0.70; Maximum Value of Probability required = 1.00; Default Value to return if error = FALSE | Action = NONE; Alert = OAAM Suspected Fraudulent request; Score = 700 |
Predict if current session is anomalous | USER: Check Anomalous User Request; Anomaly Model = OAAM Anomalous Request Model; Minimum Value of Probability required = 0.60; Maximum Value of Probability required = 1.00; Default Value to return if error = FALSE | Action = NONE; Alert = OAAM Anomalous Request; Score = 600 |
This policy checks if pattern autolearning is enabled and if a user has past behavior recorded. Users with enough recorded behavior are evaluated against their own profile while users without enough recorded behavior are evaluated against the profiles of all other users.
OAAM Does User Have Profile Policy Summary
Table 11-11 Auto-learning (Pattern-Based) Policy: OAAM Does User Have Profile Summary
Summary | Details |
---|---|
Purpose | Checks if pattern autolearning is enabled and if a user has past behavior recorded. Users with enough recorded behavior are evaluated against their own profile while users without enough recorded behavior are evaluated against the profiles of all other users. |
Scoring Engine | Maximum |
Weight | 100 |
Group Linking | All Users |
OAAM Does User Have Profile: Details of Rules
Table 11-12 Auto-learning (Pattern-Based) Policy Rules Details: OAAM Does User Have Profile
Rule | Rule Condition and Parameters | Results |
---|---|---|
Does user have a profile | (1) System - Check Boolean Property; Property = vcrypt.tracker.autolearning.enabled; Value = True; Default Return Value = True (2) System - Check Boolean Property; Property = vcrypt.tracker.autolearning.use.auth.status.for.analysis; Value = True; Default Return Value = False (3) User - Check Login Count; Check only current user = True; Authentication Status = Success; In seconds = 0; With Login more than = 7; If Error return = False; Consider current request or not = True | Action = None; Alert = None; Score = 0 |
OAAM Does User Have Profile: Trigger Combination
Table 11-13 Auto-learning (Pattern-Based) Policy: OAAM Does User Have Profile Trigger Combination
Description | Combination Detail | Result |
---|---|---|
If a user has enough recorded behavior in his profile he is evaluated by this policy. | Does User have profile = TRUE | Policy = OAAM users vs. themselves; Alert = NONE |
If a user does not have enough recorded behavior in his profile he is evaluated by this policy. | Does User have profile = ANY | Policy = OAAM users vs. all users; Alert = NONE |
If a user has a sufficient amount of historical data captured, this policy is used to evaluate his current behavior against his own historical behavior. This policy uses pattern-based rules to evaluate risk.
OAAM Users vs. Themselves Policy Summary
Table 11-14 Auto-learning (Pattern-Based) Policy: OAAM Users vs. Themselves Summary
Summary | Details |
---|---|
Purpose | Used to evaluate a user's current behavior against his own historical behavior. This policy uses pattern-based rules to evaluate risk. |
Scoring Engine | Maximum |
Weight | 100 |
Group Linking | Linked Users (It is a nested policy) |
OAAM Users vs. Themselves: Details of Rules
Table 11-15 Auto-learning (Pattern-Based) Policy Rules Details: OAAM Users vs. Themselves
Rule | Rule Condition and Parameters | Results |
---|---|---|
ISP | ENTITY: Entity is member of pattern less than some percent times; Pattern Hit Percent less than = 6; Pattern name for membership = User: ISP profiling pattern; Is Membership Count Less than patternHitPercent = True; Time period type for pattern membership = Months; Time period for pattern membership = 1; Member type for pattern membership = User | Action = OAAM Challenge; Alert = OAAM User: ISP; Score = 600 |
Connection type | ENTITY: Entity is member of pattern less than some percent times; Pattern Hit Percent less than = 6; Pattern name for membership = User: ASN profiling pattern; Is Membership Count Less than patternHitPercent = True; Time period type for pattern membership = Months; Time period for pattern membership = 1; Member type for pattern membership = User | Action = OAAM Challenge; Alert = OAAM User: connection type; Score = 600 |
Routing type | ENTITY: Entity is member of pattern less than some percent times; Pattern Hit Percent less than = 6; Pattern name for membership = User: Routing type profiling pattern; Is Membership Count Less than patternHitPercent = True; Time period type for pattern membership = Months; Time period for pattern membership = 1; Member type for pattern membership = User | Action = OAAM Challenge; Alert = OAAM User: Routing type; Score = 600 |
Device | ENTITY: Entity is member of pattern less than some percent times; Pattern Hit Percent less than = 10; Pattern name for membership = User: Device profiling pattern; Is Membership Count Less than patternHitPercent = True; Time period type for pattern membership = Months; Time period for pattern membership = 1; Member type for pattern membership = User | Action = OAAM Challenge; Alert = OAAM User: Device; Score = 700 |
Day of the week | ENTITY: Entity is member of pattern bucket for first time in certain time period; Pattern name for membership = User: Day of Week profiling pattern; Is ConditionTrue = True; Time period type for pattern membership = Months; Time period for pattern membership = 3; Member type for pattern membership = User; First time count = 1 | Action = OAAM Challenge; Alert = OAAM User: day of the week; Score = 500 |
Country and State | ENTITY: Entity is member of pattern less than some percent times; Pattern Hit Percent less than = 10; Pattern name for membership = User: State profiling pattern; Is Membership Count Less than patternHitPercent = True; Time period type for pattern membership = Months; Time period for pattern membership = 1; Member type for pattern membership = User | Action = OAAM Challenge; Alert = OAAM User: state; Score = 600 |
Time of Day | ENTITY: Entity is member of pattern less than some percent times; Pattern Hit Percent less than = 3; Pattern name for membership = User: timerange profiling pattern; Is Membership Count Less than patternHitPercent = True; Time period type for pattern membership = Months; Time period for pattern membership = 1; Member type for pattern membership = User | Action = OAAM Challenge; Alert = OAAM User: time of day; Score = 500 |
ASN | ENTITY: Entity is member of pattern less than some percent times; Pattern Hit Percent less than = 6; Pattern name for membership = User: ASN profiling pattern; Is Membership Count Less than patternHitPercent = True; Time period type for pattern membership = Months; Time period for pattern membership = 1; Member type for pattern membership = User | Action = OAAM Challenge; Alert = OAAM User: ASN; Score = 600 |
Country | ENTITY: Entity is member of pattern less than some percent times; Pattern Hit Percent less than = 20; Pattern name for membership = User: Country profiling pattern; Is Membership Count Less than patternHitPercent = True; Time period type for pattern membership = Months; Time period for pattern membership = 3; Member type for pattern membership = User | Action = OAAM Challenge; Alert = OAAM User: Country; Score = 700 |
If a user does not have a sufficient amount of historical data captured this policy is used to evaluate his current behavior against the historical behavior of all other users. This policy uses pattern-based rules to evaluate risk.
OAAM Users vs. All Users Policy Summary
Table 11-16 Auto-learning (Pattern-Based) Policy: OAAM users vs. All Users Summary
Summary | Details |
---|---|
Purpose | Evaluates the user's current behavior against the historical behavior of all other users. This policy uses pattern-based rules to evaluate risk. |
Scoring Engine | Maximum |
Weight | 100 |
Group Linking | Linked Users (It is a nested policy) |
OAAM Users vs. All Users: Details of Rules
Table 11-17 Auto-learning (Pattern-Based) Policy Rules Details: OAAM Users vs. All User
Rule | Rule Condition and Parameters | Results |
---|---|---|
Users: Day of the week | ENTITY: Entity is member of pattern bucket less than some percent with all entities in picture; Pattern Bucket Hit Percent less than = 5; Pattern name for membership = User: Day of the week profiling pattern; Is membership count less than pattern hit percent = true; Time period type for pattern membership = Months; Time period for pattern membership = 6; Member Type for pattern membership = User | Action = OAAM Challenge; Alert = Users: Day of the week; Score = 300 |
Users: Country | ENTITY: Entity is member of pattern bucket less than some percent with all entities in picture; Pattern Bucket Hit Percent less than = 3; Pattern name for membership = User: Country profiling pattern; Is membership count less than pattern hit percent = true; Time period type for pattern membership = Months; Time period for pattern membership = 6; Member Type for pattern membership = User | Action = OAAM Challenge; Alert = Users: Country; Score = 500 |
Users: Time of Day | ENTITY: Entity is member of pattern bucket less than some percent with all entities in picture; Pattern Bucket Hit Percent less than = 5; Pattern name for membership = User: Time of day profiling pattern; Is membership count less than pattern hit percent = true; Time period type for pattern membership = Months; Time period for pattern membership = 6; Member Type for pattern membership = User | Action = OAAM Challenge; Alert = Users: Time of day; Score = 300 |
Users: Connection type | ENTITY: Entity is member of pattern bucket less than some percent with all entities in picture; Pattern Bucket Hit Percent less than = 5; Pattern name for membership = User: Connection type profiling pattern; Is membership count less than pattern hit percent = true; Time period type for pattern membership = Months; Time period for pattern membership = 6; Member Type for pattern membership = User | Action = OAAM Challenge; Alert = Users: Connection type; Score = 500 |
Users: Locale | ENTITY: Entity is member of pattern bucket less than some percent with all entities in picture; Pattern Bucket Hit Percent less than = 3; Pattern name for membership = User: Time of day profiling pattern; Is membership count less than pattern hit percent = true; Time period type for pattern membership = Years; Time period for pattern membership = 6; Member Type for pattern membership = User | Action = OAAM Challenge; Alert = Users: Locale; Score = 500 |
Registration policies are summarized in this section.
This policy is used to determine the user information that needs to be registered.
OAAM Registration: Details of Rules
Table 11-19 OAAM Registration Policy Rules Details
Rule | Rule Condition and Parameters | Results |
---|---|---|
Check Registration | User: Account Status; User Account Status = ACTIVE; Is = FALSE | Action = OAAM Register; Alert = NONE; Score = 0 |
Register Questions | User: Question Status; User Question Status = Set; Is = FALSE | Action = OAAM Register Challenge Questions; Alert = NONE; Score = 0 |
Skipped registration more than 3 times | User: Action Count Timed; Checkpoint (Optional) = NONE; Action = Register User Optional; In seconds = 300; Count Action only once per session? = TRUE; More Than = 3 | Action = OAAM Registration Required; Alert = NONE; Score = 0 |
Register User Information | User: Check Information; Key to comma separated values to check = RequiredChallengeInfo; If Information is set, return = FALSE | Action = OAAM Register User Information; Alert = NONE; Score = 0 |
Register Image and Caption | User: Authentication Image Assigned; Is Assigned = FALSE | Action = OAAM Register Preferences; Alert = NONE; Score = 0 |
Challenge policies are presented in this section.
This policy determines how the user has to be challenged. All the decision making in this policy is achieved using trigger combinations.
OAAM Challenge: Details of Rules
Table 11-21 OAAM Challenge Policy Rules Details
Rule | Rule Condition and Parameters | Results |
---|---|---|
Max failed SMS attempts | User: Check OTP failures; OTP Challenge Type = ChallengeSMS; Failure More than or Equal To = 3; If above or equal = TRUE | Action = NONE; Alert = NONE; Score = 0 |
Max failed Email attempts | User: Check OTP failures; OTP Challenge Type = ChallengeEmail; Failure More than or Equal To = 3; If above or equal = TRUE | Action = NONE; Alert = NONE; Score = 0 |
Max failed Question attempts | User: Challenge Maximum Failures; Number of Failures More than or equal to = 3; Current Question Count only? = False; If above or equal, return = True | Action = NONE; Alert = NONE; Score = 0 |
Questions Active | User: Question Status; User Question Status = Set; Is = True | Action = NONE; Alert = NONE; Score = 0 |
Challenge Email Available | Session: Check value in comma separated values; Parameter Key = AvailableChallengeTypes; Value to Check = ChallengeEmail; Return if in list = True | Action = NONE; Alert = NONE; Score = 0 |
Challenge SMS Available | Session: Check value in comma separated values; Parameter Key = AvailableChallengeTypes; Value to Check = ChallengeSMS; Return if in list = True | Action = NONE; Alert = NONE; Score = 0 |
Check for HIGH Risk Score | Session: Check Risk Score Classification; Risk score classification to check = High Risk; Default value to return in case of errors = False | Action = NONE; Alert = NONE; Score = 0 |
OAAM Challenge: Trigger Combinations
Table 11-22 OAAM Challenge Trigger Combinations
Description | Combination Detail | Result |
---|---|---|
Allow the user to register if the risk score is not High and if the user is not registered | Check for High Risk Score = False; Questions Active = False; Challenge Email Available = False; Challenge SMS Available = False; Max failed Question Attempts = Any; Max failed Email Attempts = Any; Max failed SMS Attempts = Any | Policy = NONE; Action = OAAM Allow; Alert = NONE; Score = 0 |
Challenge the user with SMS if the risk score is High and he is registered for SMS and has not failed the maximum number of SMS challenges. | Check for High Risk Score = TRUE; Questions Active = Any; Challenge Email Available = Any; Challenge SMS Available = TRUE; Max failed Question Attempts = Any; Max failed Email Attempts = Any; Max failed SMS Attempts = False | Policy = NONE; Action = OAAM Challenge SMS; Alert = NONE; Score = 0 |
Challenge the user with email if the risk score is High and he has registered for email and he did not fail the email challenge the maximum number of times yet. | Check for High Risk Score = HIGH; Questions Active = Any; Challenge Email Available = TRUE; Challenge SMS Available = Any; Max failed Question Attempts = Any; Max failed Email Attempts = FALSE; Max failed SMS Attempts = Any | Policy = NONE; Action = OAAM Challenge Email; Alert = NONE; Score = 0 |
Challenge the user with questions if he has challenge questions active and has not failed the maximum number of challenges for questions | Check for High Risk Score = Any; Questions Active = TRUE; Challenge Email Available = Any; Challenge SMS Available = Any; Max failed Question Attempts = TRUE; Max failed Email Attempts = Any; Max failed SMS Attempts = Any | Policy = NONE; Action = OAAM Challenge Question; Alert = NONE; Score = 0 |
Challenge the user with OTP via SMS if he has not failed Challenge SMS and he is registered for SMS. | Check for High Risk Score = Any; Questions Active = Any; Challenge Email Available = Any; Challenge SMS Available = TRUE; Max failed Question Attempts = Any; Max failed Email Attempts = Any; Max failed SMS Attempts = FALSE | Policy = NONE; Action = OAAM Challenge SMS; Alert = NONE; Score = 0 |
Challenge the user with email if he is registered for email and he did not fail the email challenge the maximum number of times yet. | Check for High Risk Score = Any; Questions Active = Any; Challenge Email Available = TRUE; Challenge SMS Available = Any; Max failed Question Attempts = Any; Max failed Email Attempts = FALSE; Max failed SMS Attempts = Any | Policy = NONE; Action = OAAM Challenge Email; Alert = NONE; Score = 0 |
Block the user if he has not registered for questions or OTP and the risk score is High. This block can be overridden using the "Temp Allow" functionality. | Check for High Risk Score = TRUE; Questions Active = FALSE; Challenge Email Available = FALSE; Challenge SMS Available = FALSE; Max failed Question Attempts = Any; Max failed Email Attempts = Any; Max failed SMS Attempts = Any | Policy = NONE; Action = OAAM BLOCK; Alert = NONE; Score = 0 |
Challenge Block the user if he failed to answer all types of challenge mechanisms. Note: This block cannot be overridden through the "Temp Allow" functionality. | All rules with result = ANY | Policy = NONE; Action = OAAM Challenge BLOCK; Alert = NONE; Score = 0 |
Customer care policies are presented in this section.
This policy determines if the user has active questions, more questions left for the challenge, and how many challenges have failed.
OAAM Customer Care Ask Question: Details of Rules
Table 11-24 OAAM Customer Care Ask Question Rule Details
Rule | Rule Condition and Parameters | Results |
---|---|---|
No Questions | USER: Question Status. Triggers when users do not have questions registered. Two possible scenarios are un-registered users and users with questions reset by customer care. Question status of the user; User Question Status = Not Set; Is = True | Action = OAAM No User Questions; Alert = NONE; Score = 0; Weight = 100 |
Maximum Answers Failed | USER: Challenge Channel Failure. Triggers when user failed maximum allowed answers with current question. Count is combination of customer care and online challenge. If a user has a failure counter value over a specified value from specific channel; Challenge Channel = <select>; Current Question Count only? = true; Failures greater than or equal to = 3 | Action = OAAM Next Question; Alert = NONE; Score = 0; Weight = 100 |
Question Blocked | User: Challenge Question Failure. Checks how many questions have failures; Failure more than or equal to = 1 | Action = OAAM Reset Question; Alert = NONE; Score = 0; Weight = 100 |
Maximum Questions Failed | User: Question Failure. Triggers when user fails the maximum allowed questions; Failure more than or equal to = 3 | Action = NONE; Alert = NONE; Score = 0; Weight = 100 |
The following sections provide security policy use case scenarios.
All users using a WebZIP browser must be blocked from attempting a login.
user1 uses WebZip and tries to log in to the application.
user1 is blocked.
The administrator logs in to OAAM Admin.
The administrator views the session for user1.
The administrator sees that Rule: "WEBZIP" used was triggered.
User "test user" is a registered user. He is traveling on business to a different country and does not have access to email or phone. The IP he logs in from is considered a risky IP and hence, he is challenged by SMS. Since he cannot access his OTP, he fails to answer the OTP challenge by SMS. He is now challenged via KBA and unfortunately, he forgot the answers to his challenge questions. He guesses and answers the questions incorrectly. He is now locked out of the system. He calls the CSR and proves his identity. The CSR unlocks the user so he can log in again.
OTP is set up for SMS and Email.
The auto-learning policy (OAAM does user have profile) is disabled.
The user is registered as testuser.
His IP is in the Risky IP group.
testuser tries to log in to the application.
testuser is challenged via SMS.
testuser answers incorrectly 3 times.
testuser is challenged via KBA.
testuser answers challenge question incorrectly 3 times.
testuser is locked out.
CSR must create a case and then unlock challenge questions for the user.
testuser is able to log in to the application successfully.
User "anonymizer" logs in using an IP which is considered an anonymizer in the Quova geolocation database. The user is blocked and a case is automatically created with the proper information. The investigator works on the case, adds a disposition, and closes the case.
Administrator
The administrator logs in to OAAM Admin.
He creates a new action instance using the action template "Create customer care case".
He selects the "post-authentication" checkpoint, the Block action, a score of "1000," and case type "2".
User
New user "anonymizer" tries to log in to the application.
The user is blocked.
A fraud case is automatically created.
Investigator
The investigator logs in to OAAM Admin as an Investigator.
He opens the case and adds notes.
He closes the case with a disposition.
User "test user2" is a registered user. He resides in the United States and hence, all his logins are typically from the United States. He is traveling on business to China and performs a few logins from there. Since OAAM identifies that this is not the normal behavior, it challenges the user.
Rules:
The rule triggers only when the device used appears to have traveled faster than 600 MPH in the last 20 hours. A trigger results in a challenge action and alerts informative enough to determine why the challenge was generated.
The following rule only triggers a challenge action when both conditions are false: Has this user used this country more than 2 times ever?
AND
Has this user used this country more than 10% in the last month?
If a user is challenged post-authentication, and he has KBA active, and he does not have OTP active and the risk is above 600, then he should be asked a KBA question.
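The two travel rules above, worked through for the "test user2" scenario as an added example (not OAAM code). It also shows the boundary cases: a plausible 15-hour journey and a login outside the 20-hour window do not trigger the velocity rule. The haversine distance, the city coordinates, the login record layout, and the choice to exclude the current login from the history are assumptions.

```python
import math

EARTH_RADIUS_MILES = 3958.8
HOUR = 3600


def great_circle_miles(a, b):
    """Haversine distance between two (lat, lon) points given in degrees."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_MILES * math.asin(math.sqrt(h))


def device_max_velocity(prev, cur, within_seconds=72000, max_mph=600):
    """Device Maximum Velocity: last login within 72000 s and speed above 600 MPH."""
    elapsed = cur["ts"] - prev["ts"]
    if elapsed < 0 or elapsed > within_seconds:
        return False                      # out of window (or clock skew)
    hours = max(elapsed, 1) / HOUR        # avoid dividing by zero
    return great_circle_miles(prev["geo"], cur["geo"]) / hours > max_mph


def country_is_unfamiliar(country, history, now,
                          more_than_times=2, more_than_pct=10,
                          month=30 * 24 * HOUR):
    """True only when BOTH questions from the rule are answered 'no':
    used this country more than 2 times ever, and more than 10% in the last month."""
    ever = sum(1 for l in history if l["country"] == country)
    last_month = [l for l in history if 0 <= now - l["ts"] <= month]
    hits = sum(1 for l in last_month if l["country"] == country)
    pct = 100 * hits / len(last_month) if last_month else 0.0
    return not (ever > more_than_times) and not (pct > more_than_pct)


def login(ts, country, geo):
    return {"ts": ts, "country": country, "geo": geo}


def evaluate(history, cur):
    """Apply both rules to the current login; history holds earlier logins only."""
    prev = max(history, key=lambda l: l["ts"])   # assumed: same device as cur
    return {
        "velocity": device_max_velocity(prev, cur),
        "unfamiliar_country": country_is_unfamiliar(cur["country"], history, cur["ts"]),
    }


# Constructed sample data: 20 daily US logins, the latest 6 hours before NOW.
SF, BEIJING = (37.77, -122.42), (39.90, 116.40)
NOW = 1_700_000_000
US_HISTORY = [login(NOW - 6 * HOUR - d * 24 * HOUR, "US", SF) for d in range(20)]

if __name__ == "__main__":
    cur = login(NOW, "CN", BEIJING)
    print(round(great_circle_miles(SF, BEIJING)), "miles")
    print(evaluate(US_HISTORY, cur))
```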