Account takeover protection
Rupt offers a comprehensive account takeover protection solution. It detects when an account is being accessed from a new device or geo-location, or is being used in an unusual way, and in that case redirects the user to a managed challenge page where they verify their identity.
How to use Rupt for account takeover protection
Project settings
Go to your project settings and enable account takeover protection and the managed challenge page. Logins Rupt flags as suspicious are then redirected to the managed challenge page, where the user verifies their identity. If you don't want to use the managed challenge page, you can disable it and write your own challenge page using this guide.
Browser side
- Install the Rupt Browser SDK:
yarn add rupt
#OR
npm install rupt
- Include the Rupt Browser SDK on the authentication page:
import Rupt from "rupt";
Or include the Rupt Browser SDK from a CDN:
<script src="https://cdn.rupt.com/browser/latest/rupt.js"></script>
- Call the evaluate method from the browser SDK:
await Rupt.evaluate({
client_id: process.env.NEXT_PUBLIC_CLIENT_ID,
action: "login",
user: "USER_ID",
email: "EMAIL",
phone: "PHONE",
success_url: "https://example.com/success",
});
If the device should be challenged, evaluate redirects the user to the managed challenge page, where they verify their identity with a two-factor authentication code. If evaluate does not redirect, continue with your authentication flow as normal.
- Once the user has verified their identity, they will be redirected to the success_url with the challenge id:
https://example.com/success?challenge=CHALLENGE_ID
Use the CHALLENGE_ID to verify the status of the challenge before treating the user as authenticated. Do this on the server side with your API secret: the id arrives in a client-controlled query string, so a check performed only in the browser can be bypassed by anyone who can edit the URL.
Server side
- Include the Rupt Node SDK:
yarn add @ruptjs/core
#OR
npm install @ruptjs/core
- Initialize the Rupt Node SDK with your project API secret:
import Rupt from "@ruptjs/core";
const rupt = new Rupt("API_SECRET");
- Call the getChallenge method on the initialized client to get the challenge status:
const challenge = await rupt.getChallenge(CHALLENGE_ID);
curl -X GET https://api.rupt.com/v2/challenges/CHALLENGE_ID \
-H "Authorization: Bearer API_SECRET" \
-H "Content-Type: application/json"
For more information, see retrieve a challenge.
If the challenge status is completed, you can continue with your authentication flow. Any other status means the user has not verified their identity, and the login must not proceed.
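The following is an added example of the server-side handler for the success_url redirect; it is not Rupt's own code. The page states only that the challenge id arrives as ?challenge=CHALLENGE_ID and that a retrieved challenge has a status of "completed" once the user verified their identity. The id charset, the user field used to bind the challenge to the session, and the in-memory replay set are assumptions made for illustration; the getChallenge call is injected so the code runs offline and can be wired to rupt.getChallenge from @ruptjs/core in production.

```javascript
// Added example, not Rupt's own code. Assumptions beyond what the page
// states: the challenge id charset, the `user` field on the retrieved
// challenge, and the in-memory replay set.

// Pull the challenge id out of the success_url the browser landed on.
// Returns null for a missing, empty or malformed id so the API is never
// called with attacker-chosen junk. The charset is a defensive assumption.
function parseChallengeId(redirectUrl) {
  let parsed;
  try {
    parsed = new URL(redirectUrl);
  } catch (err) {
    return null;
  }
  const id = parsed.searchParams.get("challenge");
  return id && /^[\w-]{1,128}$/.test(id) ? id : null;
}

// Challenge ids this server has already accepted (assumption: in-memory;
// a real deployment would keep this in a shared store with a TTL).
const consumedChallenges = new Set();

// Decide whether a login may complete. `getChallenge` is injected so the
// function runs offline in tests; in production pass
//   (id) => rupt.getChallenge(id)
// using the @ruptjs/core client shown on the page. `expectedUser` is the
// user id the current session is logging in as.
async function verifyChallenge(redirectUrl, expectedUser, getChallenge) {
  const id = parseChallengeId(redirectUrl);
  if (!id) return { ok: false, reason: "missing_or_malformed_challenge_id" };

  // Replay protection: one completed challenge finishes at most one login.
  if (consumedChallenges.has(id)) return { ok: false, reason: "challenge_replayed" };

  let challenge;
  try {
    challenge = await getChallenge(id);
  } catch (err) {
    // Fail closed: a failed server-side lookup never logs the user in.
    return { ok: false, reason: "lookup_failed" };
  }

  // "completed" is the only state the page documents as verified.
  if (!challenge || challenge.status !== "completed") {
    return { ok: false, reason: "challenge_not_completed" };
  }

  // Binding check (assumption: the challenge echoes the `user` passed to
  // Rupt.evaluate). Without it a completed challenge for user A could be
  // pasted into user B's login flow.
  if (challenge.user !== undefined && challenge.user !== expectedUser) {
    return { ok: false, reason: "challenge_user_mismatch" };
  }

  consumedChallenges.add(id);
  return { ok: true, challengeId: id };
}
```

Call verifyChallenge from the route that serves success_url, with the user id taken from the pending login session rather than from the request, and only create the authenticated session when it returns ok: true. Every failure reason above is a reason to stop, including a lookup error; never fall back to trusting the redirect because the API was unreachable.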