Account takeover protection

While Rupt offers account sharing monitoring and protection, the underlying technology is also useful for account takeover protection. For example, Rupt can be used to identify devices not typically seen with a specific account. If the device looks suspicious, sites and apps can block the login attempt or trigger a multi-factor authentication challenge.

This feature operates under the Zero Trust security model: none of the information about devices or accounts is exposed to the client. The client only receives an opaque token, which is then used to complete the identification on the server side.

How to use Rupt for account takeover protection

  1. On the authentication page, call the identify function:
    const res = await Rupt.identify({
      client_id: "YOUR_API_CLIENT_ID",
    });
    console.log(res.identification);
    

    Rupt returns a response that looks like this:
    {
      "identification": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
    }
    

    This is the identification token for the device. You will send this to your server. The server will then check if the device has been seen before on this account in the next step.
  2. On the server, complete the identification by calling the complete endpoint. This will return the device ID and whether the device has been seen before on this account.
    {
      "access": "651e72f5cc64cb48d6f860d7",
      "device": "651e72eccc64cb48d6f860c0",
      "new_device": false,
      "metadata_fields": {
        "key": ["value1", "value2", "..."]
      }
    }
    
  3. If the new_device field is true, then the device has never been seen before on this account. You can use this to trigger a multi-factor authentication challenge or block the login attempt.

    The field new_device is only true the first time a device is seen on an account; on every later sighting it is false. Because that first sighting is the only time Rupt flags the device, be sure to trigger a multi-factor authentication challenge or block the login attempt at that point, since the signal will not be repeated.

  4. Alternatively, store the device ID together with its MFA/2FA status in the product's own database, or use the metadata_fields field to record whether the device has been verified via 2FA. For example, with a field called 2fa_verified: if it is absent, the device has not been verified via 2FA; if it is present, the device has been verified. It is important to update metadata_fields when a device is verified via 2FA. This can be done by calling the /device/:device_id/metadata endpoint.
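The following is an added example, not code from Rupt's documentation or SDK. It shows the server-side half of steps 2 to 4 as a single decision function: complete the identification, then allow the login, demand an MFA challenge, or block, using both new_device and a 2fa_verified metadata key. Because this page does not give the URL or parameters of the complete endpoint, the HTTP call is abstracted behind a caller-supplied completeIdentification(token) function (an assumption), and the body sent to /device/:device_id/metadata is likewise an assumed shape. All IDs and tokens below are constructed placeholders.

```javascript
// Added example (not Rupt's own code). Assumptions: completeIdentification(token)
// resolves to the completion JSON shown in step 2; the metadata update body
// shape is invented; all IDs are placeholders.

// Metadata key the product uses to record a passed MFA challenge (name from step 4).
const MFA_KEY = "2fa_verified";

// Decide what to do with a login given Rupt's completion response.
// Returns "allow", "require_mfa" or "block".
function decideLogin(completion, { blockNewDevices = false } = {}) {
  // Fail closed: without a device ID there is nothing to reason about.
  if (!completion || typeof completion.device !== "string") {
    return "block";
  }
  const meta = completion.metadata_fields || {};
  const mfaVerified = Object.prototype.hasOwnProperty.call(meta, MFA_KEY);

  // First sighting of this device on the account: challenge or block now,
  // because new_device will be false on every later login.
  if (completion.new_device === true) {
    return blockNewDevices ? "block" : "require_mfa";
  }
  // Seen before: rely on the stored MFA status, not on new_device alone.
  return mfaVerified ? "allow" : "require_mfa";
}

// Build the metadata update to send after a successful MFA challenge.
// The path is the one named in step 4; the body shape is an assumption.
function verifiedMetadataUpdate(deviceId) {
  return {
    path: `/device/${encodeURIComponent(deviceId)}/metadata`,
    body: { [MFA_KEY]: ["true"] },
  };
}

// Full login flow: complete the identification token from the client, decide,
// and report the device ID so the caller can persist its MFA status.
async function handleLogin(identificationToken, deps, options) {
  const completion = await deps.completeIdentification(identificationToken);
  const decision = decideLogin(completion, options);
  return { decision, device: completion ? completion.device : null };
}

// Constructed sample responses in the shape shown in step 2 (placeholder IDs).
const SAMPLE_NEW_DEVICE = {
  access: "ACCESS_ID_PLACEHOLDER",
  device: "DEVICE_ID_PLACEHOLDER_1",
  new_device: true,
  metadata_fields: {},
};
const SAMPLE_SEEN_UNVERIFIED = { ...SAMPLE_NEW_DEVICE, new_device: false };
const SAMPLE_SEEN_VERIFIED = {
  ...SAMPLE_SEEN_UNVERIFIED,
  device: "DEVICE_ID_PLACEHOLDER_2",
  metadata_fields: { [MFA_KEY]: ["true"] },
};

// Stand-in for the network call: returns a canned response per token.
function fakeComplete(responses) {
  return async (token) => responses[token] || null;
}

async function demo() {
  const completeIdentification = fakeComplete({
    "tok-new": SAMPLE_NEW_DEVICE,
    "tok-seen": SAMPLE_SEEN_UNVERIFIED,
    "tok-verified": SAMPLE_SEEN_VERIFIED,
  });
  for (const token of ["tok-new", "tok-seen", "tok-verified", "tok-unknown"]) {
    const result = await handleLogin(token, { completeIdentification });
    console.log(token, result);
    if (result.decision === "require_mfa" && result.device) {
      // After the user passes the challenge, record it on the device.
      console.log("  would send", verifiedMetadataUpdate(result.device));
    }
  }
}

if (typeof require !== "undefined" && require.main === module) {
  demo();
}
```

In a real deployment, completeIdentification would perform the authenticated server-to-server request to Rupt's complete endpoint and verifiedMetadataUpdate's output would be sent only after the MFA challenge succeeds; the decision logic itself is independent of the transport.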