Whether it’s prohibiting the online sale of alcohol to underage users, challenging users from a particular geographical region in response to unusual traffic patterns in that area, or creating allowlists for certain trusted IPs, writing and orchestrating simple rules should be a straightforward task. However, fraud innovation and the complexity of applications and systems underpinning identity management today can make orchestrating simple decisions an incredibly complicated process. That’s why we’re excited to announce the launch of our new Identity Decisioning service: a centralized decisioning service that lets you quickly create no-code rules that can be easily tested and safely deployed in real time by leveraging our platform’s security and risk intelligence capabilities.
What is identity decisioning?
Identity decisioning is a process that evaluates the risk associated with a given user against a predefined set of rules to determine how to interact with that user. To effectively evaluate these risk signals, a platform or service must have access to a variety of different data sources, such as PEP and AML watchlists, background checks and threat detection mechanisms such as behavioral biometrics, network analysis and global intelligence. These data sources — along with information collected directly from users, telemetry collected during user interactions and data extracted from documents provided during identity proofing — can all help to validate the authenticity of a user’s identity claims and the risk associated with their requests.
Once these risk signals have been collected, they must be evaluated against a predefined set of rules designed to not only reduce risk, but ensure the best possible user experience in doing so. And this balance will vary based on the needs of the business and its users, as decisioning rules must take into account factors including:
- Costs associated with user churn or account fraud
- Compliance regulations
- The business’s targets for growth
- The technical complexity of implementation
- The cost of implementing and maintaining rules
- Users’ ability to understand and comply with rules
To ensure the best possible balance of these considerations, businesses must have the ability to dynamically apply safeguards such as data validation, identity verification, multifactor authentication and step-ups.
How does Identity Decisioning work on the Transmit Security platform?
Our Identity Decisioning service provides a simple UI for users to write and orchestrate rules based on risk signals from three of our platform’s services:
- Detection and Response collects telemetry such as the IP address, country, browser, OS version, device and user identifier associated with the request and evaluates the risk therein using a range of detection methods and threat intelligence.
- Data Validation evaluates the reputation and authenticity of phone numbers, email addresses, physical addresses, SSNs, and full names directly provided by an application’s users by comparing them against multiple external databases.
- Identity Verification extracts data such as the user’s age and the document’s type, region, country and expiration date from government documents, which are evaluated for authenticity and compared to user selfies for liveness checking.
In the UI, users simply choose the rule type based on which service (Detection and Response, Data Validation, or Identity Verification) will be used to assess risk, and enter a handful of parameters:
- The attribute the rule pertains to (email, IP address, age, SSN, etc.)
- The boolean operator for the rule (greater / less than, in / not in, is / is not, etc.)
- The input value for the rule
- The rule decision (deny, challenge, allow, trust)
For example, a developer that wanted to prevent the online sale of alcohol to minors could easily create a rule to block them from making transactions on the site by simply setting parameters such as Identity Verification > age > less than > 21 > deny.
The rule can then be evaluated against any logical conditions, such as rule priority, which can be easily orchestrated by organizing rules according to priority level within the UI.
This simple UI provides users an easy way to create, edit, and manage rules that leverage internal intelligence — enabling better decisioning accuracy and fewer false positives. By creating logical, boolean rules that leverage risk signals from a wide range of external data sources, identity verification services, and our best-in-breed risk engine, businesses can quickly meet a broad range of use cases, such as:
- creating allowlists or blocklists
- age-limiting the sale of certain products
- blocking new accounts from users with disposable email addresses
- approving or denying loan applications based on credit scores
Rules can also be easily created, updated, deleted or retrieved using the Rules API. Similar to the UI, the API version enables users to quickly add, update or delete custom rules. In order to create a rule, developers only need to set the rule type, attribute, operator, input value and priority level, then choose whether to deploy the rule in preview or production. Developers can also use the API to fetch a specific rule by ID or a list of all rules that govern the decisioning process in Detection and Response, Data Validation and Identity Verification.
More information about Identity Decisioning and how to use decisioning rules can be found in the Decisioning Rules documentation.
The need for identity decisioning
Identity decisioning is a critical component of any online platform or service. It involves collecting a variety of risk signals, evaluating them against predefined rules, and making decisions about how to interact with a given user. This enables platforms and services to effectively protect against fraud and other malicious activity while providing a positive user experience.
With our Identity Decisioning service, businesses can easily achieve this goal, using the Transmit Security Platform to validate user identities and block known malicious users during registration, orchestrate risk-and-context based authentication, extend sessions for users that exhibit strong trust signals or dynamically invoke identity proofing, multi-factor authentication and step-ups for users that are flagged as suspicious. This service is now available in preview, and current customers can enable it by contacting their sales representative. If you are not a current customer and are interested in learning more, contact our sales team to schedule a demo.