Version: v5

Authentication integration

The entire flow is as follows:

  1. Your app gathers the Installation ID (provided via the Incognia SDK).
  2. Your app initiates an authentication request to Auth0 with custom parameters.
  3. The authentication request passes through the Rules pipeline.
  4. The Incognia Rule assesses the risk and adds the result to context.idToken.
  5. Your app links the device to the account identifier in the onAuthentication callback.

Using Incognia risk assessment

The Incognia Rule adds information to context.idToken. You can access it from other Rules or from the app itself.

Adaptive MFA with Rules

An example use case is bypassing the MFA requirement for low-risk logins. The Rule below shows one way to implement it. First, the Rule reads the risk assessment result and decides whether an MFA prompt is needed:

// The claim name (second argument) is elided on this page; use the claim your Incognia Rule writes
const assessment = _.get(context.idToken, '', 'unknown_risk')
if (!assessment) {
  console.log(
    'Incognia: no risk assessment is available. Skipping adaptive MFA logic'
  )
  return callback(null, user, context)
}

// Example condition: skip MFA for low risk logins
let shouldPromptMfa
switch (assessment) {
  case 'low_risk':
    shouldPromptMfa = false
    break
  case 'unknown_risk':
    shouldPromptMfa = true
    break
  case 'high_risk':
    shouldPromptMfa = true
    break
  default:
    // Unrecognised value: fail closed and prompt for MFA
    shouldPromptMfa = true
}

Then, the Rule checks whether the user is enrolled in MFA using user.multifactor; the challenge is only triggered when the user has at least one enrolled factor, so a user who is not enrolled is not prompted:

// Only prompt for MFA if the user enabled it
const userEnrolledFactors = user.multifactor || []
const canPromptMfa = userEnrolledFactors.length > 0

if (shouldPromptMfa && canPromptMfa) {
  context.multifactor = {
    provider: 'any',
    allowRememberBrowser: false
  }
}
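The complete Rule, as an added example that is not Incognia's or Auth0's code: it factors the decision above into a pure function so the policy can be exercised offline, and it fails closed (prompts MFA) for any assessment value it does not recognise. The claim name CLAIM is a placeholder, since the real name is not shown on this page; the user, context and callback shapes follow the Auth0 Rules convention.

```javascript
// Added example, not the project's own code. Assumes the Incognia Rule has
// already written the assessment into context.idToken under CLAIM.
const CLAIM = 'https://example.com/incognia_risk'; // placeholder claim name

// Pure policy: which assessments require a challenge. Anything not listed
// (typos, new values) prompts MFA, so an unexpected value fails closed.
function shouldPromptMfa(assessment) {
  const policy = { low_risk: false, unknown_risk: true, high_risk: true };
  return Object.prototype.hasOwnProperty.call(policy, assessment)
    ? policy[assessment]
    : true;
}

// Combines the risk decision with the user's enrolment state. Returns the
// multifactor object to set on the Auth0 context, or null to leave MFA alone.
function decideMfa(assessment, user) {
  const enrolledFactors = (user && user.multifactor) || [];
  if (assessment === undefined || assessment === null) {
    return null; // no assessment available: skip the adaptive logic
  }
  if (shouldPromptMfa(assessment) && enrolledFactors.length > 0) {
    return { provider: 'any', allowRememberBrowser: false };
  }
  return null;
}

// The Rule itself, in the (user, context, callback) shape Auth0 Rules use.
function incogniaAdaptiveMfaRule(user, context, callback) {
  const assessment = context.idToken ? context.idToken[CLAIM] : undefined;
  const mfa = decideMfa(assessment, user);
  if (mfa) {
    context.multifactor = mfa;
  }
  return callback(null, user, context);
}

// Offline simulation with constructed inputs (no Auth0 tenant involved).
// Returns the multifactor setting the Rule left on the context, or null.
function simulate(assessment, factors) {
  const user = { user_id: 'auth0|constructed', multifactor: factors };
  const context = { idToken: {} };
  if (assessment !== undefined) context.idToken[CLAIM] = assessment;
  let result = null;
  incogniaAdaptiveMfaRule(user, context, (err, u, ctx) => {
    result = ctx.multifactor || null;
  });
  return result;
}

console.log(simulate('low_risk', ['guardian']));   // null: low risk, no prompt
console.log(simulate('high_risk', ['guardian']));  // { provider: 'any', ... }
console.log(simulate('high_risk', []));            // null: user not enrolled
```

The explicit fail-closed default matters because an unhandled switch case in a Rule leaves the decision variable undefined, which the later `if` treats as "do not prompt".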

Accessing from the app

You can also access Incognia risk assessment from the app. This is useful to further customize the flow of the user based on the assessment result.

The result is stored as a claim in the ID token, which the app can read from the decoded JWT in the onAuthentication callback as follows:

WebAuthProvider.login(account)
    .withParameters(loginParams)
    .withScope("...")
    .withAudience("...")
    .start(this, object : Callback<Credentials, AuthenticationException> {
        override fun onFailure(exception: AuthenticationException) {
            Incognia.clearUserId()
        }

        override fun onSuccess(credentials: Credentials) {
            // Links this device to the account
            val jwt = JWT(credentials.idToken)
            Incognia.setUserId(jwt.subject)

            // The claim name is elided on this page; use the one your Incognia Rule writes
            val riskSignal = jwt.getClaim("").asString()
            if (riskSignal == "high_risk") {
                // custom flow for high risk logins
            }
        }
    })
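To make the app-side read concrete, here is an added example (not Incognia's or Auth0's code) that shows how the assessment written by the Rule appears as a claim in the ID token and how the onSuccess logic above maps to plain JWT handling. CLAIM is a placeholder for the namespaced claim name, which is elided on this page; the token is constructed for illustration with a dummy signature segment. In the app, only read claims from a token the Auth0 SDK has already validated (signature, issuer, audience, expiry), as the WebAuthProvider flow does.

```javascript
// Added example, not the project's own code. Node.js, no external packages.
const CLAIM = 'https://example.com/incognia_risk'; // placeholder, not the real name

function base64urlJson(obj) {
  return Buffer.from(JSON.stringify(obj)).toString('base64url');
}

// Builds an ID-token-shaped string the way the Rule's output would look once
// Auth0 mints the token. Every value here is constructed; the signature is a dummy.
function buildConstructedIdToken(assessment) {
  const header = { alg: 'RS256', typ: 'JWT' };
  const payload = {
    iss: 'https://example-tenant.auth0.com/',
    sub: 'auth0|constructed-user',
    aud: 'constructed-client-id',
    iat: 1700000000,
    exp: 1700003600,
  };
  if (assessment !== undefined) payload[CLAIM] = assessment;
  return `${base64urlJson(header)}.${base64urlJson(payload)}.constructedsignature`;
}

// Decodes the payload segment of an already-validated token.
function decodePayload(idToken) {
  const parts = idToken.split('.');
  if (parts.length !== 3) throw new Error('not a JWT');
  return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
}

// Equivalent of jwt.getClaim(CLAIM).asString() in the Kotlin snippet. A missing
// or non-string claim is reported as 'unknown_risk', so the absence of an
// assessment is never mistaken for a low-risk login.
function riskFromIdToken(idToken) {
  const value = decodePayload(idToken)[CLAIM];
  return typeof value === 'string' ? value : 'unknown_risk';
}

// Mirrors onSuccess: link the device to the subject, then branch on the signal.
// Returns what the app would act on instead of calling the Incognia SDK.
function handleLoginSuccess(idToken) {
  const payload = decodePayload(idToken);
  const riskSignal = riskFromIdToken(idToken);
  return {
    userId: payload.sub,            // value passed to Incognia.setUserId(...)
    riskSignal,
    customFlow: riskSignal === 'high_risk', // the "custom flow for high risk logins" branch
  };
}

console.log(handleLoginSuccess(buildConstructedIdToken('high_risk')));
console.log(handleLoginSuccess(buildConstructedIdToken(undefined)));
```

Custom claims added from a Rule must use a namespaced (URL-style) name; Auth0 drops non-namespaced custom claims from the token, which is the first thing to check if the claim appears to be missing on the app side.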