Applying RBA Rules in the Console

Objective

After completing this lesson, you will be able to identify the criteria and actions that RBA rules can apply to login attempts, adding an extra layer of account security to your site.

What is Risk-Based Authentication?

Risk-Based Authentication (RBA) offers a dynamic approach to enhancing account security: it evaluates the risk associated with each login attempt and applies an appropriate authentication challenge.

Figure: three interconnected concepts: Added Account Security, Calculated Risk Level, and Authentication Challenges.

Risk-Based Authentication (RBA) is a crucial security measure that adds an extra layer of protection to your site against malicious attacks and hacking attempts. It works by assessing the risk level associated with each login attempt and challenging users based on that risk.

RBA Key Features

Key Features: Template-Based Rule Components, Account Takeover Protection, Accounts Policy Object, Impossible Traveler, Unknown Location Notification.
  • Template-Based RBA Rule Components – You can create new RBA rules based on existing templates or build custom rules tailored to your specific needs.
  • Account Takeover Protection (ATO) – Helps identify and protect against malicious activity while leaving a frictionless user experience for legitimate users.
  • Impossible Traveler – Flags logins from a location that is impossibly far from the user's previous login within a short timeframe, so the site policy can respond (for example, by notifying the user).
  • Accounts RBA Policy Object – Defines the Risk-Based Authentication policy for the site or site group.
  • User-Enabled TFA – Lets individual users opt in to Two-Factor Authentication (TFA) for their own account.
  • Unknown Location Notification – If a user logs in from a country they have never logged in from before, the site policy can require that a notification be sent to the user with a link to secure the account by resetting the password.
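The Impossible Traveler check above reduces to a distance-over-time calculation: geolocate the previous and current login IPs, compute the great-circle distance, and divide by the elapsed time. The following is an added example written for this page, not SAP Customer Data Cloud code; the speed threshold, the minimum distance used to ignore geolocation jitter, and the sample logins are assumptions.

```python
"""Impossible-traveler check (added example, not SAP Customer Data Cloud code).

Compares a user's previous login with the current one: the great-circle distance
between the two geolocated IPs, divided by the elapsed time, gives the speed the
user would have needed. Above an assumed plausible maximum, the login is
flagged. Coordinates, thresholds and sample logins below are constructed.
"""
import math
from dataclasses import dataclass
from datetime import datetime, timezone

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 1000.0  # assumption: roughly airliner speed including airport time
MIN_DISTANCE_KM = 100.0     # assumption: ignore IP-geolocation jitter within a region


@dataclass(frozen=True)
class Login:
    when: datetime   # timezone-aware login time
    lat: float       # geolocated latitude of the client IP
    lon: float       # geolocated longitude of the client IP


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two WGS84 points, in kilometres."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    d_phi = phi2 - phi1
    d_lambda = math.radians(lon2 - lon1)
    a = math.sin(d_phi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(d_lambda / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def impossible_traveler(prev: Login, cur: Login) -> tuple:
    """Return (flagged, distance_km, implied_speed_kmh) for two consecutive logins."""
    distance = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
    if distance < MIN_DISTANCE_KM:
        return False, distance, 0.0   # too close to say anything
    hours = (cur.when - prev.when).total_seconds() / 3600.0
    if hours <= 0:
        # Same instant or out-of-order timestamps: any real distance is impossible
        return True, distance, math.inf
    speed = distance / hours
    return speed > MAX_PLAUSIBLE_KMH, distance, speed


# Constructed sample logins (city-centre coordinates, not real user data)
FRANKFURT_0900 = Login(datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc), 50.1109, 8.6821)
MUNICH_1000 = Login(datetime(2024, 3, 1, 10, 0, tzinfo=timezone.utc), 48.1351, 11.5820)
SYDNEY_1100 = Login(datetime(2024, 3, 1, 11, 0, tzinfo=timezone.utc), -33.8688, 151.2093)


def demo() -> dict:
    """Evaluate the two sample transitions; returns flags, distances and speeds."""
    return {
        "frankfurt_to_munich": impossible_traveler(FRANKFURT_0900, MUNICH_1000),
        "frankfurt_to_sydney": impossible_traveler(FRANKFURT_0900, SYDNEY_1100),
    }


if __name__ == "__main__":
    for name, (flagged, km, kmh) in demo().items():
        verdict = "IMPOSSIBLE" if flagged else "ok"
        print(f"{name}: {km:,.0f} km at {kmh:,.0f} km/h -> {verdict}")
```

Frankfurt to Munich in an hour (about 300 km/h) passes; Frankfurt to Sydney in two hours (over 8,000 km/h) is flagged. In production the weak link is IP geolocation itself: VPN exits, mobile carrier gateways and corporate proxies move users hundreds of kilometres instantly, which is why this signal is better used to notify or step up authentication than to hard-block.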

RBA Rule Types

Two rule types: Global Rules and Account Rule Sets.

RBA includes two primary types of rules for determining the risk level and its outcomes:

  • Global Rules apply to all login attempts across your site or site groups.
  • Account Rule Sets apply to individual accounts and enforce stronger authentication for accounts with elevated permissions, such as site administrators.

A Policy rule type is also available; it provides customer notifications in specific scenarios such as an impossible traveler or a password reset.

SAP Customer Data Cloud provides several predefined rules of each type and allows you to construct your own custom rules.

For more information, refer to the Risk-Based Authentication documentation in the SAP Help Portal.

RBA Security Options

RBA Security Options: Requiring a CAPTCHA, Two-Factor Authentication, and Lockout/Reject Users.

SAP Customer Data Cloud allows you to apply the following security methods/options to a login attempt:

  • CAPTCHA – Requires the user to pass a CAPTCHA challenge, which helps prevent account compromise through automated (scripted) login attempts.
  • Two-Factor Authentication (TFA) – Requires the user to pass two authentication steps: the password at initial login, and a one-time code received on their mobile device.
  • Lockout – Locks the account or IP address for a specified duration.

Additional multi-factor authentication methods can be implemented via scripting, although they are not supported out of the box.

For more information, refer to the RBA Security Methods documentation in the SAP Help Portal.

RBA Risk Factors

Dialog inviting customer to select an authentication method. Phone is selected, and a text-entry box awaits the verification code sent to the customer's phone. The risk factors listed are: Failed Number of Login Attempts, New Device Login, Percentage of Failed Logins, First Login from a Different Country, and Unknown Location Login.

Several events can trigger a requirement for higher-level authentication:

  • A specified number of failed login attempts from a given account or IP address
  • A percentage of failed logins that exceeds a threshold, evaluated once a specified number of attempts has been made
  • New device used for login
  • First login from a different country or region
  • Login from an unknown location

For more information, refer to the RBA Risk Factors documentation in the SAP Help Portal.

Authentication Methods: Push Two-Factor Authentication

Flow starting at login dialog, where customer enters identifier to log in, moving to second dialog where customer selects between available authentication methods: password or Push Notification. When they select Push Notification, they are shown another dialog to resend the notification; at the same time, a dialog appears on their smartphone asking them to Approve or Deny the request. When the customer clicks Approve, they are logged in.

Overview

Passwordless login is based on a push notification received on a device that holds a valid login session for the customer.

Push Authentication passwordless login is part of the SAP Customer Data Cloud Customer Identity offering. It allows your customers to authenticate on their mobile phones by confirming a push notification instead of entering their password.

The Push Authentication flow is as follows: 

  1. Customer registers to your website with an email or username and creates a password (standard registration, not shown in the diagram above). 
  2. Customer logs into your app on their mobile phone with the same identifier (email or username).
  3. Customer opts for push notifications from inside the mobile app.
  4. The next time the customer logs in to your website, they can choose whether to authenticate with a password or a push notification. 
  5. If the customer chooses push notification, a notification is sent to their mobile phone. 
  6. After confirming the notification, the user is authenticated on your website. 

For more information, refer to the Push Authentication documentation in the SAP Help Portal.
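The six-step flow above leaves the server-side checks implicit. The following is an added example written for this page, not SAP Customer Data Cloud code: a small model of the challenge lifecycle in which only a device that already holds a session for the same identifier can approve, a prompt expires if unanswered, only one prompt per identifier is live at a time, and an approved challenge can be exchanged for a website session exactly once. The device registry, token strings, time-to-live and sample identifiers are assumptions.

```python
"""Push-authentication challenge lifecycle (added example, not SAP Customer Data
Cloud code). Models the server side of the flow: the website creates a login
challenge for an identifier, the registered mobile app approves or denies it,
and the website turns an approved challenge into a session exactly once.
Device registry, token strings, TTL and sample identifiers are assumptions.
"""
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict

CHALLENGE_TTL_S = 60.0  # assumption: an unanswered prompt dies after a minute


@dataclass
class Challenge:
    challenge_id: str
    identifier: str          # email or username the website login started with
    created: float
    status: str = "pending"  # pending -> approved | denied | expired | superseded; approved -> consumed


class PushAuthServer:
    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self.clock = clock
        # device_token -> identifier, filled when the mobile app logs in and
        # opts in to push notifications (steps 2 and 3 of the flow)
        self.device_sessions: Dict[str, str] = {}
        self.challenges: Dict[str, Challenge] = {}

    def register_device(self, identifier: str, device_token: str) -> None:
        self.device_sessions[device_token] = identifier

    def start_login(self, identifier: str) -> Challenge:
        """Steps 4 and 5: the website login chose push; create a challenge."""
        # One live prompt per identifier: a new one supersedes the old, so an
        # attacker cannot pile up prompts hoping one gets approved by mistake.
        for ch in self.challenges.values():
            if ch.identifier == identifier and ch.status == "pending":
                ch.status = "superseded"
        ch = Challenge(secrets.token_urlsafe(16), identifier, self.clock())
        self.challenges[ch.challenge_id] = ch
        # A real system would now push to the devices bound to `identifier`
        # and stay silent if there are none, so the website cannot learn
        # whether the identifier exists.
        return ch

    def respond(self, challenge_id: str, device_token: str, approve: bool) -> str:
        """Step 5: the mobile app answers the prompt. Returns the resulting status."""
        ch = self.challenges.get(challenge_id)
        if ch is None:
            return "unknown"
        if ch.status != "pending":
            return ch.status
        if self.clock() - ch.created > CHALLENGE_TTL_S:
            ch.status = "expired"
            return ch.status
        # The answering device must hold a session for the very account the
        # challenge belongs to; anything else is ignored and the prompt stays
        # pending for the legitimate device.
        if self.device_sessions.get(device_token) != ch.identifier:
            return "rejected-device"
        ch.status = "approved" if approve else "denied"
        return ch.status

    def complete_login(self, challenge_id: str) -> bool:
        """Step 6: the website polls; an approved challenge yields a session once."""
        ch = self.challenges.get(challenge_id)
        if ch is None or ch.status != "approved":
            return False
        ch.status = "consumed"  # single use: replaying the challenge id fails
        return True


def demo() -> Dict[str, object]:
    """Constructed walk-through: approve, replay, deny and timeout."""
    now = [1_000.0]
    srv = PushAuthServer(clock=lambda: now[0])
    srv.register_device("alice@example.com", "dev-token-alice")  # constructed
    out: Dict[str, object] = {}
    ch = srv.start_login("alice@example.com")
    out["attacker_device"] = srv.respond(ch.challenge_id, "dev-token-mallory", True)
    out["alice_approves"] = srv.respond(ch.challenge_id, "dev-token-alice", True)
    out["login"] = srv.complete_login(ch.challenge_id)
    out["replay"] = srv.complete_login(ch.challenge_id)
    ch2 = srv.start_login("alice@example.com")
    out["denied"] = srv.respond(ch2.challenge_id, "dev-token-alice", False)
    out["login_after_deny"] = srv.complete_login(ch2.challenge_id)
    ch3 = srv.start_login("alice@example.com")
    now[0] += CHALLENGE_TTL_S + 1
    out["late_approve"] = srv.respond(ch3.challenge_id, "dev-token-alice", True)
    return out
```

The point of the model is the set of refusals: a foreign device token does not change the challenge at all, a consumed challenge cannot be replayed, and a late approval is dropped. Because anyone who knows an identifier can trigger a prompt, a deployment also needs rate limiting on `start_login` and enough context in the prompt (location, browser) for the user to recognise a request they did not make.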

RBA Rules Configuration

  1. To configure RBA rules, navigate to the Risk Based Authentication page of your SAP Customer Data Cloud Console.

    Here you can also Enable or Disable existing Rules.

    Select the Create New Rule button from the RBA Rules section.

    Screenshot of the Risk Based Authentication tab of the Security page. Below the Account Takeover Protection toggle, the page lists existing RBA Rules. A create button allows the creation of more rules.
  2. On the Rule Flow page, enter the Rule Name and its Type. Choose the Flow the RBA rule will run on and, if available, pick one of the Templates for a quick start. In this example we use "On multiple failed login attempts > lockout IP", but you can pick any other template or use no template at all.

    Choose Create.

    Create RBA Rule dialog. Emphasis placed on the Name field, the Rule Type (Global Rule or Account Rule Set), the rule to apply on Password Login, and a template should be used: On multiple failed login attempts, lockout IP.
  3. On the Rule page, choose the Criteria to edit its existing Parameters.

    Screenshot of the On Multiple Failed Login Attempts > Lockout IP flow. The condition is highlighted, where the number of failed login attempts can be specified, the calculation can be based on IP or Account, and the reset interval can be defined.
  4. After that, select the Action to adjust its default Parameters. Choose Save.

    Screenshot of the On Multiple Failed Login Attempts > Lockout IP flow. The action is highlighted, where the number of seconds the lockout should remain active can be set.
  5. Optionally, you can replace an existing Criteria or Action: erase it first (choose the Trash icon inside its card), then choose the + Add Criteria or + Add Action button.

    These are some of the available Criteria that can be selected:

    Available criteria shown are: Multiple Failed Logins, Percent of Failed Logins, High Risk Score, NPI - Amount of Failed Logins, NPI - Percent of Failed Logins, and User's IP Address.

    And here are some of the available Actions that can be selected:

    Available actions shown are: Enforce Captcha on IP, Lock IP for seconds, Enforce Two-Factor Authentication (TFA), Enforce Captcha on Account, Lock Account for seconds, and Block Request.
  6. Optionally, you can add up to 3 criteria by repeatedly choosing the + Add Criteria button, and combine them with the And or Or operator. With And, all criteria must be true for the Action to execute; with Or, any single criterion that evaluates to true triggers the Action.

    Flow of On Multiple Failed Login Attempts > Lockout IP is shown, with two criteria (500 Multiple Failed Logins and High Risk Score – Score Threshold 0.7) combined with And, and an action: Lock IP for 600 seconds.

    Note: a rule cannot have multiple Actions. As a workaround, create multiple Rules, each with a different Action.

For more information, refer to the RBA Configuration documentation on the SAP Help Portal.
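To make the risk factors and the rule semantics above concrete, the following is an added example written for this page, not SAP Customer Data Cloud code. It evaluates console-style rules (up to three criteria joined by one operator, exactly one action per rule, counters kept per IP or per account and reset after an interval) over a constructed stream of login events, including the lockout-by-IP template and a second rule that combines a failed-login count with a High Risk Score such as ATO would supply. Rule names, thresholds, the risk scores and all events are constructed for illustration.

```python
"""Evaluator for RBA-style rules (added example, not SAP Customer Data Cloud code).
A rule is up to three criteria joined by one operator (And/Or) plus exactly one
action, as in the console; counters are kept per IP or per account and expire
after the reset interval. Rule names, thresholds and login events are constructed.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Callable, Deque, Dict, List, Tuple

@dataclass
class LoginEvent:
    t: int                   # seconds since epoch (constructed)
    ip: str
    account: str
    success: bool
    risk_score: float = 0.0  # 0..1, e.g. supplied by Account Takeover Protection

Criterion = Callable[["RbaEngine", LoginEvent], bool]

@dataclass
class Rule:
    name: str
    criteria: List[Criterion]  # up to 3, as in the console
    operator: str              # "And" | "Or"
    action: str                # "Lock IP" | "Lock Account" | "Enforce Captcha on IP" | "Block Request"
    action_seconds: int = 0

def key(basis: str, ev: LoginEvent) -> str:
    return f"{basis}:{getattr(ev, basis)}"  # e.g. "ip:203.0.113.10", "account:bob"

class RbaEngine:
    def __init__(self, rules: List[Rule]) -> None:
        self.rules = rules
        self.attempts: Dict[str, Deque[Tuple[int, bool]]] = defaultdict(deque)
        self.locks: Dict[str, int] = {}  # key -> unlock time
        self.captcha_required: set = set()

    def stats(self, k: str, now: int, reset_interval: int) -> Tuple[int, int]:
        """(attempts, failures) for `k` within the sliding reset window."""
        dq = self.attempts[k]
        while dq and dq[0][0] <= now - reset_interval:
            dq.popleft()
        return len(dq), sum(1 for _, ok in dq if not ok)

    def handle(self, ev: LoginEvent) -> str:
        # Active locks are enforced before the attempt is counted or any rule runs
        for k in (key("ip", ev), key("account", ev)):
            if self.locks.get(k, 0) > ev.t:
                return f"REJECTED: {k} locked until t={self.locks[k]}"
        for basis in ("ip", "account"):
            self.attempts[key(basis, ev)].append((ev.t, ev.success))
        fired = []
        for rule in self.rules:  # rules are independent; each carries one action
            results = [c(self, ev) for c in rule.criteria]
            if all(results) if rule.operator == "And" else any(results):
                fired.append(self.apply(rule, ev))
        return "; ".join(fired) if fired else ("ALLOWED" if ev.success else "FAILED")

    def apply(self, rule: Rule, ev: LoginEvent) -> str:
        if rule.action == "Lock IP":
            self.locks[key("ip", ev)] = ev.t + rule.action_seconds
        elif rule.action == "Lock Account":
            self.locks[key("account", ev)] = ev.t + rule.action_seconds
        elif rule.action == "Enforce Captcha on IP":
            self.captcha_required.add(ev.ip)
        # "Block Request" keeps no state: the returned outcome denies this attempt only
        return f"{rule.name} -> {rule.action}"

# Criteria factories mirroring the console's parameters
def multiple_failed_logins(threshold: int, basis: str, reset_interval: int) -> Criterion:
    return lambda eng, ev: eng.stats(key(basis, ev), ev.t, reset_interval)[1] >= threshold

def percent_failed_logins(min_attempts: int, percent: float, basis: str, reset_interval: int) -> Criterion:
    def test(eng: RbaEngine, ev: LoginEvent) -> bool:
        n, failed = eng.stats(key(basis, ev), ev.t, reset_interval)
        return n >= min_attempts and 100.0 * failed / n >= percent
    return test

def high_risk_score(threshold: float) -> Criterion:
    return lambda eng, ev: ev.risk_score >= threshold

RULES = [
    Rule("On multiple failed login attempts > lockout IP",
         [multiple_failed_logins(5, "ip", 300)], "And", "Lock IP", 600),
    Rule("Noisy IP > captcha",
         [percent_failed_logins(4, 50.0, "ip", 300)], "And", "Enforce Captcha on IP"),
    Rule("Risky account attack > lock account",
         [multiple_failed_logins(3, "account", 300), high_risk_score(0.7)], "And", "Lock Account", 900),
]

def demo() -> List[str]:
    """Constructed event stream: credential stuffing, a legit typo, an IP rotation."""
    eng = RbaEngine(RULES)
    events = [LoginEvent(t, "203.0.113.10", "bob", False) for t in range(5)] + [
        LoginEvent(5, "203.0.113.10", "bob", False),         # retry into the IP lock
        LoginEvent(10, "198.51.100.7", "alice", False),      # legit user mistypes once
        LoginEvent(12, "198.51.100.7", "alice", True),
        LoginEvent(700, "203.0.113.11", "bob", False, 0.9),  # attacker rotates IP; ATO scores it high
        LoginEvent(701, "203.0.113.11", "bob", False, 0.9),
        LoginEvent(702, "203.0.113.11", "bob", False, 0.9),
        LoginEvent(705, "198.51.100.9", "bob", True),        # the real bob, correct password
    ]
    return [eng.handle(e) for e in events]
```

Two things the run makes visible. First, the "one action per rule" limit is worked around exactly as the note says: the fifth failure fires both the lockout rule and the CAPTCHA rule because they are separate rules. Second, the last event shows the cost of the Lock Account action: after the attacker trips the account rule from a fresh IP, the legitimate owner is rejected too, which is why the IP-based template is the safer default and why CAPTCHA or TFA are gentler responses than a lock.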

Account Take-Over Protection

Account Takeover Protection with AI provides Enhanced security, Adaptive authentication, Location-based risk awareness, and Swift detection and resolution.

The SAP Customer Data Cloud Customer Identity and Access Management (CIAM) offerings for B2C and B2B protect against account takeover using AI and ML capabilities. By combining static rules with these advanced protection measures, businesses can safeguard customer identities, thwart malicious actors, and keep the user experience seamless and secure.

ATO Provides:

  • Enhanced security: AI/ML together with the built-in security measures reduce the risk of breaches and unauthorized access.
  • Adaptive authentication: providing a frictionless experience for legitimate users while adding deterrents for malicious actors.
  • Location-based risk awareness: The system identifies high-risk attack locations for targeted security measures.
  • Swift detection and resolution: Attacks are quickly detected and resolved, minimizing potential damage.

ATO will provide an additional risk score that can trigger rules in RBA. 

ATO Protection is currently unavailable for global sites and site groups.

For more information refer to the Account Takeover Protection (ATO) documentation in the SAP Help Portal.

ATO Protection Using AI

Diagram showing first a flow without AI: Enforce strong password policies, Implement multi-factor authentication, Monitor user activity, Analyze login patterns, Implement session management, Regular Security Audits, Address vulnerabilities, Educate users on security best practices and safe password practices, then repeat the cycle. By contrast, a second flow, with Embedded AI, starts with Implement intelligent security measures; while the system is monitoring and blocking suspicious IP addresses, embedded AI performs Advanced user behavior analysis, Anomaly detection, Risk-based authentication, and Real-time threat intelligence. The flow then moves to Continuous learning and adaptation.

AI-driven account takeover protection enhances security measures through advanced user behavior analysis, anomaly detection, risk-based authentication, and automated response, improving detection and prevention of account takeover attempts.

  • The process of account takeover protection before AI relied on manual analysis and reactive measures, resulting in slower detection and response times to unauthorized access attempts.
  • With AI-driven account takeover protection, the process becomes more efficient and proactive as advanced algorithms analyze user behavior, detect anomalies, and automatically respond to potential threats.

Note

The Account Takeover Protection (ATO) risk scoring mechanism is deactivated by default. Activate it in the SAP Customer Data Cloud admin console.

Summary

  • RBA enhances account security by assessing risk levels of login attempts.
  • You can configure RBA rules using templates or create custom rules.
  • RBA offers various security options like CAPTCHA, TFA, and account lockouts.
  • Account Takeover Protection leverages AI/ML to safeguard against malicious attacks.