
Account takeover protection

Rupt offers a comprehensive account takeover protection solution. Rupt detects when an account is accessed from a new device or geo-location, or is being used in an unusual way, and recommends whether you should challenge or block the login attempt.

This feature operates under the Zero Trust security model: none of the information Rupt holds about devices or accounts is exposed to the client. The browser only receives an opaque fingerprint hash array, which it hands to your server; your server completes the identification by sending that hash to Rupt together with the login details.

How to use Rupt for account takeover protection

Browser side

  1. Install the Rupt Browser SDK:
yarn add rupt
# OR
npm install rupt
  2. Include the Rupt Browser SDK on the authentication page:
import Rupt from "rupt";

Or include the Rupt Browser SDK from a CDN:

<script src="https://cdn.rupt.com/browser/latest/rupt.js"></script>
  3. Call the getHash method from the browser SDK:
const fingerprintHash = await Rupt.getHash();

This returns a fingerprint hash array that identifies the browser. Send it to your server as part of the authentication request (for example, alongside the credentials in the login POST) so the server can pass it to Rupt as the fingerprint field. Because it originates in the browser it is attacker-controlled input: treat it as a risk signal for Rupt to evaluate, not as proof of the user's identity. For more information, see retrieve a device hash.


Server side

  1. Include the Rupt Node SDK:
yarn add @ruptjs/core
# OR
npm install @ruptjs/core
  2. Initialize the Rupt Node SDK with your project API secret (keep the secret on the server; never ship it to the browser):
import Rupt from "@ruptjs/core";
const rupt = new Rupt("API_SECRET");

  3. Call the evaluate method from the Node SDK with the login action, the fingerprint hash received from the browser, and the other user information available in your authentication flow:

const res = await rupt.evaluate({
  action: "login",
  user: "USER_ID",
  fingerprint: REQUEST_HASH, // the hash the browser SDK returned, forwarded by your login request
  ip: "IP_ADDRESS",
  email: "EMAIL",
  phone: "PHONE",
  metadata: {
    key: "value",
  },
});

Or call the REST API directly:

curl -X POST https://api.rupt.com/v2/devices/evaluate \
  -H "Authorization: Bearer API_SECRET" \
  -H "Content-Type: application/json" \
  -d '{"action": "login", "user": "USER_ID", "fingerprint": "REQUEST_HASH", "ip": "IP_ADDRESS", "email": "EMAIL", "phone": "PHONE", "metadata": {"key": "value"}}'

  4. Rupt returns a response that looks like this:

{
  "verdict": "challenge",
  "fingerprint_id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
  "reasons": ["new_device", "new_ip"],
  "challenge_id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
}

The verdict is one of challenge, allow, restrict, challenge_and_restrict, or deny. Handle every value explicitly, and treat any value you do not recognize as deny. The challenge_id can be used to perform a two-factor authentication challenge with the send challenge code method. For more information, see send a challenge code.

  5. If the verdict is challenge, a challenge_id is returned. Using the challenge_id from the evaluate response, send the challenge code to the user and wait for the response:

const { challenge_id } = res;
await rupt.sendChallengeCode(challenge_id);

Or call the REST API directly:

curl -X POST https://api.rupt.com/v2/challenges/CHALLENGE_ID/send \
  -H "Authorization: Bearer API_SECRET" \
  -H "Content-Type: application/json"

This sends a challenge code to the user. For more information, see send a challenge code.

  6. With the challenge code provided by the user, verify the response:

const { success } = await rupt.verifyChallengeCode(challenge_id, code);

Or call the REST API directly:

curl -X POST https://api.rupt.com/v2/challenges/CHALLENGE_ID/verify \
  -H "Authorization: Bearer API_SECRET" \
  -H "Content-Type: application/json" \
  -d '{"code": "123456"}'

For more information, see verify a challenge code.

  7. Complete the challenge after a successful verification. This tells Rupt that the device and location have been confirmed, so the user is not asked to verify a challenge code again for the same reasons. You can use the completeChallenge method:

const { success } = await rupt.completeChallenge(challenge_id);

Or call the REST API directly:

curl -X POST https://api.rupt.com/v2/challenges/CHALLENGE_ID/complete \
  -H "Authorization: Bearer API_SECRET" \
  -H "Content-Type: application/json"

For more information, see complete a challenge.
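Putting the server-side steps together, here is an added example (not Rupt's own code, and not taken from this page) of a login handler that drives the evaluate, send, verify and complete calls in order and maps each documented verdict to a decision. It assumes only that the client object exposes the four methods shown above, so `new Rupt("API_SECRET")` from @ruptjs/core could be passed in; the FakeRupt class, its verdict rules, the fixed code 123456 and the "blocked-user" account are constructed stand-ins so the file runs offline, and the fingerprint and code format checks, the fail-closed default and the treatment of restrict as a flag for the caller are the author's assumptions, not Rupt's documented behaviour.

```javascript
// Added example, not Rupt's code: drives evaluate -> sendChallengeCode ->
// verifyChallengeCode -> completeChallenge through any client exposing those
// four methods. FakeRupt below is a constructed offline stand-in.

const UUID_RE = /^[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$/i;

// The fingerprint comes from the browser and is attacker-controlled, so bound its
// shape before forwarding it. Assumption: an opaque printable string, or an array
// of such strings (the page calls it a "hash array").
function isPlausibleFingerprint(fp) {
  const parts = Array.isArray(fp) ? fp : [fp];
  return parts.length > 0 && parts.length <= 16 && parts.every(
    (p) => typeof p === "string" && p.length > 0 && p.length <= 512 && /^[\x21-\x7e]+$/.test(p));
}

// Steps 3-5: evaluate the login and map every documented verdict to a decision.
// Unknown verdicts fail closed. "restrict" is surfaced as a flag; what a
// restricted session may do is application policy (assumption, not defined by Rupt here).
async function evaluateLogin(rupt, { userId, fingerprint, ip, email, phone }) {
  if (!isPlausibleFingerprint(fingerprint)) return { status: "deny", reasons: ["bad_fingerprint"] };
  const res = await rupt.evaluate({ action: "login", user: userId, fingerprint, ip, email, phone });
  const reasons = Array.isArray(res.reasons) ? res.reasons : [];
  switch (res.verdict) {
    case "allow":    return { status: "allow", restricted: false, reasons };
    case "restrict": return { status: "allow", restricted: true, reasons };
    case "challenge":
    case "challenge_and_restrict": {
      // Only a well-formed challenge_id is ever sent on and echoed back to the browser.
      if (!UUID_RE.test(String(res.challenge_id))) return { status: "deny", reasons: ["missing_challenge_id"] };
      await rupt.sendChallengeCode(res.challenge_id);
      return { status: "challenge", challengeId: res.challenge_id,
               restricted: res.verdict === "challenge_and_restrict", reasons };
    }
    case "deny":     return { status: "deny", reasons };
    default:         return { status: "deny", reasons: ["unknown_verdict"] };
  }
}

// Steps 6-7: verify the code the user typed, then complete the challenge so the
// same device/IP is not challenged again. Assumption: codes are 4-8 digits.
async function finishChallenge(rupt, challengeId, code) {
  if (!UUID_RE.test(String(challengeId)) || !/^\d{4,8}$/.test(String(code))) {
    return { status: "deny", reasons: ["bad_input"] };
  }
  const verified = await rupt.verifyChallengeCode(challengeId, code);
  if (!verified.success) return { status: "deny", reasons: ["bad_code"] };
  const completed = await rupt.completeChallenge(challengeId);
  return completed.success ? { status: "allow", reasons: [] } : { status: "deny", reasons: ["complete_failed"] };
}

// Constructed stand-in for the Rupt client: remembers which (user, fingerprint)
// and (user, ip) pairs it has seen and challenges anything new. The OTP is fixed
// at "123456" (the value in the page's curl example) so the demo is deterministic.
class FakeRupt {
  constructor() { this.known = new Set(); this.challenges = new Map(); this.seq = 1; }
  _id() { return `00000000-0000-4000-8000-${String(this.seq++).padStart(12, "0")}`; }
  async evaluate({ user, fingerprint, ip }) {
    if (user === "blocked-user") return { verdict: "deny", reasons: ["blocklisted"] };
    const fpKey = `${user}|fp|${JSON.stringify(fingerprint)}`, ipKey = `${user}|ip|${ip}`;
    const reasons = [];
    if (!this.known.has(fpKey)) reasons.push("new_device");
    if (!this.known.has(ipKey)) reasons.push("new_ip");
    if (reasons.length === 0) return { verdict: "allow", fingerprint_id: this._id(), reasons };
    const challenge_id = this._id();
    this.challenges.set(challenge_id, { keys: [fpKey, ipKey], sent: false, verified: false });
    return { verdict: "challenge", fingerprint_id: this._id(), reasons, challenge_id };
  }
  async sendChallengeCode(id) { this.challenges.get(id).sent = true; return { challenge_id: id }; }
  async verifyChallengeCode(id, code) {
    const c = this.challenges.get(id);
    const success = Boolean(c && c.sent && code === "123456");
    if (success) c.verified = true;
    return { success };
  }
  async completeChallenge(id) {
    const c = this.challenges.get(id);
    if (!c || !c.verified) return { success: false };
    c.keys.forEach((k) => this.known.add(k));
    return { success: true };
  }
}

// Walks a first login (challenged), a wrong then a right OTP, and a repeat login
// from the same device/IP, which is allowed without a further challenge.
async function demo() {
  const rupt = new FakeRupt();
  const login = { userId: "user-1", fingerprint: "a1b2c3d4", ip: "203.0.113.7", email: "u@example.com", phone: "+15550100" };
  const first = await evaluateLogin(rupt, login);
  const wrong = first.status === "challenge" ? await finishChallenge(rupt, first.challengeId, "000000") : null;
  const right = first.status === "challenge" ? await finishChallenge(rupt, first.challengeId, "123456") : null;
  const second = await evaluateLogin(rupt, login);
  return { first, wrong, right, second };
}
```

In a real deployment, `evaluateLogin` runs inside the login request handler after the password check, and `finishChallenge` runs in the handler that receives the code the user typed; only the `challengeId` ever travels back to the browser between the two calls, never the API secret or the raw evaluate response.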