Authentication Intelligence

Objective

This comprehensive guide describes the actions an enterprise must complete to successfully deploy Authentication Intelligence in their system, test signals, and use the Authentication Intelligence dashboard.

Product Summary

Authentication Intelligence enables enterprises to extend the lifetime of login sessions for good users. A typical web login session usually expires in 30 minutes or an hour. Authentication Intelligence enables implicit login for eligible users, extending the session lifetime to weeks or months without reducing the security of the login session. This provides more conversions with frictionless authentication experience, a better user experience, and reduced customer support costs due to authentication friction.

Note: Native integration with BIG-IP is available starting with version 17.1. BIG-IP customers can use their existing UI to configure and control AP/AI For information, see https://techdocs.f5.com/en-us/bigip-17-1-0/big-ip-distributed-cloud-services-bd-ap-ai.html.

Setup and Deploy Authentication Intelligence

          _imp_apg_r_: {"c":"OUhHYVd4TW5nNXM2SUpmYw==ZZzzNnGYV1hlPlxGjYayN6ba..."}
        

          Output = Base64URL(IV) + Base64URL(CT + TAG)
        

          import base64
from cryptography.hazmat.backends
import default_backend
from cryptography.hazmat.primitives.ciphers import(
Cipher, algorithms, modes
)

def aes_decrypt(key, ciphertext, iv, tag):
	#Construct an AES - GCM Cipher object with the given key and a
	# randomly generated IV.
	decryptor = Cipher(
		algorithms.AES(key),
		modes.GCM(iv, tag),
		backend = default_backend()
	).decryptor()

	# Encrypt the plaintext and get the associated ciphertext.
	# GCM does not require padding.
	plaintext = decryptor.update(ciphertext) + decryptor.finalize()
	return plaintext

def pegasus_aes_decrypt(key, cipher):
	# base64 input is of type 'byte'
	if type(cipher) != bytes:
		cipher = cipher.encode()
	iv = base64.urlsafe_b64decode(cipher[: 24])
	cipher_and_tag = base64.urlsafe_b64decode(cipher[24: ])
	cipher_text = cipher_and_tag[: -16]
	tag = cipher_and_tag[-16: ]# call aes_decrypt to decrypt

	plaintext = aes_decrypt(key, cipher_text, iv, tag)
	print('plain text is %s' % plaintext)
	return plaintext

	# Simple test
	key = b '0123456789abcdef'
	cipher = 'dzZCQUVIaTBPa2FZYkdEQQ==_mzQrFAp-yiP_-pY9rH3aokwPotI'
	pegasus_aes_decrypt(key, cipher)
        

Troubleshoot and Escalation Process

The enterprise should reach out to the Customer Success Team.

Signal Descriptions

Personal infrastructure (device)

Authentication Intelligence uses a concept called Personal Infrastructure which consists of network signals, hardware signals, and software signals, all of which are assessed on a cross-enterprise basis. The Authentication Intelligence documentation uses the terms personal infrastructure and device interchangeably for convenience.

Personal Infrastructure (or device) has three components. Examples of data elements in each of these components include:

• Network signals: IP address and reputation, ASN, geolocation
• Hardware signals: GPU, number of cores, screen size
• Software signals: browser attributes, plugin list, font list

F5 assumes that these and other signals are actively spoofed by attackers. However, Authentication Intelligence never relies on these signals alone to deem a user eligible for session extension. Rather, it uses these signals in conjunction with many others to make its recommendations.

The combination of these signals allows F5 to make strong assertions about legitimate users returning to a given website while operating the same device they had previously used to log in.

Session extension: data used to make recommendation

Authentication Intelligence provides enterprises with a signal as to whether the visitor to a given website should be given an extended session (e.g. 30 days) or a default session (typically 30 minutes). This recommendation comes from three categories of information applied against a given device: history, uniqueness, and integrity. Authentication Intelligence identifies returning legitimate users by answering the following questions about a user and the device they are operating:

• History: Did this user, from this device, successfully log into the website previously?
• Uniqueness: Is this device operated by a single human user?
• Integrity: Does F5 believe this device and account are safe?

If the answers to all of the above are yes, then Authentication Intelligence considers a user for an extended session. The actual model behind session extension is much more complex than this. For example, F5 has model-derived parameters for how much history is required, and takes into account whether the user operates multiple devices. But this provides a high-level summary of the core elements of the system.

Cross-enterprise attestations

As a further check, Authentication Intelligence asks all of the questions above across multiple enterprises that use F5. This group includes approximately 40% of the B2C brands in the Fortune 500, so F5 evaluates history, uniqueness, and integrity across many different types of websites. Importantly, some websites are low-frequency/high-value, such as telco sites, and others are high-frequency/low-value, like quick-serve restaurant sites. A user who has only logged into enterprise A's website once in the prior year might have logged into other F5-protected websites many times in the same time period. Conversely, a device which supports a single user on enterprise A may support multiple users on some other website (this would constitute a “no” to question #2).

At no point does F5 ever share data across enterprises. Affirming or contravening data points simply change the final recommendation Authentication Intelligence makes for a given transaction.

At a very simple level, if any of the questions listed above are untrue on enterprise A’s website, or any other website that uses F5, then Authentication Intelligence will not recommend an extended session. In practice, F5’s model accounts for significant complexity, such as shared computers (hotels, libraries), family environments with multiple users, occasional sharing of a device, and other scenarios. F5 errs strongly on the side of conservatism in these and other scenarios.

Sample data elements of history, uniqueness, and integrity

The three categories described above, which allow Authentication Intelligence to determine when to extend sessions, have many components. Some of the components include:

Signal Testing

Enterprises should adjust their authentication experience based on F5’s signal. F5 provides two cookies configured to generate an eligible and ineligible status. Both cookies enable unit and integration testing.

Test Cookies

The Authentication Intelligence testing cookies are described below:

Dashboard

Overview

This section provides information about accessing and using the Authentication Intelligence Interface & Dashboard, and a brief summary of the visual components.

Access

For access and credentials to the Authentication Intelligence Interface & Dashboard, please contact your technical account manager.

Introduction

The Authentication Intelligence Interface & Dashboard allows customers to view data visualizations which illustrate how session length extensions help rescue customers and create business value.

Views

Authentication Intelligence supports two views: “Before extending sessions” and “After extending sessions”.

• “Before extending session” - This view is available before extensions are enabled. The purpose of this view is to show the value and potential success of recusing customers when sessions are extended.
• “After extending sessions” - This view is only available after extensions are enabled. The purpose of this view is to illustrate the real-world impact and benefit that extending sessions has made to your organization.

Note: Dashboards are built based on F5’s best understanding of enterprises’ deployment and website behavior. Analytical models may require updates if traffic routing or website login experience changes.

Interpreting Data

The Authentication Intelligence interface features three tabs: Conversions & Revenue, Dashboard, and Rescue Customers.

• Conversions & Revenue: Shows real or predicted changes in conversions and revenue over time when session length is modified.
• Dashboard: Dive into user login and conversion behavior when enjoying longer sessions.
• Rescue Customers: Shows user login friction and how would increase session length help frustrated users.

Note: Data will not be present in the Authentication Intelligence interface until 1JS is injected into your organization's web flows and have compliant history for at least 30 days.

You can control the range of data displayed by using the date range picker and the Display Interval menu (when shown).

• Select the date range of interest, and pick a display interval upon which data aggregation will execute.

Before extending sessions

1JS is not present

If your organization hasn’t extended sessions and hasn’t injected 1JS into its web flow, the Authentication Intelligence tabs will be empty. You might see placeholder data like in the screenshot below:

1JS is present

If your organization has injected 1JS into its web flow, but not extended sessions yet, then the Rescue Customers tab will be populated with some data. (The Conversions & Revenue and Dashboard tabs will remain empty until session length is extended.)

• “Users Who Experienced Login Friction”: Includes your organizations customer login data. The component will demonstrate the percentage of customers who experienced login friction including those customers who were never able to log in.
• “Percentage of Users That Can Be Spared Friction”: Percentages of users that can be rescued from login pain - sorted by friction type.
• “Volume of Users That Can Be Spared Friction”: Volumes (raw numbers) of users that can be rescued from login pain - sorted by friction type.
• “Daily Login Friction”: Daily report of known good users experiencing unnecessary pain from login challenges.

After extending sessions

Conversions & Revenue Tab

After sessions are extended, the following components are filled with data:

• “Conversions Over Time”: The amount of additional conversions over a certain period of time that resulted from extending session length.
• “Revenue Over Time”: The amount of additional revenue earned over a certain period of time that resulted from extending session length. "Revenue Over Time" is equal to "Conversions Over Time" multiplied by average transaction amount input by dashboard users.

Dashboard Tab

• “Conversion Lift Over Time”: Compares real-life conversion rates between your users who benefited from session extension and a control group.
• “Users Enjoying Silent Reauthentication”: The amount of users who benefitted from session extension.
• “User Channels”: Users who benefited from session extension by device type (Desktop Web or Mobile Web).

Rescue Customers Tab

• “Rescue Customers”: Summarizes the current rate of users who abandoned logins and experienced friction, and the potential benefit your organization can earn if session lengths are extended over a longer period. The component makes it easy to increase session length and get extra help via hyperlinks in the interface.