How to Use Device and Location for 2FA

Leverage contextual information to implement intelligent authentication workflows in the Gluu Server.

Two-factor authentication (2FA) is proven to increase account security, but it also adds friction to the user experience.

Frequently 2FA is best employed only when there’s a reasonable likelihood of fraud–for example, if the user’s device or IP address is unrecognized.

To implement custom policies and logic for authentication in the Gluu Server, you can use person authentication scripts. In fact, this specific policy, i.e. checking for unrecognized devices and locations, is supported OOTB in our self-service 2FA product, Casa.

But this type of policy can be implemented in any authentication script. And in this short tutorial, we’ll dissect the Casa interception script to show how you can apply similar policies in your own scripts. 

Device details

The default Gluu login page template uses the platform detection library, bestie.js, to gather operating system and browser details (i.e. device details) for each user authenticating at the service:

In the script, the user’s device data is grabbed and stored in a hidden form field:

 Which is then parsed by the interception script:

Now we have the user’s device information.

Geo-location details

To get the user’s geo-location, we call the IP-API service in the script:

And now we have the user’s country and city available in the server for further processing..

Enforcing 2FA policies

Now we can use the above data to enforce 2FA policies.

In the Casa script, you can see the device and location-related 2FA policies here and here, respectively:

Upon a successful login, the newly trusted device and/or location data is added to the attribute oxTrustedDevicesInfo:

So now, if the policy is to only enforce 2FA when an unrecognized device or location is detected, the user won’t be prompted again when authenticating from the same device and/or location. 

And that’s it! 

Put this strategy to use in one of your authentication scripts to increase security without negatively impacting user experiences.

Have you deployed Gluu?