How does the Verify Trust Solution Work?
Verify Trust is a modular cloud platform that is purpose-built to help organizations protect, detect, and mitigate the risks that are associated with digital identity theft and fraud. It also supports compliance requirements for organizations for user authentication. It is designed to offer a secure user experience that uses the user's digital trail and other data to minimize disruption to the user and build trust throughout the customer journey. Verify Trust relies on a multi-layered approach to identifying risk and trust levels that are associated with user identity.
- It enables the collection of intelligence information from the digital endpoints - that is, the organization’s mobile app, mobile browser, or desktop browsers - and combines the information with IBM® worldwide intelligence sources and complementary third-party intelligence sources.
- It evaluates insights based on these collections. For example:
  - Is this a new device?
  - Is access taking place from a new location for the user?
  - Is the device pending strong authentication?
  - Has the user been a victim of a phishing attack?
  - Is malware present?
  - Does the user's behavior match a known malware pattern?
  - Has the device been identified by Verify Trust as a known fraudulent device or as coming from a risky IP address?
  - Is the device using a hosting service?
  - Do velocity patterns identify two subsequent logins from different locations within a short timeframe or multiple accesses from a suspicious device within a short timeframe?
  - Is access taking place from a virtual machine?
  - Are the behavioral biometrics similar to those of the user?
  - Is there an anomaly in the transaction, such as a risky payee or an unusually high amount?
- It evaluates the risk logic rules in real time and provides a recommendation on how to handle the user's requested action.
Specifically, Verify Trust takes five context domains into consideration when evaluating risk:
- User identity and known or asserted attributes.
- Device information and device hygiene.
- MFA feedback information for device authentication status analysis.
- Environmental factors like location and IP networks.
- Behavioral information that might include comparisons with historical data, application journey analysis, and behavioral biometrics.
When a user accesses the organization’s site, the user’s device and session attributes are remotely collected in addition to the associated account ID. This collected information is used to generate a complex device fingerprint, profile user behavior, tag fraudster devices, detect device spoofing, and identify access with compromised credentials.
Verify Trust also collects information from mobile app interactions to generate a trust/risk assessment for the session based on multiple parameters such as device ID, device risk data, previously compromised credentials, location data, and velocity checks, across web and mobile interactions. Verify Trust correlates this data in real time with other data sources such as real-time malware infection and phishing incidents, information from IBM user devices, and feedback from the organization, to conclusively identify criminal account access.
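The velocity checks mentioned above can be illustrated with a short sketch. This is an added example, not Verify Trust code: the thresholds, the `Login` record and the login events are constructed for illustration, and the burst rule counts accesses from any device rather than only from devices already marked suspicious.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

# Assumed thresholds; the page does not state any values.
MAX_KMH = 900.0                      # about airliner cruising speed
MIN_KM = 50.0                        # ignore geolocation jitter
BURST_WINDOW, BURST_LIMIT = timedelta(minutes=5), 3

@dataclass(frozen=True)
class Login:
    user: str
    device: str
    when: datetime
    lat: float
    lon: float

def haversine_km(a, b):
    """Great-circle distance between two logins in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (a.lat, a.lon, b.lat, b.lon))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def velocity_findings(logins):
    """Return (kind, subject, detail) tuples in event-time order."""
    findings, last_by_user, recent_by_device = [], {}, {}
    for ev in sorted(logins, key=lambda e: e.when):
        prev = last_by_user.get(ev.user)
        if prev is not None:
            km = haversine_km(prev, ev)
            hours = (ev.when - prev.when).total_seconds() / 3600
            # Zero elapsed time over a real distance counts as impossible.
            if km >= MIN_KM and (hours == 0 or km / hours > MAX_KMH):
                findings.append(("impossible_travel", ev.user, round(km)))
        last_by_user[ev.user] = ev
        window = [t for t in recent_by_device.get(ev.device, [])
                  if ev.when - t <= BURST_WINDOW] + [ev.when]
        recent_by_device[ev.device] = window
        if len(window) == BURST_LIMIT:   # report once, when the limit is reached
            findings.append(("device_burst", ev.device, len(window)))
    return findings

T0 = datetime(2024, 1, 1, 12, 0)     # constructed sample data
SAMPLE_LOGINS = [
    Login("alice", "dev-a", T0, 51.5074, -0.1278),                           # London
    Login("alice", "dev-b", T0 + timedelta(minutes=40), 40.7128, -74.0060),  # New York
    Login("bob", "dev-c", T0, 48.8566, 2.3522),
    Login("bob", "dev-c", T0 + timedelta(minutes=1), 48.8566, 2.3522),
    Login("bob", "dev-c", T0 + timedelta(minutes=2), 48.8566, 2.3522),
]
```
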
The existence of Verify Trust is not apparent to users. It works in the background, without the need for downloading executable files or plug-ins to the user's computer. For web applications, Verify Trust relies on a detection snippet, which is a small piece of code that is embedded into the webpage and runs on the user's browser. For mobile applications, the organization’s app uses the IBM Verify Trust Mobile SDK ("Verify Trust Mobile SDK"), which runs on the user's mobile device.
Verify Trust begins detection automatically, immediately after the client-side snippet is integrated into your organization’s webpage or the Verify Trust Mobile SDK into your organization's app. Verify Trust provides end-to-end application monitoring in which synchronous risk calls run automatically based on the user journey, and each risk call is evaluated with deterministic outcomes.
- Endpoint access - the end user accesses the customer's website.
- Page delivery - a page with the embedded snippet is returned.
- Endpoint analysis - snippets communicate with the Verify Trust servers.
- Communication with engine - Verify Trust API communicates with the detection engine.
Before allowing the end user to access the protected application or conduct any risky action that the user requests to do, the backend application initiates a consultation API call to Verify Trust for its real-time recommendation on the session state.
When such an API call is received, Verify Trust correlates information from the current session, previous sessions, and the IBM Security Verify Trust Global Intelligence Network. The response to this API call consists of:
- A risk score that indicates the risk level identified in the session
- A reason code that indicates a reason for a particular score
- A recommendation for the requested action
- A textual description of the reason for a particular recommendation
- A list of all Verify Trust insights about the session.
The API call can optionally include extra information to provide greater context to the requested action.
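One way a backend could enforce the consultation response described above, as an added example that is not IBM's code. The field names (`risk_score`, `reason_code`, `recommendation`, `reason_text`, `insights`) and the recommendation values are hypothetical, since the page lists the response elements but not their wire format.

```python
import json
from enum import Enum

class Action(Enum):
    PROCEED = "proceed"
    STEP_UP = "step_up_mfa"
    BLOCK = "block"

# Hypothetical wire format: the page lists the five response elements but not
# their field names or the recommendation values, so these are assumptions.
REQUIRED = {"risk_score": (int, float), "reason_code": (int, str),
            "recommendation": str, "reason_text": str, "insights": list}
RECOMMENDATIONS = {"allow": Action.PROCEED, "authenticate": Action.STEP_UP,
                   "deny": Action.BLOCK}

def decide(raw_body, mfa_passed=False, fallback=Action.STEP_UP):
    """Map one consultation response to (action, audit_record).

    raw_body is the response text, or None if the call timed out or failed.
    """
    try:
        body = json.loads(raw_body) if raw_body is not None else None
        if not isinstance(body, dict):
            raise ValueError("no usable response")
        for field, types in REQUIRED.items():
            value = body.get(field)
            if isinstance(value, bool) or not isinstance(value, types):
                raise ValueError(f"missing or mistyped field: {field}")
        if body["recommendation"] not in RECOMMENDATIONS:
            raise ValueError("unknown recommendation value")
    except ValueError as exc:
        # Fail closed: a missing or malformed verdict never means "allow".
        return fallback, {"action": fallback.value, "error": str(exc)}

    action = RECOMMENDATIONS[body["recommendation"]]
    # A completed step-up satisfies an "authenticate" verdict, never a "deny".
    if action is Action.STEP_UP and mfa_passed:
        action = Action.PROCEED
    audit = {"action": action.value, "risk_score": body["risk_score"],
             "reason_code": body["reason_code"], "reason_text": body["reason_text"],
             "insights": body["insights"]}
    return action, audit
```

The audit record keeps the reason code and insights next to the enforced action, so a later review can see why a session was challenged or blocked.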
Verify Trust Solution Flow
The Verify Trust solution consists of five phases:
- Collect – The first phase provides the intelligence for the Verify Trust solution. It provides information from the web snippets and from the Verify Trust Mobile SDK. The intelligence provides browser information, device information, connection information, behavioral information, and information about the user’s network environment. It also includes third-party enrichment data such as information from the IBM research network and carrier intelligence, and data received from your IAM system reflecting the MFA results.
- Analyze – This phase includes the security research and information that is provided by Verify Trust. Verify Trust creates a profile for the user based on the user’s history from different sources, such as threat intelligence, third-party data, and data from the user’s devices. As part of this research, threat analysis is combined with the data that is collected by the snippets and Verify Trust Mobile SDK to create automated models to detect:
  - User behavior anomalies
  - Device history anomalies
  - Device reputation and authentication status
  - User history (device and location)
  - Malware and remote access trojans (RAT) activity
  - Device hygiene (for example, malware)
  - Phishing
  - Device and location spoofing
  - Transaction anomalies
- Assess – This phase combines information from the lower layers to provide insights into the identity of the user, by using machine learning, artificial intelligence (AI), and detection models. It uses information about what devices the user normally uses, where the user normally connects from, and so on. The identity insights use the models that are provided by the security research layer to deliver distinct detection results for the elements that are detected by the security research layer. The identity insights are the building blocks from which Verify Trust business solutions are built and are all interconnected to feed and support each other.
- Recommend – This phase describes how to use Verify Trust to provide a risk assessment result for each user and device based on the information that was collected, analyzed, and assessed in the three previous phases.
- Mitigate – This phase describes how you can recover trust or mitigate risks that were identified during the first four phases of the Verify Trust flow. You can use multifactor authentication, dynamic linking for regulatory requirements and extra content for authentication, such as location and transaction information. You can also share this information with Verify Trust to establish a more holistic device profile in our systems, to increase detection, and reduce friction for users.
Supporting Integration with Third-Party IAM Providers
Verify Trust can help you to coordinate the risk assessment that you receive from the risk engine with your work with any third-party identity and access management (IAM) system. This allows you to perform accurate authentication for your users and to leverage the capabilities of both tools in your ecosystem. Verify Trust provides deployment information about how to integrate third-party IAM providers in your deployment.