Recommendations

You can request a risk recommendation for a sensitive action that a user wants to perform at a risk moment, assess the risk level, and respond with the suggested mitigation when needed. Detection and Response code snippets report telemetry and user actions, and you can obtain a recommendation for any reported action using the Recommendations API. This page describes the recommendations that may be returned and how to use them to protect accounts based on the use case.

Action types

You can ask for recommendations for the following types of actions, performed as part of the customer journey:

  • login
  • register
  • transaction
  • checkout
  • password_reset
  • logout
  • account_details_change
  • account_auth_change
  • withdraw
  • credits_change

Custom action types

For efficient data analytics, gathering detailed information on the context of each recommendation-triggering action can be beneficial. For example, if your app supports various login methods (e.g. password, OTP, or biometric-based), tracking recommendations for each login method is more valuable than grouping them under a generic login category. Therefore, to help you gather refined insights to better monitor your app, Mosaic allows you to report and track recommendations for custom actions (Admin Portal > Detection and Response > Configuration > Actions) and organize recommendations in lists.

Essentially, custom actions are aliases you establish as variations of the standard action types. For example, to monitor each login method—as mentioned in the example above—you could create custom actions such as password_login, otp_login, or biometric_login as aliases of the standard login action type.

To obtain recommendations for custom actions, specify them as the action type when triggering action events. Mosaic's ML model classifies custom actions and verifies the match between the triggering action and the configured custom action for each event. For more about reporting actions to trigger recommendations, see our Detection and response guides.

Note

Once you create custom actions, our detection engine refines its ability to detect fraud tactics as user behavior varies, for example, between two different login flows. This provides flexibility in responding to nuanced fraud patterns within varying contexts.

Recommendation types

Recommendations tell you how to respond to your user's request to access your application. We create them in real-time by applying our advanced, ML-driven detection capabilities to the given context. This allows us to suggest an accurate approach that protects both your application and the user experience. It also means that we handle all the complexity, so all you need to do is act according to the recommendation we provide.

The following types of recommendations may be returned:

Type Description
trust Trust the activity, extend the session and lower friction (e.g., by not requiring two-factor authentication). This isn't returned in the context of unknown users and devices (e.g., password reset or registration) since it usually relies on data collected over time.
allow Low risk and so no risk mitigation is needed; proceed with the regular flow.
challenge Risk mitigation is required by providing an appropriate challenge based on the use case.
deny There's a high risk of malicious activity. Don't proceed with the action, and return a generic error message since you don't want to provide any info the attacker can use to adapt their approach or further their attack.

Challenges

Risk mitigation can be performed by providing a challenge to the user that elevates the trust. Different challenges are more suitable for different use cases. Below are some examples of how you can challenge users based on the action they want to perform.

Action Challenge
login Second-factor authentication (preferably using strong biometrics).
register Additional means such as ID verification or even an offline manual review.
checkout Second-factor authentication (preferably using strong biometrics), revoke payment method for credit cards or third-party payment providers, re-enter CVV for cards on file, 3DS for transactions based on credit cards, ID verification for high-security cases, or manual review for high-cost checkout.
password_reset Email or SMS verification, or have the user contact a Call Center for a manual review.

Reasons

When a recommendation is returned, the reasons are also provided to explain why the recommendation was returned and provide transparency. The calculation of the risk score also relies on the combination of reasons that contribute to the risk assessment. With filters, you can assess risk over time and track past recommendations, for example, to check previous recommendation reasons issued for the same device.

Top reasons are listed in the recommendation details. The first reason in the list is considered the most important and carries more weight than the others. Hover over each reason to see the detected reason codes. You can fine-tune the weight allocated to each reason in this calculation (see Fine-tune detection sensitivity) or enforce rules overriding recommendations. Below are some example reasons:

Reason code Description
BEHAVIOR_INHUMAN_INPUT Indicates a non-human interaction has been detected due to very low variance between typing actions.
DEVICE_IMPOSSIBLE_TRAVEL The device's location changed faster than possible, for example, a device is located in the UK 15 minutes after it was located in the US.
PROFILE_LOCATION_FAMILIAR The user location is the same for more than 30 days.

The reasons might be empty if there is no data matching risk or trust indicators—for example, for a new user account with no geolocation or network risks detected. For recommendations impacted by rules, the top reason will be a recommendation enforced by a rule (for example, Allow).

Risk signals

Risk signals provide insights on specific indicators such as a proxy or VPN connection being used. You can check what indicators have been verified as well as their state. Unlike reasons that take into account a combination of telemetry data, signals are discrete and focus on specific risk factors.

Note

Recommendations are all you need to make your decisions. You don't need to act on the risk signals.

Context

The context identifies the environment and the setup in which the action occurred, for example, the browser name and version, application name, IP address of the country, and other characteristics. Device identifiers included in the context help attribute and recognize devices based on their unique characteristics (device fingerprint, device ID, and device public key).

Transaction data

Transaction data contains additional details related to payment actions, for example, the payee, currency, and amount.

Example

Here's an example of a challenge recommendation:

{
  "id": "385cd06b527a974982e0560b67123fe2b1b5a39fd98d8d32cdbaca8ec16fd62d",
  "issued_at": 1648028118123,
  "recommendation": {
    "type": "challenge"
  },
  "risk_score": 73.2,
  "context": {
    "action_id": "885cd06b527a97498200560b67123fe221b5a39fd98d8d22cdb7ca8ec16ed62d",
    "action_type": "login",
    "action_performed_at": 1648028118123,
    "device_id": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIwZGE4ZmZjYy01NmE1LTRmMjgtYThkZi04NDY5MmYwYThmYTAiLCJ2ZXJzaW9uIjoxLCJpYXQiOjE2NTU3OTYzODQ1MzF9.TeGoqlCe_6eWzl9a3-vAumG4Xap8WjwsgcO2-DzGtLg",
    "device_fingerprint": "a3c8f5ea75cb65fcdc3d0452b985f957a46e24afdc912e93dac1e115ecf408e5",
    "device_public_key": "xbrgczakydtjkdndzaaa",
    "device_timestamp": 1726733429054,
    "user_id": "5c4afa75c",
    "application_id": "ece93f4",
    "device_timezone": "America/Los_Angeles",
    "device_platform": "desktop",
    "os_name": "macOS",
    "browser_name": "Chrome"
  },
  "risk_signals": {
    "device": {
      "incognito": false,
      "tampered": false,
      "emulated": true,
      "spoofed": false,
      "tz_mismatch": true
    },
    "network": {
      "vpn": false,
      "tor": true,
      "hosting": false,
      "proxy": true,
      "anonymizer": false
    },
    "behavior": {
      "typing_velocity": 0.867,
      "input_method": [
        "is_paste"
      ],
      "no_user_interaction": true
    }
  },
  "reasons": [
    "BEHAVIOR_BOT",
    "IP_RISKY_REPUTATION",
    "DEVICE_SUSPICIOUS_PLATFORM",
    "PROFILE_DEVICE_NEW"
  ]
}
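
The following is an added example, not code from Mosaic or its documentation, showing one way a backend could act on a recommendation object shaped like the one above, following the Recommendation types and Challenges sections. The function name, the alias map, the fallback challenge, the generic error text and the fail-closed handling of unexpected values are assumptions made for illustration.

```python
# Challenge per action, from the Challenges table (first option listed for each).
CHALLENGES = {
    "login": "second_factor",
    "register": "id_verification",
    "checkout": "second_factor",
    "password_reset": "email_or_sms_verification",
}
# Hypothetical custom-action aliases, mirroring the custom actions example.
ALIASES = {"password_login": "login", "otp_login": "login", "biometric_login": "login"}
# Actions for which the page says "trust" is not returned.
NO_TRUST = {"register", "password_reset"}
GENERIC_ERROR = "Something went wrong. Please try again later."  # assumed wording


def decide(recommendation: dict) -> dict:
    """Map a recommendation object to what the app does and what the client sees."""
    rec_type = (recommendation.get("recommendation") or {}).get("type")
    action = (recommendation.get("context") or {}).get("action_type", "")
    action = ALIASES.get(action, action)
    # Reasons and score go to the server-side audit record only, never to the client.
    audit = {"id": recommendation.get("id"), "type": rec_type,
             "reasons": recommendation.get("reasons", []),
             "risk_score": recommendation.get("risk_score")}

    if rec_type == "trust" and action not in NO_TRUST:
        return {"proceed": True, "extend_session": True, "client": {"status": "ok"}, "audit": audit}
    if rec_type in ("allow", "trust"):
        # "trust" for register/password_reset is unexpected: handle as plain allow (assumption).
        return {"proceed": True, "extend_session": False, "client": {"status": "ok"}, "audit": audit}
    if rec_type == "challenge":
        # Assumption: actions without a row in the table fall back to a second factor.
        challenge = CHALLENGES.get(action, "second_factor")
        return {"proceed": False, "extend_session": False,
                "client": {"status": "challenge", "challenge": challenge}, "audit": audit}
    # "deny", or a missing/unknown type: fail closed with a generic message only.
    return {"proceed": False, "extend_session": False,
            "client": {"status": "error", "message": GENERIC_ERROR}, "audit": audit}


# Constructed sample, trimmed from the response shape shown above.
SAMPLE = {"id": "constructed-sample-id", "recommendation": {"type": "challenge"}, "risk_score": 73.2,
          "context": {"action_type": "login"}, "reasons": ["BEHAVIOR_BOT", "IP_RISKY_REPUTATION"]}

if __name__ == "__main__":
    print(decide(SAMPLE)["client"])
```

Only the `client` part of the result is meant to leave the server; the `audit` part keeps the reasons and score for later review.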