You can get a risk recommendation for a sensitive action your users want to perform in a risk moment in order to assess the risk level and respond with the suggested mitigation strategy when needed. Detection and Response code snippets are used to report telemetry and user actions, and you can obtain a recommendation for any action you reported using the Recommendations API. This describes the various recommendations that may be returned, and how you'd use them to protect accounts based on the use case.

Action types

You can ask for recommendations for the following types of actions, performed as part of the customer journey:

  • login
  • register
  • transaction
  • checkout
  • password_reset
  • logout
  • account_details_change
  • account_auth_change
  • withdraw
  • credits_change

Recommendation types

Recommendations tell you how to respond to your user's request to access your application. We create them in real-time by applying our advanced, ML-driven detection capabilities to the given context. This allows us to suggest an accurate approach that protects both your application and the user experience. It also means that we handle all the complexity, so all you need to do is act according to the recommendation we provide.

The following types of recommendations may be returned:

Type Description
trust Trust the activity, extend the session and lower friction (e.g., by not requiring two-factor authentication). This isn't returned in the context of unknown users and devices (e.g., password reset or registration) since it usually relies on data collected over time.
allow Low risk and so no risk mitigation is needed; proceed with the regular flow.
challenge Risk mitigation is required by providing an appropriate challenge based on the use case
deny There's a high risk of malicious activity. Don't proceed with the action, and return a generic error message since you don't want to provide any info the attacker can use to adapt their approach or further their attack.


Risk mitigation can be performed by providing a challenge to the user that elevates the trust. Different challenges are more suitable for different use cases. Below are some examples of how you can challenge users based on the action they want to perform.

Action Challenge
login Second-factor authentication (preferably using strong biometrics).
register Additional means such as ID verification or even an offline manual review.
checkout Second-factor authentication (preferably using strong biometrics), revoke payment method for credit cards or third-party payment providers, re-enter CVV for cards on file, 3DS for transactions based on credit cards, ID verification for high-security cases, or manual review for high-cost checkout
password_reset Email or SMS verification, or have the user contact a Call Center to manually review


Along with the recommendation, reasons are provided to explain why the recommendation was returned and provide transparency. The prefix of the reason indicates the category of reason, and not every reason is applicable to each action and use case. The reasons are relevant for all platforms (Web, Android, iOS) unless stated otherwise.


Recommendations are all you need to make your decisions. You don't need to act on the reasons.

Here are some examples of reasons that may be provided (which may change over time):

Reason Description
BEHAVIOR_BOT Indicates bot activity, such as very fast typing speed or no mouse movement before clicks.
BEHAVIOR_SUSPICIOUS_ATTR Indicates suspicious behavior, such as no apparent input during text insertion or copy-pasting.
DEVICE_ACTION_VELOCITY A high number of actions per time period detected on the device, which indicates abnormal or bot activity.
DEVICE_BOT Indicates bot activity, such as use of a headless web browser or automated interactions.
DEVICE_COOKIE_REUSED Indicates cookie hijacking as an identical device ID was sent from more than one device.
DEVICE_EMULATOR Indicates that a device emulator is being used, such as unexpected mobile attributes or the browser attributes do not match the device's OS.
DEVICE_OLD_VERSION An old, less secure browser version is being used.
DEVICE_ROOTED (iOS and Android only) Indicates that a device has been unlocked and jailbroken to allow access to its configuration.
DEVICE_SPOOFED The device is being spoofed (trying to hide its real identity), as indicated by the use of a modified user agent.
DEVICE_SUSPICIOUS_ATTRIBUTE A suspicious device attribute was detected, such as browser attributes that do not match the device's graphic card.
DEVICE_SUSPICIOUS_NETWORK The browser's timezone does not match the timezone of the source IP's country, which may indicate browser location spoofing.
DEVICE_SUSPICIOUS_VELOCITY Two or more users are using the same device.
DEVICE_TAKEOVER Indicates that a device is being controlled remotely, such as anomalies in user interactions.
DEVICE_TAMPERED (iOS and Android only) Indicates that a device software or hardware has been modified, for example, cloaning apps are deployed or a device has been rooted.
DEVICE_VM Indicates use of a VM, such as when an emulated GPU is detected, there are an odd number of device cores, or the device's screen resolution is unusual.
IP_ACTION_VELOCITY A large number of actions originated from the same IP.
IP_COUNTRY_BLOCKED The device's IP is from a blocked country.
IP_IS_BIZ The device's IP is registered to a business organization.
IP_IS_VPN The device might be using a VPN.
IP_RISKY_REPUTATION Indicates a suspicious IP, such as use of the Tor network or IPs regarded as unsafe.
PROFILE_ACTIVITY_ANOMALY The user activity is considered anomalous for the user’s profile.
PROFILE_DEVICE_ANOMALY The device attributes are considered anomalous for the user’s profile.
PROFILE_DEVICE_FAMILIAR The device is considered to be familiar (for the user profile).
PROFILE_DEVICE_FAMILIAR_MODEL The device model (for example, iPhone 13) is considered to be familiar (a new device that is the same model as a known user's previous device).
PROFILE_DEVICE_NEW The device is considered to be new (for the user profile).
PROFILE_IMPOSSIBLE_TRAVEL The device's location changed faster than possible, for example, a device is located in the UK 15 minutes after it was located in the US.
PROFILE_IP_FAMILIAR The device's IP is considered to be familiar (for the user profile).
PROFILE_LOCATION_ANOMALY The user location is considered anomalous for the user’s profile.
PROFILE_LOCATION_NEW The device's location (determined by IP) is considered to be new.
PROFILE_NETWORK_ANOMALY The user network is considered anomalous for the user’s profile.

Risk signals

Risk signals provide insights on specific indicators such as a proxy or VPN connection being used. You can check what indicators have been verified as well as their state. Unlike reasons that take into account a combination of telemetry data, signals are discrete and focus on specific risk factors.


Recommendations are all you need to make your decisions. You don't need to act on the risk signals.


Here's an example of a challenge recommendation:

  "id": "385cd06b527a974982e0560b67123fe2b1b5a39fd98d8d32cdbaca8ec16fd62d",
  "issued_at": 1648028118123,
  "recommendation": {
    "type": "challenge"
  "risk_score": 73.2,
  "context": {
    "action_id": "885cd06b527a97498200560b67123fe221b5a39fd98d8d22cdb7ca8ec16ed62d",
    "action_type": "login",
    "action_performed_at": 1648028118123,
    "device_id": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIwZGE4ZmZjYy01NmE1LTRmMjgtYThkZi04NDY5MmYwYThmYTAiLCJ2ZXJzaW9uIjoxLCJpYXQiOjE2NTU3OTYzODQ1MzF9.TeGoqlCe_6eWzl9a3-vAumG4Xap8WjwsgcO2-DzGtLg",
    "device_fingerprint": "a3c8f5ea75cb65fcdc3d0452b985f957a46e24afdc912e93dac1e115ecf408e5",
    "user_id": "5c4afa75c",
    "application_id": "ece93f4",
    "device_timezone": "America/Los_Angeles",
    "device_platform": "desktop",
    "os_name": "macOS",
    "browser_name": "Chrome"
  "risk_signals": {
    "device": {
      "incognito": false,
      "tampered": false,
      "emulated": true,
      "spoofed": false,
      "tz_mismatch": true
    "network": {
      "vpn": false,
      "tor": true,
      "hosting": false,
      "proxy": true,
      "anonymizer": false
    "behavior": {
      "typing_velocity": 0.867,
      "input_method": [
      "no_user_interaction": true
  "reasons": [