Escolar Documentos
Profissional Documentos
Cultura Documentos
(On-Premise) 7.1
Workflows and Processes Guide
Contact Information
Go to the RSA corporate website for regional Customer Support telephone and fax numbers:
www.emc.com/domains/rsa/index.htm
Trademarks
RSA, the RSA Logo, and EMC are either registered trademarks or trademarks of EMC Corporation in the United States
and/or other countries. All other trademarks used herein are the property of their respective owners. For a list of EMC
trademarks, go to www.emc.com/legal/emc-corporation-trademarks.htm#rsa.
License Agreement
This software and the associated documentation are proprietary and confidential to EMC, are furnished under license, and
may be used and copied only in accordance with the terms of such license and with the inclusion of the copyright notice
below. This software and the documentation, and any copies thereof, may not be provided or otherwise made available to any
other person.
No title to or ownership of the software or documentation or any intellectual property rights thereto is hereby transferred. Any
unauthorized use or reproduction of this software and the documentation may be subject to civil and/or criminal liability.
This software is subject to change without notice and should not be construed as a commitment by EMC.
Note on Encryption Technologies
This product may contain encryption technology. Many countries prohibit or restrict the use, import, or export of encryption
technologies, and current use, import, and export regulations should be followed when using, importing or exporting this
product.
Distribution
Use, copying, and distribution of any EMC software described in this publication requires an applicable software license.
EMC believes the information in this publication is accurate as of its publication date. The information is subject to change
without notice.
THE INFORMATION IN THIS PUBLICATION IS PROVIDED "AS IS." EMC CORPORATION MAKES NO
REPRESENTATIONS OR WARRANTIES OF ANY KIND WITH RESPECT TO THE INFORMATION IN THIS
PUBLICATION, AND SPECIFICALLY DISCLAIMS IMPLIED WARRANTIES OF MERCHANTABILITY OR
FITNESS FOR A PARTICULAR PURPOSE
Copyright 2013 EMC Corporation. All Rights Reserved. Published in the USA.
July 2013
RSA Adaptive Authentication (On-Premise) 7.1 Workflows and Processes Guide
Preface
Preface 3
RSA Adaptive Authentication (On-Premise) 7.1 Workflows and Processes Guide
Release Notes. Provides information about what is new and changed in this
release, as well as workarounds for known issues. It also includes the supported
platforms and work environments for platform certifications. The latest version of
the Release Notes is available on RSA SecurCare Online at
https://knowledge.rsasecurity.com.
Security Best Practices Guide. Provides recommendations for configuring your
network and RSA Adaptive Authentication (On-Premise) securely.
Web Services API Reference Guide. Describes RSA Adaptive Authentication
(On-Premise) web services API methods and parameters. This guide also
describes how to build your own web services clients and applications using web
services API to integrate and utilize the capabilities of Adaptive Authentication
(On-Premise).
Whats New. Highlights new features and enhancements in
RSA Adaptive Authentication (On-Premise) 7.1.
Workflows and Processes Guide. Describes the workflows and processes that
allow end users to interact with your system and that allow your system to interact
with RSA Adaptive Authentication (On-Premise).
4 Preface
RSA Adaptive Authentication (On-Premise) 7.1 Workflows and Processes Guide
Contents
Preface................................................................................................................................... 3
About This Guide................................................................................................................ 3
RSA Adaptive Authentication (On-Premise) Documentation.......................................... 3
Support and Service ............................................................................................................ 4
Before You Call Customer Support............................................................................. 4
Contents 5
RSA Adaptive Authentication (On-Premise) 7.1 Workflows and Processes Guide
6 Contents
RSA Adaptive Authentication (On-Premise) 7.1 Workflows and Processes Guide
Contents 7
RSA Adaptive Authentication (On-Premise) 7.1 Workflows and Processes Guide
8 Contents
RSA Adaptive Authentication (On-Premise) 7.1 Workflows and Processes Guide
Types of Workflows
Main Workflows. Allow end users to safely sign in and make transactions in your
system.
Dependent Workflows. Allow end users to perform additional activities in your
system and allow you to interact with the Adaptive Authentication system.
Customer Service Workflows. Allow customer support representative to help
users with accounts.
Credential Workflows. Specific to different credential types. For more
information, see Chapter 9, Extra Credential Workflow.
Main Workflows
The following table describes the main workflows that allow end users to safely sign
in and make transactions in your system.
Dependent Workflows
The following table describes dependent workflows that support the main workflows.
These workflows allow end users to perform additional activities in your system and
allow you to interact with the Adaptive Authentication system.
Sign in Types
The table below describes sign in types that relate to the various workflows.
Sign in and Risk-based Authentication Authenticates users based on several factors, such as
network information, user information, positive device
identification, and user profiling.
Users with high risk scores are challenged.
(Optional) High-risk user logons can be flagged for
review in the Case Management application by
defining the policy action of the rule in the Policy
Management application. For more information, see
the Back Office Users Guide.
Sign in and Positive Device Identification Only Authenticates users based primarily on device binding.
Other authentication factors include network
information and user information.
Users who use a new device are often challenged.
Users can register (bind) devices after they
successfully pass the challenge.
Transaction Behaviors
The table below describes transaction types that relate to the various workflows.
Transaction Authentication Challenges users when there are suspicious transaction events.
Both logon and payment events can be received.
(Optional) Case creation based on institution policies.
2 Authentication Workflow
The authentication workflow allows a user to log on or perform an activity with a web
application portal. The RSA Adaptive Authentication (On-Premise) system
authenticates the user to determine if the user poses a potential risk.
If the risk score is low, the user is allowed to continue.
If the risk score is high, one of the following occurs:
The user is prompted to enter extra credential information to prove identity.
The user is denied access to the system if the risk is assessed as too high.
Potentially risky logons or transactions are flagged based on the action in the triggered
policies. The flagged events are sent to the Case Management application where the
events can be reviewed by fraud analysts. For more information, see the Back Office
Users Guide.
Preconditions:
The user state is VERIFIED.
The user has an account with the website of the organization. The user is enrolled
and is verified.
2: Authentication Workflow 13
RSA Adaptive Authentication (On-Premise) 7.1 Workflows and Processes Guide
The following figure illustrates the general message flow during an authentication
procedure. Out-of-band email authentication has been used in this example.
6. Calculate the
risk score and
apply policies
7. Respond with the recommended action and
available challenge methods
(In this example, high risk score is generated and the user is challenged)
8. Call Challenge
Authentication Workflow:
1. The user requests to log on or initiates a transaction to the organizations web
application.
2. The organizations web application displays the logon or transaction page.
3. The data-gathering JavaScript executes as the logon page loads and collects the
device data, like the IP address, browser information, fingerprint,
deviceTokenCookie, and deviceTokenFSO.
4. The user enters the logon or transaction details and clicks the submit button. The
device data is sent along with the event data.
5. The organization verifies the user credentials.
14 2: Authentication Workflow
RSA Adaptive Authentication (On-Premise) 7.1 Workflows and Processes Guide
6. The web application of the organization sends an analyze request message. The
device data is passed along with the user details.
The analyze request must include the device data, browser information, IP
address, user name, user type, action type, and event type.
For sample SOAP message, see Analyze SOAP Request for OOB Email on
page 107.
7. The information in the analyze request is processed by the RSA Risk Engine, and
a risk score is calculated.
8. The Adaptive Authentication system sends an analyze response with the
recommended policy action and the options for secondary authentication. In this
example, challenge questions are used.
For a sample SOAP message, see Analyze SOAP Response for OOB Email on
page 108.
9. The website sends a challenge request to retrieve information for secondary
authentication. In this example, secondary authentication is done by challenge
questions.
The challenge request must include the device data, browser information, IP
address, sessionId, transactionId, and challenge details.
For sample SOAP message, see Challenge SOAP Request for OOB Email on
page 109.
10. The Adaptive Authentication system sends a challenge response with the
questions.
For a sample SOAP message, see Challenge SOAP Response for OOB Email
on page 110.
11. The web application of the organization prompts the user for secondary
authentication.
12. The user enters the answer and clicks the submit button.
The device forensic data must be sent along with the user's answers.
13. The web application of the organization sends the authenticate request message.
The device forensic data is passed along with the users answers.
The authenticate request must include the device data, browser information, IP
address, sessionId, transactionId, and answer to the challenge.
For a sample SOAP message, see Authenticate SOAP Request for OOB Email
on page 111.
2: Authentication Workflow 15
RSA Adaptive Authentication (On-Premise) 7.1 Workflows and Processes Guide
14. The Adaptive Authentication system sends an authenticate response with the
authentication status. In this example, the user is successfully authenticated.
For a sample SOAP message, see Authenticate SOAP Response for OOB Email
(Success) on page 113.
15. The secure page is displayed to the user. (Optional) The user may choose to bind
the device.
16 2: Authentication Workflow
RSA Adaptive Authentication (On-Premise) 7.1 Workflows and Processes Guide
Preconditions:
The user state is VERIFIED.
The user has an account with the website of the organization.
The following figure illustrates the message flow during the logon monitoring
procedure. Each step involved in this procedure is described in the sections that
follow.
1. Request logon
4. The user enters the user credentials and clicks the submit button. The device
forensic data is sent along with the user credentials.
5. The organization verifies the user credentials.
6. If the user authentication is successful, the website of the organization sends the
analyze request message. The device forensic data is passed along with the user
details.
The following elements must be included in the SOAP message:
ANALYZE request:
genericActionTypes=GET_USER_STATUS/GET_PHRASE devicePrint,
ipAddress, userName, userType, eventType=SESSION_SIGNIN,
riskType=ALL
Note: If the user authentication fails, your application must call the notify
request and pass the user and device forensic data to the Adaptive
Authentication system for anti-phishing purposes. For example,
NOTIFY request: eventType=FAILED_LOGIN_ATTEMPT,
devicePrint, ipAddress
7. The Risk Engine processes the information in the analyze request and applies
policies.
8. The Adaptive Authentication system sends an analyze response with the result.
Some of the following analyze response elements are returned in the SOAP
message:
ANALYZE response: deviceToken, actionCode=ALLOW
9. The secure page is displayed to the user.
Preconditions:
The user state is VERIFIED.
The user has successfully logged on to the website of the organization.
The following figure illustrates the general message flow during the transaction
authentication procedure. Challenge questions authentication has been used in this
example. Each step involved in this procedure is described in the sections that follow.
1. Initiate transaction
8. Call Challenge
10. Challenge user for secondary authentication (In this example, challenge questions are used)
5 Enrollment Workflow
Enrollment is the process of registering a new user on the RSA Adaptive
Authentication (On-Premise) system. Enrollment is also referred to as initial data
collection. During enrollment, a user is prompted to enter or choose from the
following enrollment options:
Challenge questions
Contact information, such as phone number or email address for out-of-band
credentials
Other credential information
Preconditions:
The user state is NOTENROLLED or UNVERIFIED.
The user has been chosen for enrollment by the organization.
The user has an account with the website of the organization.
The Risk Engine is enabled.
The Risk Engine has been trained by loading historical data or by using the system
in silent mode for at least two months.
5: Enrollment Workflow 23
RSA Adaptive Authentication (On-Premise) 7.1 Workflows and Processes Guide
The following figure illustrates the message flow during the collection procedure for
enrollment. Each step involved in this procedure is described in the section that
follow.
Note: The organization must verify the transaction as non-risky before proceeding
with the collection procedure.
Enrollment workflow
1. The user requests to log on to the website of the organization.
2. The website prompts the user to enter the user name and password.
24 5: Enrollment Workflow
RSA Adaptive Authentication (On-Premise) 7.1 Workflows and Processes Guide
3. The data-gathering JavaScript executes as the logon page loads and collects the
device data, like the IP address, browser information, fingerprint,
deviceTokenCookie, and deviceTokenFSO.
4. The user enters the user credentials and clicks the submit button. The device
forensic data is sent along with the user credentials.
5. The organizations web application verifies the user credentials.
6. If the user authentication fails, the application must send a request message to the
notify method and pass the user and device forensic data to the Adaptive
Authentication system for anti-phishing purposes.
The notify request must include the event type, device data, browser information,
and IP address.
7. If the user authentication is successful the organizations web application sends
the analyze request message. The device forensic data is passed along with the
user details.
The analyze request must contain the device data, browser information, IP
address, user name, user type, and event type.
For a sample SOAP message, see Analyze SOAP Request for OOB Email on
page 107.
8. The Risk Engine processes the information in the analyze request and applies
policies.
9. The Adaptive Authentication system sends an analyze response with the
recommended policy action. In this example, the user is allowed to continue the
enrollment process.
For a sample SOAP message, see Analyze SOAP Response for OOB Email on
page 108.
10. The user is directed to the secure page with a link to the Enrollment page.
Optionally, the Enrollment page may be automatically displayed to users who are
not yet enrolled.
11. The user clicks on the enrollment link.
12. The website of the organization sends a createUser request to create a record for
the user.
The createUser request must include the device data, browser information, IP
address, action type, and challenge question action type.
For a sample SOAP message, see Create User SOAP Request for OOB Email
on page 103.
13. The Adaptive Authentication system sends a createUser response with challenge
questions.
For a sample SOAP message, see Create User SOAP Response for OOB Email
on page 104.
14. The form in which to enter the enrollment details is displayed to the user.
The web application allows the user to choose from several different enrollment
options determined by the organization.
5: Enrollment Workflow 25
RSA Adaptive Authentication (On-Premise) 7.1 Workflows and Processes Guide
15. The user enters the enrollment details. For example, the user selects the challenge
questions and enters the answers.
16. The user reviews the selections and the information entered and then confirms
enrollment. The enrollment data is submitted to the website of the organization.
17. The website of the organization sends the updateUser request message. The
Adaptive Authentication system updates the user record in the database.
The updateUser request must include the device data, browser information, IP
address, user status, and challenge question action type.
For a sample SOAP message, see Update User SOAP Request for OOB Email
on page 105.
18. The Adaptive Authentication system returns the update confirmation.
For a sample SOAP message, see Update User SOAP Response for OOB Email
on page 106.
19. The main page of the organizations web application is displayed to the user.
Postconditions:
The user state is VERIFIED.
(Optional) The user device is bound if selected by the user.
26 5: Enrollment Workflow
RSA Adaptive Authentication (On-Premise) 7.1 Workflows and Processes Guide
Important: Make sure to send as much information as possible using the notify
method.
Preconditions:
The user has successfully logged on to the website of the organization.
The following figure illustrates the message flow during the transaction monitoring
procedure. Each step involved in this procedure is described in the sections that
follow.
1. Initiate transaction
3. The data-gathering JavaScript executes as the page loads and collects the device
forensic data, deviceTokenCookie, and deviceTokenFSO.
4. The user enters the transaction details and clicks the submit button. The device
forensic data is sent along with the transaction details.
5. The website of the organization sends the analyze request message. The device
forensic data is passed along with the user details.
The analyze request must contain the device data, browser information, IP
address, user name, user type, action type, and event type.
For a sample SOAP message, see Analyze SOAP Request for OOB Email on
page 107.
6. The Risk Engine processes the information in the analyze request and applies
policies.
7. The Adaptive Authentication system sends an analyze response with the result.
For a sample SOAP message, see Analyze SOAP Response for OOB Email on
page 108.
8. The transaction success page is displayed to the user regardless of the
recommended policy action.
7 ATM Monitoring
The ATM protection module focuses on monitoring ATM activities. The workflows
for this module track logon and monetary transactions. The workflows are designed to
allow you to observe user logon or transaction activity and calculate a risk score for
each activity while being transparent to the user.
In these workflows, the RSA Adaptive Authentication (On-Premise) system receives
information from the ATM server. Specifically, this server collects ATM activity
information for transfer to the Risk Engine.
ATM activity information is loaded into the Adaptive Authentication system by using
either the on-line SOAP API or the Batch Loader utility. For more information about
the application of the Batch Loader utility in this process, see the Operations Guide.
The Risk Engine analyzes this information, resulting in a risk score and recommended
policy action, which triggers ATM policy rules. A new case is created for each flagged
event if the triggered ATM policy rule is defined for case creation.Transactions
flagged as suspected fraud are sent to the Case Management application where the
transactions can be reviewed by fraud analysts.
Preconditions
The Adaptive Authentication system only transfers the information to the Risk Engine
for ATM processing, if the Analyze request includes the following:
The channel indicator in the SOAP call is ATM.
An ATM payload, such as atmID, is included in the SOAP call.
7: ATM Monitoring 29
RSA Adaptive Authentication (On-Premise) 7.1 Workflows and Processes Guide
1. Initiates log on
2. Collects the users credentials
and the card information
3.Transfers collected data to the ATM Server
30 7: ATM Monitoring
RSA Adaptive Authentication (On-Premise) 7.1 Workflows and Processes Guide
1. Initiates transaction
2. Collects the users credentials
and the transaction data
3.Transfers collected data to the ATM Server
7: ATM Monitoring 31
RSA Adaptive Authentication (On-Premise) 7.1 Workflows and Processes Guide
6. The Adaptive Authentication system passes the information to the Risk Engine for
risk analysis, which results in a risk score.
In parallel to this step, the transaction entered on to the ATM device is allowed:
a. The ATM server responds with transaction success, regardless of the analysis
results.
b. Transaction success is displayed on the ATM device.
7. If the analysis result is suspected fraud, the event is flagged. If the triggered ATM
policy rule is defined for case creation, a new case is created. Flagged transactions
are sent to the Case Management application where the transactions can be
reviewed by fraud analysts.
32 7: ATM Monitoring
RSA Adaptive Authentication (On-Premise) 7.1 Workflows and Processes Guide
8 Maintenance Workflow
Maintenance is the process of allowing a user to change enrollment information. This
workflow assumes that the user has successfully enrolled and logged on to the RSA
Adaptive Authentication (On-Premise) system.
Maintenance Workflow
1. Enable maintenance. A user chooses to modify user information.
2. Change or add challenge questions and answers. (Optional) The user wants to
modify the challenge questions and answers. Your application must do the
following:
Retrieve the list of questions to display to the user.
Allow the user to select new questions and provide new answers.
Allow the user to modify the answers to existing questions.
3. Change or add user out-of-band information. (Optional) The user wants to
modify out-of-band information.
Your application should collect the new information and perform data validation if
required. The Adaptive Authentication system allows for the management of
multiple emails and phone numbers of a given user.
4. Change or add other credentials. (Optional) The user adds or changes other
credential information. Your application should collect the new information and
send it to the Adaptive Authentication system.
5. Confirm user selection. The user reviews the selections and confirms enrollment.
After changes are confirmed, the Adaptive Authentication system updates the user
record in the database.
8: Maintenance Workflow 33
RSA Adaptive Authentication (On-Premise) 7.1 Workflows and Processes Guide
34 8: Maintenance Workflow
RSA Adaptive Authentication (On-Premise) 7.1 Workflows and Processes Guide
Note: You should be aware of the following time-out configuration issues that are
relevant to all authentication methods:
If the user is assigned to only one authentication method, the application checks
the Administration Console parameter Fraud Notification Before Session
Time-out for that authentication method. If this parameter is True, the Risk
Engine is notified of a session with suspected fraud. In this situation, the Risk
Engine gathers information from the session about user activity until the Adaptive
Authentication application notifies the Risk Engine that the session is not
suspected fraud.
If the parameter Fraud Notification Before Session Time-out is False, the
application waits for the session to expire before notifying the Risk Engine of the
authentication result. In this situation, the authentication result is Failure unless
the session ends in success, prior to session expiration.
The Adaptive Authentication application checks the number of sessions currently
open for the user, before opening a new session for the user.
If the number of open sessions for the user is greater than the value of the
Administration Console parameter Maximum Open Sessions per User, the
session is not opened.
For more information, see the Release Notes.
Credential Types
Credential Type Description
Challenge Questions The user provides answers to a set of questions chosen by the
institution.
Examples: What is your mothers maiden name? and What is the
name of your first pet?
Out-of-Band Phone The user is called on a phone number that the user provided during
enrollment.
The user is prompted to enter a one-time password, which is sent
through an online application on the users phone.
Out-of-Band Email The user is contacted at an email address that the user provided during
enrollment.
The user is prompted to enter a one-time password, which is sent in
the email message.
Out-of-Band SMS The user is sent an SMS on the mobile device that the user registered
during enrollment.
The user is prompted to enter a one-time password, which is sent in
the SMS.
10 Client-Managed Authentication
If your institution supports its own authentication mechanism, the RSA Adaptive
Authentication (On-Premise) system can support your existing workflows and allow
you to use your mechanisms in the ways described in this chapter.
The client-managed authentication supports all available credential types: Challenge
Questions, OOB Phone or Email, and Generic Authentication Plug-In.
Note: You can request to bind a device using the Analyze method. If a challenge is
presented to the end user, whose device is in the process of being bound, the status of
the device is temporary. You cannot change the status of the device to persistent
using the Notify request. You also cannot change the status of the user from
VERIFIED or UNVERIFIED to LOCKOUT. For more information, see the section
about managing user accounts in the Back Office Users Guide. To change the status of
the device or of the user, use the updateUser or Authenticate methods after calling the
Notify method. For more information, see the Web Services API Reference Guide.
Option 1
You can use the Adaptive Authentication system to authenticate a users collected
information but your application maintains and presents the challenge to the user.
For example, your application uses its own challenge questions, and sends the users
collected answer and the users stored answer to the Adaptive Authentication system,
where the users answers are compared. This option allows you to make use of fuzzy
logic comparators when matching answers.
Workflow
For this workflow, the Adaptive Authentication system does not store the users
credential information, for example, answers to the challenge questions. Your
application should have some method for storing and retrieving the users credential
information.
The following workflow assumes that challenge questions are being used.
1. Initiate an activity. The user begins a logon or transaction activity.
2. Recommend an action.
The Adaptive Authentication system determines that the activity is potentially
risky.
The Adaptive Authentication system determines that extra credentials are
required to help further authenticate the user.
The Adaptive Authentication system informs your system of the need for
further authentication.
Note: In this workflow option, the Adaptive Authentication system does not
automatically lock out the users account. Your application needs to inform
the Adaptive Authentication system if a user needs to be locked out because
of too many failed attempts.
Option 2
The user is challenged and authenticated separately from the Adaptive Authentication
system, and the authentication results are sent to the Adaptive Authentication system.
Workflow
For this workflow, the Adaptive Authentication system does not store the users
credential information, for example, answers to challenge questions. Your application
performs all the necessary authentication whenever the Adaptive Authentication
system makes that type of recommendation.
Note: The following flow uses Challenge Questions authentication for demonstration
purposes.
Note: The Adaptive Authentication system does not automatically lock out the user
account. Your application needs to inform the Adaptive Authentication system if a
user needs to be locked out due to too many tries.
If your application does not inform the Adaptive Authentication system of the result of
your authentication, it is as if the challenge is abandoned. The activity is marked as
suspected fraudulent in the Case Management application.
Unlocking a User
1. The customer service representative receives a request to unlock a user account.
2. The customer service representative validates the users identity, if necessary.
3. The customer service representative submits an unlock request to the Adaptive
Authentication system.
4. One of the following occurs:
The user is required to log on and reestablish credential information if the user
forgot the challenge questions.
The user can log back on to your system without any other requirements.
The following figure displays the workflow of unlocking a user account.
4. Select partial reenrollment options. Because the information has been cleared,
the user selects enrollment options:
Select challenge questions. The user sets up challenge questions and
answers.
Add user credential information. The user adds credential information, such
as phone numbers for out-of-band (OOB) authentication.
5. Confirm user selection. The user reviews the selections and confirms enrollment.
After enrollment is confirmed, the Adaptive Authentication system updates the user
record in the database.
Note: You can combine multiple pages into one page for ease of use. Fewer pages
may lead to an increase in completed user enrollments.
The following figure displays the workflow of partially reenrolling a user account.
1. A user attempts to log on to the application and is blocked due to the maximum
number of sessions open for the user.
2. The user calls the customer Service to inquire about the problem with the logon
process.
3. Using the Back Office Customer Service application, the RSA Customer Service
representative terminates all the open sessions for the user by pressing the
Terminate Authentication Sessions button in the User Details window.
The application updates the change history for the user with the Reset Session flag
(S) along with the date and time the user sessions were terminated.
4. If the Administration Console parameter Open Case for Events on Session
Termination is set to True, for each terminated authentication session, the Session
Reaper submits an event, for which the Event Puller opens a case in the Case
Management application.
5. A new session is opened for the user.
Preconditions
The user state is VERIFIED.
The user is successfully enrolled for OOB email with the Adaptive Authentication
system.
The following figure shows the general message flow during the OOB email
authentication. Each step involved in this procedure is described in the sections that
follow.
6. Calculate the
risk score and
7. Respond with the recommended action apply policies
and available challenge methods
(In this example, high risk score is generated and the user is challenged using OOB Email )
9. Generate
One Time
Password
10. Email the generated One Time Password to the user
5. The website of the organization sends the analyze request message. The device
forensic data is passed along with the user details.
The analyze request must include the device data, browser information, IP
address, user name, event type, and transaction data.
For a sample SOAP message, see Analyze SOAP Request for OOB Email on
page 107.
6. The Risk Engine processes the information in the analyze request and applies
policies.
7. The Adaptive Authentication system sends an analyze response message with the
recommended policy action and the list of available challenge methods. The list of
challenge methods consist of the methods that the user selected during enrollment.
The organization can select one of the challenge methods available for secondary
authentication. In this example, out-of-band (OOB) email is used.
For a sample SOAP message, see Analyze SOAP Response for OOB Email on
page 108.
8. The website sends the challenge request message to retrieve information for
secondary authentication. In this example, secondary authentication is done by
OOB email.
The challenge request must include the device data, browser information, IP
address, sessionId, transactionId, and OOB email challenge data.
For a sample SOAP message, see Challenge SOAP Request for OOB Email on
page 109.
9. The Adaptive Authentication system generates a one-time password for the given
activity and sends the challenge response.
For a sample SOAP message, see Challenge SOAP Response for OOB Email
on page 110.
10. The Adaptive Authentication system creates an email with the one-time password
and sends the email to the user.
11. The website of the organization prompts the user for secondary authentication.
12. User enters the answer and clicks the submit button.
The website must retrieve and send the device forensic data to the Adaptive
Authentication system.
13. The website of the organization sends the authenticate request message. The
device forensic data is passed along with the users answers.
The authenticate request must include the device data, browser information, IP
address, sessionId, transactionId, and OOB email data.
For a sample SOAP message, see Authenticate SOAP Request for OOB Email
on page 111.
14. The Adaptive Authentication system validates the data entered by the user against
the generated one-time password. The Adaptive Authentication system also
validates if the one-time password has expired or is reused.
15. The Adaptive Authentication system sends an authenticate response message with
the authentication status.
For a sample SOAP message, see Authenticate SOAP Response for OOB Email
(Success) on page 113.
16. The secure page is displayed to the user.
The following figure shows the general message flow during the out-of-band (OOB)
Phone authentication. This workflow assumes that the end user is successfully
enrolled for OOB Phone with RSA Adaptive Authentication (On-Premise) and that
the end user status is verified.
5HTXHVWORJRQRULQLWLDWHWUDQVDFWLRQ
'LVSOD\ORJRQRUWUDQVDFWLRQIRUP
*DWKHUGHYLFHGDWD
6XEPLWIRUPGHWDLOVDQGGHYLFHGDWD
9HULI\HQGXVHU
FUHGHQWLDOV
6HQGDQDO\]HUHTXHVWPHVVDJH
&DOFXODWHWKH
ULVNVFRUHDQG
DSSO\SROLF\
6HQGDQDO\]HUHVSRQVHPHVVDJH
6HQGFKDOOHQJHUHTXHVWPHVVDJH
*HQHUDWH
RQHWLPH
SDVVZRUG
6HQGFKDOOHQJHUHVSRQVHPHVVDJH
&KDOOHQJHHQGXVHUIRU
VHFRQGDU\DXWKHQWLFDWLRQ
6HQGRQHWLPHSDVVZRUGWRHQGXVHUWKURXJKSKRQH
6XEPLWWKHDQVZHUV
6HQGTXHU\$XWK6WDWXVUHTXHVWPHVVDJH
9DOLGDWH
RQHWLPH
SDVVZRUG
6HQGTXHU\$XWK6WDWXVUHVSRQVHPHVVDJH
'LVSOD\WKHPDLQSDJH
4. The end user enters the logon or transaction details and clicks the submit button.
The device forensic data is sent along with the transaction details.
5. The online system verifies the end-user credentials.
6. The online system sends an analyze request message. The device forensic data is
passed along with the end-user details.
The analyze request must include the device data, user name, event type, and
transaction data.
7. The RSA Risk Engine processes the information in the analyze request and
calculates a risk score, and Adaptive Authentication applies the relevant policy.
8. Adaptive Authentication sends an analyze response message with the
recommended policy action and the list of available challenge methods. The list of
challenge methods consists of the methods that the end user selected during
enrollment. The organization can select one of the challenge methods available for
step-up authentication. In this example, out-of-band (OOB) phone is used.
9. The online system sends a challenge request message to retrieve information for
step-up authentication.
The challenge request must include the device data, sessionId, transactionId, and
OOB phone challenge data.
10. Adaptive Authentication generates a one-time password (OTP) for the given
activity and sends the challenge response.
11. Adaptive Authentication sends an analyze response message with the
recommended policy action and the options for step-up authentication. For more
information about policies and authentication methods, see the Back Office Users
Guide.
12. Your online system prompts the end user for step-up authentication.
13. The OOB phone service calls the end user on the phone number collected during
enrollment. The phone service provides the end user with the one-time password.
14. The end user answers the phone and enters the OTP correctly within the
configurable time-out window measured from when the request message was sent
to the challenge method.
If the time-out window expires, the user is denied access and must try again. Your
system should allow for the end user to request another out-of-band message if the
end user does not receive the call.
15. Your online system sends a queryAuthStatus request message to Adaptive
Authentication with the OTP that the end user entered. Your online system must
send this request message within the time-out window. You need to continue
querying Adaptive Authentication until you receive a Success or Fail
queryAuthStatusResponse message.
16. Adaptive Authentication validates the one-time password that the end user entered
against the generated one-time password. Adaptive Authentication also checks
whether the one-time password has expired or is reused.
Adaptive Authentication sends a poll request for status to the Authentication
Plug-In service provider and receives a general status code from Authentication
Plug-In. Adaptive Authentication translates the general status codes received from
the Service Provider into channel status codes.
17. Adaptive Authentication returns a queryAuthStatus response message with the
result.
18. Your online system displays the secure page to the end user.
Preconditions
The user state is VERIFIED.
The user is successfully enrolled for KBA with the Adaptive Authentication
system.
This following image illustrates the general message flow during the KBA
authentication.
KBA System
User Browser Organizations Web Site Adaptive Authentication
Preconditions
The user state is VERIFIED.
The user is successfully enrolled for OOB SMS with the Adaptive Authentication
system.
The following figure shows the general message flow during the OOB SMS
authentication. Each step involved in this procedure is described in the sections that
follow.
6. Calculate the
risk score and
7. Respond with the recommended action apply policies
and available challenge methods
(In this example, high risk score is generated and the user is challenged using OOB SMS )
9. Generate
One Time
Password
10. Send the generated One Time Password to the user through SMS
5. The website of the organization sends the analyze request message. The device
forensic data is passed along with the user details. The analyze request must
include the device data, browser information, IP address, user name, event type,
and transaction data.
For a sample SOAP message, see Analyze SOAP Request for OOB SMS on
page 129.
6. The information in the analyze request is processed by the Risk Engine.
7. The Adaptive Authentication system sends an analyze response message with the
recommended policy action and the list of available challenge methods. The list of
challenge methods consists of the methods that the user selected during
enrollment. The organization can select one of the challenge methods available for
secondary authentication. In this example, out-of-band (OOB) SMS is used.
For a sample SOAP message, see Analyze SOAP Response for OOB SMS on
page 130.
8. The website sends the challenge request message to retrieve information for
secondary authentication. In this example, secondary authentication is done by
OOB SMS.
The challenge request must include the device data, browser information, IP
address, sessionId, transactionId, and OOB SMS challenge data.
If you send an OOB SMS challenge request without specifying a valid contact
number, Adaptive Authentication will process the request according to the
following guidelines:
a. Retrieve the contact information by label (home, office, cellular phone, etc.).
b. Retrieve the default contact information.
c. If there is no contact information by label and no default contact information,
Adaptive Authentication will use the first contact available in the list.
Note: A valid contact number consists of phone number, area code, and country
code.
For a sample SOAP message, see Challenge SOAP Request for OOB SMS on
page 131.
9. The Adaptive Authentication system generates a one-time password for the given
activity and sends the challenge response.
For a sample SOAP message, see Challenge SOAP Response for OOB SMS on
page 132.
10. The Adaptive Authentication system creates an SMS message with the one-time
password and sends the message to the external provider, which in turn passes the
message on to the user.
11. The website of the organization prompts the user for secondary authentication.
12. User enters the answer and clicks the submit button.
The website must retrieve the device forensic data.
13. The website of the organization sends the authenticate request message. The
device forensic data is passed along with the users answers.
The authenticate request must include the device data, browser information, IP
address, sessionId, transactionId, and OOB SMS data.
For a sample SOAP message, see Authenticate SOAP Request for OOB SMS
on page 133.
14. The Adaptive Authentication system validates the data entered by the user against
the generated one-time password. The Adaptive Authentication system also
validates if the one-time password has expired or is reused.
15. The Adaptive Authentication system sends an authenticate response message with
the authentication status.
For a sample SOAP message, see Authenticate SOAP Response for OOB SMS
(Successful) on page 135.
16. The secure page is displayed to the user.
Preconditions
The user state is VERIFIED.
The user is successfully enrolled for one-time password with the RSA Adaptive
Authentication (On-Premise) system.
This following figure describes the general message flow during the One-Time
Password authentication.
6. Calculate the
risk score and
apply policies
7. Respond with the recommended
action and available challenge methods
(In this example high risk score is generated
and the user is challenged using OTP)
11. Present one-time password to user. (The organization can save the password
and present it to the user through a
medium of their choice. Sending the
password to a user browser is just one use
case.)
12. Submit the answers
4. The user enters the logon or transaction details and clicks the submit button.
The device forensic data is sent along with the transaction details.
5. The website of the organization sends the analyze request message. The device
forensic data is passed along with the user details.
The analyze request must include the device data, browser information, IP
address, user name, event type, and transaction data.
For a sample SOAP message, see Analyze SOAP Request for OTP on page 138.
6. The information in the analyze request is processed by the Risk Engine.
7. The Adaptive Authentication system sends an analyze response message with the
recommended policy action and the list of available challenge methods. The list of
challenge methods consists of the methods that the user selected during
enrollment. The organization can select one of the challenge methods available for
secondary authentication. In this example, one-time password is used.
For a sample SOAP message, see Analyze SOAP Response for OTP on
page 139.
8. The website of the organization sends a challenge request message to the Adaptive
Authentication system.
For a sample SOAP message, see Challenge SOAP Request for OTP on
page 140.
9. The Adaptive Authentication system generates a one-time password.
Challenge SOAP Response for OTP on page 141
10. The Adaptive Authentication system sends the one-time password to the
organization.
11. The organization sends one-time password to the user.
The password may be delivered by phone, SMS, or email, or through some other
mechanism.
12. The user submits the one-time password.
13. The website sends the one-time password chosen by the user to the Adaptive
Authentication system as part of the authenticate request.
For a sample SOAP message, see Authenticate SOAP Request for OTP on
page 142.
14. The Adaptive Authentication system verifies that the token sent matches the token
produced in the challenge flow.
15. The Adaptive Authentication system sends an authenticate response message with
the authentication status.
Authenticate SOAP Response for OTP (Successful) on page 144
16. The secure page is displayed to the user.
Preconditions:
The user state is VERIFIED.
The user has an account with the website of the organization. The user is enrolled
and is verified.
The following figure shows the general message flow of a failed authentication.
Challenge questions is used as authentication method in this example. Each step
involved in this procedure is described in the sections that follow.
9. Call Challenge
For sample SOAP message, see Analyze SOAP Response for Secret Questions on
page 148.
9. Send the challenge request message to retrieve information for secondary
authentication. In this example secondary authentication is done by challenge
questions.
The challenge request must include the device data, browser information, IP
address, sessionId, transactionId, and challenge details.
For sample SOAP message, see Challenge SOAP Request for Secret Questions on
page 149.
10. Adaptive Authentication sends a challenge response with the questions.
For sample SOAP message, see Challenge SOAP Response for Secret Questions
on page 150.
11. The organizations web application prompts the user for secondary authentication.
12. User enters incorrect answers and clicks the submit button.
Ensure to retrieve and send the device forensic data to Adaptive Authentication
system.
13. The organizations web application sends the authenticate request message. The
device forensic data is passed along with the users answers.
The authenticate request must include the device data, browser information, IP
address, sessionId, transactionId, and answer to the challenge.
For sample SOAP message, see Authenticate SOAP Request for Secret Questions
on page 151.
14. User fails authentication and the failure count increases by one.
15. Adaptive Authentication sends an authenticate response message with the
authentication status. The user fails authentication.
For sample SOAP message, see Authenticate SOAP Response for Secret
Questions (Failed) on page 152.
16. The organizations web application prompts the user for secondary authentication.
17. User enters incorrect answers and clicks the submit button.
Ensure to retrieve and send the device forensic data to Adaptive Authentication
system.
18. The organizations web application sends the authenticate request message. The
device forensic data is passed along with the users answers.
The authenticate request must include the device data, browser information, IP
address, sessionId, transactionId, and answer to the challenge.
For sample SOAP message, see Authenticate SOAP Request for Secret Questions
on page 151.
19. User fails authentication and the failure count increases by one.
20. Adaptive Authentication sends an authenticate response message with the
authentication status. The user fails authentication.
For sample SOAP message, see Authenticate SOAP Response for Secret
Questions (Failed) on page 152.
If the Maximum User Failure Count is reached, the user is locked out. If not, the
user is challenged again.
21. User cannot proceed with logon or transaction.
<ns1:actionCode>ALLOW</ns1:actionCode>
<ns1:actionName>FALLBACK RULE</ns1:actionName>
<ns1:actionType>STRICT</ns1:actionType>
<ns1:clientFactList/>
<ns1:ruleId>FALLBACK RULE</ns1:ruleId>
<ns1:ruleName>FALLBACK RULE</ns1:ruleName>
</ns1:triggeredRule>
</ns1:riskResult>
</ns1:createUserReturn>
</ns1:createUserResponse>
</soapenv:Body>
</soapenv:Envelope>
<ns1:actionName>FALLBACK RULE</ns1:actionName>
<ns1:actionType>STRICT</ns1:actionType>
<ns1:clientFactList/>
<ns1:ruleId>FALLBACK RULE</ns1:ruleId>
<ns1:ruleName>FALLBACK RULE</ns1:ruleName>
</ns1:triggeredRule>
</ns1:riskResult>
</ns1:updateUserReturn>
</ns1:updateUserResponse>
</soapenv:Body>
</soapenv:Envelope>
<ns1:triggeredRule>
<ns1:actionCode>ALLOW</ns1:actionCode>
<ns1:actionName>FALLBACK RULE</ns1:actionName>
<ns1:actionType>STRICT</ns1:actionType>
<ns1:clientFactList/>
<ns1:ruleId>FALLBACK RULE</ns1:ruleId>
<ns1:ruleName>FALLBACK RULE</ns1:ruleName>
</ns1:triggeredRule>
</ns1:riskResult>
</ns1:createUserReturn>
</ns1:createUserResponse>
</soapenv:Body>
</soapenv:Envelope>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Body>
<ws:analyze xmlns:ws="http://ws.csd.rsa.com">
<ws:request>
<ws:identificationData>
<ws:userName>user</ws:userName>
<ws:userStatus>VERIFIED</ws:userStatus>
<ws:userType>PERSISTENT</ws:userType>
</ws:identificationData>
<ws:messageHeader>
<ws:apiType>DIRECT_SOAP_API</ws:apiType>
<ws:requestType>ANALYZE</ws:requestType>
<ws:version>7.0</ws:version>
</ws:messageHeader>
<ws:securityHeader>
<ws:callerCredential>password</ws:callerCredential>
<ws:callerId>callerId</ws:callerId>
<ws:method>PASSWORD</ws:method>
</ws:securityHeader>
<ws:autoCreateUserFlag>false</ws:autoCreateUserFlag>
<ws:eventDataList>
<ws:eventData>
<ws:eventType>SESSION_SIGNIN</ws:eventType>
</ws:eventData>
</ws:eventDataList>
<ws:runRiskType>ALL</ws:runRiskType>
</ws:request>
</ws:analyze>
</soapenv:Body>
</soapenv:Envelope>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Body>
<ns1:analyzeResponse xmlns:ns1="http://ws.csd.rsa.com">
<ns1:analyzeReturn xsi:type="ns1:AnalyzeResponse"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<ns1:identificationData>
<ns1:delegated>false</ns1:delegated>
<ns1:sessionId>4bccc90a:1396541c967:-669b</ns1:sessionId>
<ns1:transactionId>a966-:769c1456931:a09cccb4_TRX
</ns1:transactionId>
<ns1:userName>user</ns1:userName>
<ns1:userStatus>VERIFIED</ns1:userStatus>
<ns1:userType>PERSISTENT</ns1:userType>
</ns1:identificationData>
<ns1:messageHeader>
<ns1:apiType>DIRECT_SOAP_API</ns1:apiType>
<ns1:requestType>ANALYZE</ns1:requestType>
<ns1:timeStamp>2012-08-27T07:52:32.519Z</ns1:timeStamp>
<ns1:version>7.0</ns1:version>
</ns1:messageHeader>
<ns1:statusHeader>
<ns1:reasonCode>0</ns1:reasonCode>
<ns1:reasonDescription>Operations were completed
successfully</ns1:reasonDescription>
<ns1:statusCode>200</ns1:statusCode>
</ns1:statusHeader>
<ns1:requiredCredentialList>
<ns1:requiredCredential>
<ns1:credentialType>USER_DEFINED</ns1:credentialType>
<ns1:genericCredentialType>KBA</ns1:genericCredentialType>
<ns1:groupName>DEFAULT</ns1:groupName>
<ns1:preference>0</ns1:preference>
<ns1:required>true</ns1:required>
</ns1:requiredCredential>
</ns1:requiredCredentialList>
<ns1:riskResult>
<ns1:riskScore>2</ns1:riskScore>
<ns1:riskScoreBand>SCORE_BAND_0</ns1:riskScoreBand>
<ns1:triggeredRule>
<ns1:actionCode>CHALLENGE</ns1:actionCode>
<ns1:actionName>AuthDevNotBound</ns1:actionName>
<ns1:actionType>STRICT</ns1:actionType>
<ns1:clientFactList/>
<ns1:ruleId>AuthDevNotBound</ns1:ruleId>
<ns1:ruleName>AuthDevNotBound</ns1:ruleName>
</ns1:triggeredRule>
</ns1:riskResult>
</ns1:analyzeReturn>
</ns1:analyzeResponse>
</soapenv:Body>
</soapenv:Envelope>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Body>
<ns1:authenticateResponse xmlns:ns1="http://ws.csd.rsa.com">
<ns1:authenticateReturn xsi:type="ns1:AuthenticateResponse"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<ns1:identificationData>
<ns1:delegated>false</ns1:delegated>
<ns1:sessionId>4bccc90a:1396541c967:-6671</ns1:sessionId>
<ns1:transactionId>0766-:769c1456931:a09cccb4_TRX</ns1:transactionId>
<ns1:userName>user</ns1:userName>
<ns1:userStatus>VERIFIED</ns1:userStatus>
<ns1:userType>PERSISTENT</ns1:userType>
</ns1:identificationData>
<ns1:messageHeader>
<ns1:apiType>DIRECT_SOAP_API</ns1:apiType>
<ns1:requestType>AUTHENTICATE</ns1:requestType>
<ns1:timeStamp>2012-08-27T08:07:37.353Z</ns1:timeStamp>
<ns1:version>7.0</ns1:version>
</ns1:messageHeader>
<ns1:statusHeader>
<ns1:reasonCode>0</ns1:reasonCode>
<ns1:reasonDescription>Operations were completed
successfully</ns1:reasonDescription>
<ns1:statusCode>200</ns1:statusCode>
</ns1:statusHeader>
<ns1:credentialAuthResultList xsi:type="ns1:CredentialAuthResultList">
<ns1:acspAuthenticationResponseData>
<ns1:acspAccountId>user</ns1:acspAccountId>
<ns1:callStatus>
<ns1:statusCode>FAIL</ns1:statusCode>
<ns1:statusDescription>Failed: iAuth Questions; Frequency
violation information:</ns1:statusDescription>
</ns1:callStatus>
<ns1:payload xsi:type="ns2:KBAAuthenticationResponse"
xmlns:ns2="http://ws.kba.csd.rsa.com"/>
</ns1:acspAuthenticationResponseData>
</ns1:credentialAuthResultList>
<ns1:requiredCredentialList>
<ns1:requiredCredential>
<ns1:credentialType>USER_DEFINED</ns1:credentialType>
<ns1:genericCredentialType>KBA</ns1:genericCredentialType>
<ns1:groupName>DEFAULT</ns1:groupName>
<ns1:preference>0</ns1:preference>
<ns1:required>true</ns1:required>
</ns1:requiredCredential>
</ns1:requiredCredentialList>
</ns1:authenticateReturn>
</ns1:authenticateResponse>
</soapenv:Body>
</soapenv:Envelope>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Body>
<ns1:authenticateResponse xmlns:ns1="http://ws.csd.rsa.com">
<ns1:authenticateReturn xsi:type="ns1:AuthenticateResponse"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<ns1:identificationData>
<ns1:delegated>false</ns1:delegated>
<ns1:sessionId>4bccc90a:1396541c967:-666b</ns1:sessionId>
<ns1:transactionId>a666-:769c1456931:a09cccb4_TRX
</ns1:transactionId>
<ns1:userName>user</ns1:userName>
<ns1:userStatus>VERIFIED</ns1:userStatus>
<ns1:userType>PERSISTENT</ns1:userType>
</ns1:identificationData>
<ns1:messageHeader>
<ns1:apiType>DIRECT_SOAP_API</ns1:apiType>
<ns1:requestType>AUTHENTICATE</ns1:requestType>
<ns1:timeStamp>2012-08-27T08:08:18.183Z</ns1:timeStamp>
<ns1:version>7.0</ns1:version>
</ns1:messageHeader>
<ns1:statusHeader>
<ns1:reasonCode>0</ns1:reasonCode>
<ns1:reasonDescription>Operations were completed
successfully</ns1:reasonDescription>
<ns1:statusCode>200</ns1:statusCode>
</ns1:statusHeader>
<ns1:credentialAuthResultListxsi:type="ns1:CredentialAuthResultList">
<ns1:acspAuthenticationResponseData>
<ns1:acspAccountId>user</ns1:acspAccountId>
<ns1:callStatus>
<ns1:statusCode>PENDING</ns1:statusCode>
<ns1:statusDescription>Additional questions and answers
have been retrieved successfully
from KBA</ns1:statusDescription>
</ns1:callStatus>
<ns1:payload xsi:type="ns2:KBAAuthenticationResponse"
xmlns:ns2="http://ws.kba.csd.rsa.com">
<ns2:questions>
<ns2:questionId>8022125309625</ns2:questionId>
<ns2:text>In which of the following districts or
locations have you ever lived?</ns2:text>
<ns2:choices>
<ns2:choiceId>8026838496250</ns2:choiceId>
<ns2:text>Colden Common</ns2:text>
</ns2:choices>
<ns2:choices>
<ns2:choiceId>8026838496251</ns2:choiceId>
<ns2:text>Coleford</ns2:text>
</ns2:choices>
<ns2:choices>
<ns2:choiceId>8026838496252</ns2:choiceId>
<ns2:text>Finsbury Park</ns2:text>
</ns2:choices>
<ns2:choices>
<ns2:choiceId>8026838496253</ns2:choiceId>
<ns2:text>Lochee</ns2:text>
</ns2:choices>
<ns2:choices>
<ns2:choiceId>8026838496254</ns2:choiceId>
<ns2:text>Pill</ns2:text>
</ns2:choices>
<ns2:choices>
<ns2:choiceId>8026838496255</ns2:choiceId>
<ns2:text>I have never lived or owned property
in any of these districts</ns2:text>
</ns2:choices>
</ns2:questions>
</ns1:payload>
</ns1:acspAuthenticationResponseData>
</ns1:credentialAuthResultList>
<ns1:requiredCredentialList>
<ns1:requiredCredential>
<ns1:credentialType>USER_DEFINED</ns1:credentialType>
<ns1:genericCredentialType>KBA</ns1:genericCredentialType>
<ns1:groupName>DEFAULT</ns1:groupName>
<ns1:preference>0</ns1:preference>
<ns1:required>true</ns1:required>
</ns1:requiredCredential>
</ns1:requiredCredentialList>
</ns1:authenticateReturn>
</ns1:authenticateResponse>
</soapenv:Body>
</soapenv:Envelope>
<soapenv:Envelope
xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Body>
<ns1:authenticateResponse xmlns:ns1="http://ws.csd.rsa.com">
<ns1:authenticateReturn xsi:type="ns1:AuthenticateResponse"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<ns1:identificationData>
<ns1:delegated>false</ns1:delegated>
<ns1:transactionId>a966-:769c1456931:a09cccb4_TRX
</ns1:transactionId>
<ns1:userName>user</ns1:userName>
<ns1:userStatus>VERIFIED</ns1:userStatus>
<ns1:userType>PERSISTENT</ns1:userType>
</ns1:identificationData>
<ns1:messageHeader>
<ns1:apiType>DIRECT_SOAP_API</ns1:apiType>
<ns1:requestType>AUTHENTICATE</ns1:requestType>
<ns1:timeStamp>2012-08-27T07:52:50.522Z</ns1:timeStamp>
<ns1:version>7.0</ns1:version>
</ns1:messageHeader>
<ns1:statusHeader>
<ns1:reasonCode>0</ns1:reasonCode>
<ns1:reasonDescription>Operations were completed
successfully</ns1:reasonDescription>
<ns1:statusCode>200</ns1:statusCode>
</ns1:statusHeader>
<ns1:credentialAuthResultListxsi:type=
"ns1:CredentialAuthResultList">
<ns1:acspAuthenticationResponseData>
<ns1:acspAccountId>user</ns1:acspAccountId>
<ns1:callStatus>
<ns1:statusCode>SUCCESS</ns1:statusCode>
<ns1:statusDescription>Answers match in
KBA</ns1:statusDescription>
</ns1:callStatus>
<ns1:payload
xsi:type="ns2:KBAAuthenticationResponse"
xmlns:ns2="http://ws.kba.csd.rsa.com"/>
</ns1:acspAuthenticationResponseData>
</ns1:credentialAuthResultList>
</ns1:authenticateReturn>
</ns1:authenticateResponse>
</soapenv:Body>
</soapenv:Envelope>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:ws="http://ws.csd.rsa.com">
<soapenv:Header/>
<soapenv:Body>
<ws:analyze>
<ws:request>
<ws:deviceRequest>
<ws:ipAddress>30.30.30.30</ws:ipAddress>
</ws:deviceRequest>
<ws:identificationData>
<ws:userName>user10</ws:userName>
<ws:userStatus>VERIFIED</ws:userStatus>
<ws:userType>PERSISTENT</ws:userType>
</ws:identificationData>
<ws:messageHeader>
<ws:apiType>DIRECT_SOAP_API</ws:apiType>
<ws:requestType>ANALYZE</ws:requestType>
<ws:version>7.0</ws:version>
</ws:messageHeader>
<ws:securityHeader>
<ws:callerCredential>password</ws:callerCredential>
<ws:callerId>callerId</ws:callerId>
<ws:method>PASSWORD</ws:method>
</ws:securityHeader>
<ws:autoCreateUserFlag>false</ws:autoCreateUserFlag>
<ws:eventDataList>
<ws:eventData>
<ws:eventType>PAYMENT</ws:eventType>
<ws:transactionData>
<ws:amount>
<ws:amount>1000000</ws:amount>
<ws:amountInUSD>1000000</ws:amountInUSD>
<ws:currency>USD</ws:currency>
</ws:amount>
<ws:executionSpeed>REAL_TIME</ws:executionSpeed>
<ws:otherAccountBankType>OTHER_BANK</ws:otherAccountBankType>
<ws:otherAccountData>
<ws:accountName>otherAccountName</ws:accountName>
<ws:accountNumber>123456789</ws:accountNumber>
</ws:otherAccountData>
<ws:otherAccountOwnershipType>ME_TO_YOU
</ws:otherAccountOwnershipType>
<ws:otherAccountType>PERSONAL_ACCOUNT</ws:otherAccountType>
</ws:transactionData>
</ws:eventData>
</ws:eventDataList>
<ws:runRiskType>ALL</ws:runRiskType>
<ws:channelIndicator>WEB</ws:channelIndicator>
</ws:request>
</ws:analyze>
</soapenv:Body>
</soapenv:Envelope>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Body>
<ns1:analyzeResponse xmlns:ns1="http://ws.csd.rsa.com">
<ns1:analyzeReturn xsi:type="ns1:AnalyzeResponse"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<ns1:deviceResult>
<ns1:authenticationResult>
<ns1:authStatusCode>FAIL</ns1:authStatusCode>
<ns1:risk>0</ns1:risk>
</ns1:authenticationResult>
<ns1:callStatus>
<ns1:statusCode>SUCCESS</ns1:statusCode>
<ns1:statusDescription/>
</ns1:callStatus>
<ns1:deviceData>
<ns1:bindingType>NONE</ns1:bindingType>
<ns1:deviceTokenCookie>PMV602EbovpQBP4%2FXLTti6rJNqjrcXjQOFhN
%2B4okMH7zrAZ6i1ewPbOmeqXWhMMT%2BGCZMS
</ns1:deviceTokenCookie>
<ns1:deviceTokenFSO>PMV602EbovpQBP4%2FXLTti6rJNqjrcXjQOFhN%
2B4okMH7zrAZ6i1ewPbOmeqXWhMMT%2BGCZMS</ns1:deviceTokenFSO>
</ns1:deviceData>
</ns1:deviceResult>
<ns1:identificationData>
<ns1:delegated>false</ns1:delegated>
<ns1:groupName/>
<ns1:sessionId>-59685e99:13942fcc431:-7ff6</ns1:sessionId>
<ns1:transactionId>5ff7-:134ccf24931:99e58695-_TRX</ns1:transactionId>
<ns1:userName>user10</ns1:userName>
<ns1:userStatus>VERIFIED</ns1:userStatus>
<ns1:userType>PERSISTENT</ns1:userType>
</ns1:identificationData>
<ns1:messageHeader>
<ns1:apiType>DIRECT_SOAP_API</ns1:apiType>
<ns1:requestType>ANALYZE</ns1:requestType>
<ns1:timeStamp>2012-08-20T07:55:37.971Z</ns1:timeStamp>
<ns1:version>7.0</ns1:version>
</ns1:messageHeader>
<ns1:statusHeader>
<ns1:reasonCode>0</ns1:reasonCode>
<ns1:reasonDescription>Operations were completed
successfully</ns1:reasonDescription>
<ns1:statusCode>200</ns1:statusCode>
</ns1:statusHeader>
<ns1:requiredCredentialList>
<ns1:requiredCredential>
<ns1:credentialType>OOBEMAIL</ns1:credentialType>
<ns1:groupName>DEFAULT</ns1:groupName>
<ns1:preference>0</ns1:preference>
<ns1:required>true</ns1:required>
</ns1:requiredCredential>
</ns1:requiredCredentialList>
<ns1:riskResult>
<ns1:riskScore>1000</ns1:riskScore>
<ns1:riskScoreBand>SCORE_BAND_4</ns1:riskScoreBand>
<ns1:triggeredRule>
<ns1:actionCode>CHALLENGE</ns1:actionCode>
<ns1:actionName>IPOnWatchList</ns1:actionName>
<ns1:actionType>STRICT</ns1:actionType>
<ns1:clientFactList/>
<ns1:ruleId>IPOnWatchList</ns1:ruleId>
<ns1:ruleName>IPOnWatchList</ns1:ruleName>
</ns1:triggeredRule>
</ns1:riskResult>
</ns1:analyzeReturn>
</ns1:analyzeResponse>
</soapenv:Body>
</soapenv:Envelope>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:ws="http://ws.csd.rsa.com">
<soapenv:Header/>
<soapenv:Body>
<ws:analyze>
<ws:request>
<ws:deviceRequest>
<ws:ipAddress>10.10.10.0</ws:ipAddress>
</ws:deviceRequest>
<ws:identificationData>
<ws:delegated>true</ws:delegated>
<ws:orgName>org</ws:orgName>
<ws:userName>user</ws:userName>
<ws:userStatus>VERIFIED</ws:userStatus>
<ws:userType>PERSISTENT</ws:userType>
</ws:identificationData>
<ws:messageHeader>
<ws:apiType>DIRECT_SOAP_API</ws:apiType>
<ws:requestType>ANALYZE</ws:requestType>
<ws:version>7.0</ws:version>
</ws:messageHeader>
<ws:securityHeader>
<ws:callerCredential>password</ws:callerCredential>
<ws:callerId>callerId</ws:callerId>
<ws:method>PASSWORD</ws:method>
</ws:securityHeader>
<ws:autoCreateUserFlag>false</ws:autoCreateUserFlag>
<ws:eventDataList>
<ws:eventData>
<ws:eventType>ADD_PAYEE</ws:eventType>
<ws:transactionData>
<ws:otherAccountBankType>SAME_BANK</ws:otherAccountBankType>
<ws:otherAccountData>
<ws:accountNumber>123456</ws:accountNumber>
<ws:accountOwnershipType>BUSINESS</ws:accountOwnershipType>
</ws:otherAccountData>
<ws:otherAccountOwnershipType>ME_TO_YOU
</ws:otherAccountOwnershipType>
<ws:otherAccountType>BILLER</ws:otherAccountType>
</ws:transactionData>
</ws:eventData>
</ws:eventDataList>
<ws:runRiskType>ALL</ws:runRiskType>
<ws:channelIndicator>WEB</ws:channelIndicator>
</ws:request>
</ws:analyze>
</soapenv:Body>
</soapenv:Envelope>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Body>
<ns1:analyzeResponse xmlns:ns1="http://ws.csd.rsa.com">
<ns1:analyzeReturn xsi:type="ns1:AnalyzeResponse"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<ns1:deviceResult>
<ns1:authenticationResult>
<ns1:authStatusCode>FAIL</ns1:authStatusCode>
<ns1:risk>0</ns1:risk>
</ns1:authenticationResult>
<ns1:callStatus>
<ns1:statusCode>SUCCESS</ns1:statusCode>
<ns1:statusDescription/>
</ns1:callStatus>
<ns1:deviceData>
<ns1:bindingType>NONE</ns1:bindingType>
<ns1:deviceTokenCookie>PMV600EZq5vSB%2BJFjaGcTNuwlhcQw%2FXKKgmZtT
G1bMZ1AGuEOFJKThgc3cD%2FEYBZJhNQ9g</ns1:deviceTokenCookie>
<ns1:deviceTokenFSO>PMV600EZq5vSB%2BJFjaGcTNuwlhcQw%2FXKKgmZtTG
1bMZ1AGuEOFJKThgc3cD%2FEYBZJhNQ9g</ns1:deviceTokenFSO>
</ns1:deviceData>
</ns1:deviceResult>
<ns1:identificationData>
<ns1:delegated>true</ns1:delegated>
<ns1:groupName/>
<ns1:orgName>org</ns1:orgName>
<ns1:sessionId>-7b3a725d:1394d80a375:-7ffe</ns1:sessionId>
<ns1:transactionId>dff7-:573a08d4931:d527a3b7-_TRX</ns1:transactionId>
<ns1:userName>user</ns1:userName>
<ns1:userStatus>VERIFIED</ns1:userStatus>
<ns1:userType>PERSISTENT</ns1:userType>
</ns1:identificationData>
<ns1:messageHeader>
<ns1:apiType>DIRECT_SOAP_API</ns1:apiType>
<ns1:requestType>ANALYZE</ns1:requestType>
<ns1:timeStamp>2012-08-22T08:44:36.885Z</ns1:timeStamp>
<ns1:version>7.0</ns1:version>
</ns1:messageHeader>
<ns1:statusHeader>
<ns1:reasonCode>0</ns1:reasonCode>
<ns1:reasonDescription>Operations were completed
successfully</ns1:reasonDescription>
<ns1:statusCode>200</ns1:statusCode>
</ns1:statusHeader>
<ns1:requiredCredentialList>
<ns1:requiredCredential>
<ns1:credentialType>OOBPHONE</ns1:credentialType>
<ns1:groupName>DEFAULT</ns1:groupName>
<ns1:preference>0</ns1:preference>
<ns1:required>true</ns1:required>
</ns1:requiredCredential>
</ns1:requiredCredentialList>
<ns1:riskResult>
<ns1:riskScore>10</ns1:riskScore>
<ns1:riskScoreBand>SCORE_BAND_0</ns1:riskScoreBand>
<ns1:triggeredRule>
<ns1:actionCode>CHALLENGE</ns1:actionCode>
<ns1:actionName>CountryOnWatchList</ns1:actionName>
<ns1:actionType>STRICT</ns1:actionType>
<ns1:clientFactList/>
<ns1:ruleId>CountryOnWatchList</ns1:ruleId>
<ns1:ruleName>CountryOnWatchList</ns1:ruleName>
</ns1:triggeredRule>
</ns1:riskResult>
</ns1:analyzeReturn>
</ns1:analyzeResponse>
</soapenv:Body>
</soapenv:Envelope>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:ws="http://ws.csd.rsa.com">
<soapenv:Header/>
<soapenv:Body>
<ws:analyze>
<ws:request>
<ws:deviceRequest>
<ws:ipAddress>10.10.10.0</ws:ipAddress>
</ws:deviceRequest>
<ws:identificationData>
<ws:groupName>group</ws:groupName>
<ws:orgName>org</ws:orgName>
<ws:userName>user</ws:userName>
<ws:userStatus>VERIFIED</ws:userStatus>
<ws:userType>PERSISTENT</ws:userType>
</ws:identificationData>
<ws:messageHeader>
<ws:apiType>DIRECT_SOAP_API</ws:apiType>
<ws:requestType>ANALYZE</ws:requestType>
<ws:version>7.0</ws:version>
</ws:messageHeader>
<ws:securityHeader>
<ws:callerCredential>password</ws:callerCredential>
<ws:callerId>callerId</ws:callerId>
<ws:method>PASSWORD</ws:method>
</ws:securityHeader>
<ws:autoCreateUserFlag>false</ws:autoCreateUserFlag>
<ws:eventDataList>
<ws:eventData>
<ws:eventType>ACTIVATE_CARD</ws:eventType>
</ws:eventData>
</ws:eventDataList>
<ws:runRiskType>ALL</ws:runRiskType>
<ws:channelIndicator>WEB</ws:channelIndicator>
</ws:request>
</ws:analyze>
</soapenv:Body>
</soapenv:Envelope>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Body>
<ns1:analyzeResponse xmlns:ns1="http://ws.csd.rsa.com">
<ns1:analyzeReturn xsi:type="ns1:AnalyzeResponse"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<ns1:deviceResult>
<ns1:authenticationResult>
<ns1:authStatusCode>FAIL</ns1:authStatusCode>
<ns1:risk>0</ns1:risk>
</ns1:authenticationResult>
<ns1:callStatus>
<ns1:statusCode>SUCCESS</ns1:statusCode>
<ns1:statusDescription/>
</ns1:callStatus>
<ns1:deviceData>
<ns1:bindingType>NONE</ns1:bindingType>
<ns1:deviceTokenCookie>PMV600257TFD4qBojEz4ROsjx%2F%2BwfwN9iErI
Ye5bLsuYRFLTU3Ot9Ff7%2FTeu7XTfi%2FEmNi</ns1:deviceTokenCookie>
<ns1:deviceTokenFSO>PMV600257TFD4qBojEz4ROsjx%2F%2BwfwN9iErIYe5bLs
uYRFLTU3Ot9Ff7%2FTeu7XTfi%2FEmNi</ns1:deviceTokenFSO>
</ns1:deviceData>
</ns1:deviceResult>
<ns1:identificationData>
<ns1:delegated>false</ns1:delegated>
<ns1:groupName/>
<ns1:orgName>org</ns1:orgName>
<ns1:sessionId>4ff806f:1394f372a0e:-7ff6</ns1:sessionId>
<ns1:transactionId>5ff7-:e0a273f4931:f608ff4_TRX</ns1:transactionId>
<ns1:userName>user</ns1:userName>
<ns1:userStatus>VERIFIED</ns1:userStatus>
<ns1:userType>PERSISTENT</ns1:userType>
</ns1:identificationData>
<ns1:messageHeader>
<ns1:apiType>DIRECT_SOAP_API</ns1:apiType>
<ns1:requestType>ANALYZE</ns1:requestType>
<ns1:timeStamp>2012-08-22T16:48:11.41Z</ns1:timeStamp>
<ns1:version>7.0</ns1:version>
</ns1:messageHeader>
<ns1:statusHeader>
<ns1:reasonCode>0</ns1:reasonCode>
<ns1:reasonDescription>Operations were completed
successfully</ns1:reasonDescription>
<ns1:statusCode>200</ns1:statusCode>
</ns1:statusHeader>
<ns1:requiredCredentialList>
<ns1:requiredCredential>
<ns1:credentialType>USER_DEFINED</ns1:credentialType>
<ns1:genericCredentialType>OOBSMS</ns1:genericCredentialType>
<ns1:groupName>DEFAULT</ns1:groupName>
<ns1:preference>0</ns1:preference>
<ns1:required>true</ns1:required>
</ns1:requiredCredential>
</ns1:requiredCredentialList>
<ns1:riskResult>
<ns1:riskScore>968</ns1:riskScore>
<ns1:riskScoreBand>SCORE_BAND_4</ns1:riskScoreBand>
<ns1:triggeredRule>
<ns1:actionCode>CHALLENGE</ns1:actionCode>
<ns1:actionName>CountryOnWatchList</ns1:actionName>
<ns1:actionType>STRICT</ns1:actionType>
<ns1:clientFactList/>
<ns1:ruleId>CountryOnWatchList</ns1:ruleId>
<ns1:ruleName>CountryOnWatchList</ns1:ruleName>
</ns1:triggeredRule>
</ns1:riskResult>
</ns1:analyzeReturn>
</ns1:analyzeResponse>
</soapenv:Body>
</soapenv:Envelope>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:ws="http://ws.csd.rsa.com">
<soapenv:Header/>
<soapenv:Body>
<ws:analyze>
<ws:request>
<ws:identificationData>
<ws:userName>user</ws:userName>
<ws:userStatus>VERIFIED</ws:userStatus>
<ws:userType>PERSISTENT</ws:userType>
</ws:identificationData>
<ws:messageHeader>
<ws:apiType>DIRECT_SOAP_API</ws:apiType>
<ws:requestType>ANALYZE</ws:requestType>
<ws:version>7.0</ws:version>
</ws:messageHeader>
<ws:securityHeader>
<ws:callerCredential>password</ws:callerCredential>
<ws:callerId>callerId</ws:callerId>
<ws:method>PASSWORD</ws:method>
</ws:securityHeader>
<ws:autoCreateUserFlag>false</ws:autoCreateUserFlag>
<ws:eventDataList>
<ws:eventData>
<ws:eventType>REQUEST_CREDIT</ws:eventType>
<ws:transactionData>
<ws:myAccountData>
<ws:accountName>accountName</ws:accountName>
<ws:accountNumber>123456</ws:accountNumber>
<ws:internationalAccountNumber>123456
</ws:internationalAccountNumber>
<ws:accountOwnershipType>INDIVIDUAL
</ws:accountOwnershipType>
</ws:myAccountData>
</ws:transactionData>
</ws:eventData>
</ws:eventDataList>
<ws:runRiskType>ALL</ws:runRiskType>
<ws:channelIndicator>WEB</ws:channelIndicator>
</ws:request>
</ws:analyze>
</soapenv:Body>
</soapenv:Envelope>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Body>
<ns1:analyzeResponse xmlns:ns1="http://ws.csd.rsa.com">
<ns1:analyzeReturn xsi:type="ns1:AnalyzeResponse"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<ns1:identificationData>
<ns1:delegated>false</ns1:delegated>
<ns1:groupName/>
<ns1:sessionId>7e4df63d:1394eb0d8f3:-7fd8</ns1:sessionId>
<ns1:transactionId>7df7-:3f8d0be4931:d36fd4e7_TRX
</ns1:transactionId>
<ns1:userName>user</ns1:userName>
<ns1:userStatus>VERIFIED</ns1:userStatus>
<ns1:userType>PERSISTENT</ns1:userType>
</ns1:identificationData>
<ns1:messageHeader>
<ns1:apiType>DIRECT_SOAP_API</ns1:apiType>
<ns1:requestType>ANALYZE</ns1:requestType>
<ns1:timeStamp>2012-08-22T15:24:24.928Z</ns1:timeStamp>
<ns1:version>7.0</ns1:version>
</ns1:messageHeader>
<ns1:statusHeader>
<ns1:reasonCode>0</ns1:reasonCode>
<ns1:reasonDescription>Operations were completed
successfully</ns1:reasonDescription>
<ns1:statusCode>200</ns1:statusCode>
</ns1:statusHeader>
<ns1:requiredCredentialList>
<ns1:requiredCredential>
<ns1:credentialType>USER_DEFINED</ns1:credentialType>
<ns1:genericCredentialType>OTP</ns1:genericCredentialType>
<ns1:groupName>DEFAULT</ns1:groupName>
<ns1:preference>0</ns1:preference>
<ns1:required>true</ns1:required>
</ns1:requiredCredential>
</ns1:requiredCredentialList>
<ns1:riskResult>
<ns1:riskScore>5</ns1:riskScore>
<ns1:riskScoreBand>SCORE_BAND_0</ns1:riskScoreBand>
<ns1:triggeredRule>
<ns1:actionCode>CHALLENGE</ns1:actionCode>
<ns1:actionName>HighEfnScore</ns1:actionName>
<ns1:actionType>STRICT</ns1:actionType>
<ns1:clientFactList/>
<ns1:ruleId>HighEfnScore</ns1:ruleId>
<ns1:ruleName>HighEfnScore</ns1:ruleName>
</ns1:triggeredRule>
</ns1:riskResult>
</ns1:analyzeReturn>
</ns1:analyzeResponse>
</soapenv:Body>
</soapenv:Envelope>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:ws="http://ws.csd.rsa.com">
<soapenv:Header/>
<soapenv:Body>
<ws:analyze>
<ws:request>
<ws:deviceRequest>
<ws:devicePrint><![CDATA[version=&pm_fpua=mozilla/4.0
(compatible; msie 6.0; windows nt 5.1; sv1; .net clr 1.1.4322;
infopath.1)|4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET
CLR 1.1.4322; InfoPath.1)|Win32|;SP2;|x86|en-us| 8831&
pm_fpsc=32|1280|1024|996&pm_fpsw=abk=6,0,2600,0|
wnt=6,0,2900,2180|dht=5,5000,3130,0|dhj=6,0,1,223|
dan=6,0,3,531|dsh=10,0,0,3646|ie5=6,0,2900,2180|
icw=5,0,2918,1900|ieh=6,0,2900,2180|iee=4,74,9273,0|
wmp=10,0,0,3646|obp=6,0,2900,2180|oex=6,0,2900,2180|
net=4,4,0,3400|tks=4,71,1968,1|mvm=5,0,3805,0&
pm_fptz=-7&pm_fpln=lang=en-us|syslang=en-us|
userlang=en-us&pm_fpjv=1&pm_fpco=1]]>
</ws:devicePrint>
<ws:ipAddress>11.224.14.15</ws:ipAddress>
</ws:deviceRequest>
<ws:identificationData>
<ws:orgName>org</ws:orgName>
<ws:userName>user</ws:userName>
<ws:userStatus>VERIFIED</ws:userStatus>
<ws:userType>PERSISTENT</ws:userType>
</ws:identificationData>
<ws:messageHeader>
<ws:apiType>DIRECT_SOAP_API</ws:apiType>
<ws:requestType>ANALYZE</ws:requestType>
<ws:version>7.0</ws:version>
</ws:messageHeader>
<ws:securityHeader>
<ws:callerCredential>password</ws:callerCredential>
<ws:callerId>callerId</ws:callerId>
<ws:method>PASSWORD</ws:method>
</ws:securityHeader>
<ws:autoCreateUserFlag>false</ws:autoCreateUserFlag>
<ws:eventDataList>
<ws:eventData>
<ws:eventType>SESSION_SIGNIN</ws:eventType>
</ws:eventData>
</ws:eventDataList>
<ws:runRiskType>ALL</ws:runRiskType>
</ws:request>
</ws:analyze>
</soapenv:Body>
</soapenv:Envelope>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Body>
<ns1:analyzeResponse xmlns:ns1="http://ws.csd.rsa.com">
<ns1:analyzeReturn xsi:type="ns1:AnalyzeResponse"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<ns1:deviceResult>
<ns1:authenticationResult>
<ns1:authStatusCode>FAIL</ns1:authStatusCode>
<ns1:risk>0</ns1:risk>
</ns1:authenticationResult>
<ns1:callStatus>
<ns1:statusCode>SUCCESS</ns1:statusCode>
<ns1:statusDescription/>
</ns1:callStatus>
<ns1:deviceData>
<ns1:bindingType>NONE</ns1:bindingType>
<ns1:deviceTokenCookie>PMV602kFUUIt2OSwKe6VUKh2suovadSSIg%
2BROPI5Xxuf2TxDj2Q3E2yKFlrcu8SM7FbtF7</ns1:deviceTokenCookie>
<ns1:deviceTokenFSO>PMV602kFUUIt2OSwKe6VUKh2suovadSSIg%
2BROPI5Xxuf2TxDj2Q3E2yKFlrcu8SM7FbtF7</ns1:deviceTokenFSO>
</ns1:deviceData>
</ns1:deviceResult>
<ns1:identificationData>
<ns1:delegated>false</ns1:delegated>
<ns1:groupName/>
<ns1:orgName>org</ns1:orgName>
<ns1:sessionId>7c953c87:1393f37177c:-7fd4</ns1:sessionId>
<ns1:transactionId>3df7-:c77173f3931:78c359c7_TRX</ns1:transactionId>
<ns1:userName>user</ns1:userName>
<ns1:userStatus>VERIFIED</ns1:userStatus>
<ns1:userType>PERSISTENT</ns1:userType>
</ns1:identificationData>
<ns1:messageHeader>
<ns1:apiType>DIRECT_SOAP_API</ns1:apiType>
<ns1:requestType>ANALYZE</ns1:requestType>
<ns1:timeStamp>2012-08-19T15:25:37.805Z</ns1:timeStamp>
<ns1:version>7.0</ns1:version>
</ns1:messageHeader>
<ns1:statusHeader>
<ns1:reasonCode>0</ns1:reasonCode>
<ns1:reasonDescription>Operations were completed
successfully</ns1:reasonDescription>
<ns1:statusCode>200</ns1:statusCode>
</ns1:statusHeader>
<ns1:requiredCredentialList>
<ns1:requiredCredential>
<ns1:credentialType>QUESTION</ns1:credentialType>
<ns1:groupName>DEFAULT</ns1:groupName>
<ns1:preference>0</ns1:preference>
<ns1:required>true</ns1:required>
</ns1:requiredCredential>
</ns1:requiredCredentialList>
<ns1:riskResult>
<ns1:riskScore>19</ns1:riskScore>
<ns1:riskScoreBand>SCORE_BAND_0</ns1:riskScoreBand>
<ns1:triggeredRule>
<ns1:actionCode>CHALLENGE</ns1:actionCode>
<ns1:actionName>AuthDevNotBound</ns1:actionName>
<ns1:actionType>STRICT</ns1:actionType>
<ns1:clientFactList/>
<ns1:ruleId>AuthDevNotBound</ns1:ruleId>
<ns1:ruleName>AuthDevNotBound</ns1:ruleName>
</ns1:triggeredRule>
</ns1:riskResult>
</ns1:analyzeReturn>
</ns1:analyzeResponse>
</soapenv:Body>
</soapenv:Envelope>
Note: The following SOAP message sample uses the KBA authentication method.
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Body>
<ws:query xmlns:ws="http://ws.csd.rsa.com">
<ws:request>
<ws:identificationData>
<ws:userName>user</ws:userName>
<ws:userStatus>VERIFIED</ws:userStatus>
<ws:userType>PERSISTENT</ws:userType>
</ws:identificationData>
<ws:messageHeader>
<ws:apiType>DIRECT_SOAP_API</ws:apiType>
<ws:requestType>QUERY</ws:requestType>
<ws:version>7.0</ws:version>
</ws:messageHeader>
<ws:securityHeader>
<ws:callerCredential>password</ws:callerCredential>
<ws:callerId>callerId</ws:callerId>
<ws:method>PASSWORD</ws:method>
</ws:securityHeader>
<ws:credentialManagementRequestList>
<ws:acspManagementRequestData>
<ws:credentialProvisioningStatus>ACTIVE
</ws:credentialProvisioningStatus>
<ws:payload xsi:type="ns425:KBAManagementRequest"
xmlns:ns425="http://ws.kba.csd.rsa.com"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<ns425:action>GET</ns425:action>
</ws:payload>
</ws:acspManagementRequestData>
</ws:credentialManagementRequestList>
</ws:request>
</ws:query>
</soapenv:Body>
</soapenv:Envelope>
Note: The following SOAP message sample uses the KBA authentication method.
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Body>
<ns1:queryResponse xmlns:ns1="http://ws.csd.rsa.com">
<ns1:queryReturn xsi:type="ns1:QueryResponse"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<ns1:identificationData>
<ns1:delegated>false</ns1:delegated>
<ns1:transactionId>c966-:769c1456931:a09cccb4_TRX</ns1:transactionId>
<ns1:userName>user</ns1:userName>
<ns1:userStatus>VERIFIED</ns1:userStatus>
<ns1:userType>PERSISTENT</ns1:userType>
</ns1:identificationData>
<ns1:messageHeader>
<ns1:apiType>DIRECT_SOAP_API</ns1:apiType>
<ns1:requestType>QUERY</ns1:requestType>
<ns1:timeStamp>2012-08-27T07:52:23.309Z</ns1:timeStamp>
<ns1:version>7.0</ns1:version>
</ns1:messageHeader>
<ns1:statusHeader>
<ns1:reasonCode>0</ns1:reasonCode>
<ns1:reasonDescription>Operations were completed
successfully</ns1:reasonDescription>
<ns1:statusCode>200</ns1:statusCode>
</ns1:statusHeader>
<ns1:credentialManagementResponseList
xsi:type="ns1:CredentialManagementResponseList">
<ns1:acspManagementResponseData>
<ns1:acspAccountId>user</ns1:acspAccountId>
<ns1:callStatus>
<ns1:statusCode>SUCCESS</ns1:statusCode>
<ns1:statusDescription/>
</ns1:callStatus>
<ns1:payload xsi:type="ns2:KBAManagementResponse"
xmlns:ns2="http://ws.kba.csd.rsa.com">
<ns2:personInfo>
<ns2:ssnInfo>
<ns2:ssnType>NOSSN</ns2:ssnType>
</ns2:ssnInfo>
<ns2:nameInfo>
<ns2:firstName>****</ns2:firstName>
<ns2:lastName>*******</ns2:lastName>
</ns2:nameInfo>
<ns2:addressInfo>
<ns2:street>**************</ns2:street>
<ns2:town>*******</ns2:town>
<ns2:postCode>*******</ns2:postCode>
</ns2:addressInfo>
<ns2:birthdayInfo>
<ns2:day>**</ns2:day>
<ns2:month>**</ns2:month>
<ns2:year>****</ns2:year>
</ns2:birthdayInfo>
</ns2:personInfo>
</ns1:payload>
</ns1:acspManagementResponseData>
</ns1:credentialManagementResponseList>
</ns1:queryReturn>
</ns1:queryResponse>
</soapenv:Body>
</soapenv:Envelope>