000036124 - Questions and answers about the fact 'IP Location is Diff from Usual' in RSA Adaptive Authentication (OnPrem) 7.x

Document created by RSA Customer Support Employee on Jul 19, 2018
Version 1

Article Content

Article Number: 000036124
Applies To: RSA Product Set: Adaptive Authentication (OnPrem)
RSA Product/Service Type: Adaptive Authentication (OnPrem)
RSA Version/Condition: 7.x
Resolution: The customer used the fact "IP Location is different from usual" in a Policy Management rule. They want to make sure the user is coming from the usual IP address.

They had the following questions:

Q1) Is there a way to accomplish this functionality not using the location?  Another rule or fact that can achieve the same results?
There is no other fact that works similarly to "IP Location is Diff from Usual". A device is a more powerful entity than a location. If you want to check whether a device has moved to a new location, you can use a combination of facts to achieve this.

Q2) A user was logging in from the same IP address but had their IP City changed from “London” to “Islington”.  Is this because the user physically moved? Did the GeoIP file give a more precise location for where the user always logged in from? If the GeoIP file resulted in a more accurate location, and it caused the location to be considered “new”, then is it true that every time we update the GeoIP file a subset of users would be impacted with false positives and subject to challenge for a new location?
In this case the location became more accurate when the GeoIP file was updated. The recommendation is to update the GeoIP file every month.

Q3) We are concerned that each time we update the GeoIP file, a subset of our users would be challenged for false positives since MaxMind information could change their IP Region/IP City even though their location didn’t change.
GeoIP depends on MaxMind data, so we cannot claim that the location will not change.

Q4) A user was logging in from city A from August 2017 to December 2017, then logged in from city B from December 2017 to January 2017.  How long does it take for an IP City or location to be considered “usual”?  What is the concept of usual?
An IP becomes usual once it has been hit (processed) more often than any other IP. The count increases only for successful authentication calls and user update calls. The previous IP was hit from August to December, while the new IP was hit for only a month, so it is very likely that it has not become usual yet.

The “IP Location is Diff from Usual” fact specifies whether the geographic location of the incoming IP address is different from the geographic location of the IP address that the end user most commonly uses.
In AA we maintain the most commonly used (that is, the “usual”) IP location for an end user, and if the location in a transaction differs from the usual one, the rule is triggered. We maintain counts of the IP locations used by an end user, and the IP location with the maximum count becomes the usual IP location for that user. So whenever a new IP address comes in, the rule will definitely be triggered, because it differs from the usual one until this new IP becomes the usual (most commonly used) one. This does not mean the rule is triggered only for new locations: it can be triggered for any location whose number of uses is lower than that of the usual IP location (the most commonly used one).

There is no step-up challenge to speed up trusting a new location.
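
The counting behaviour described in this answer, and the GeoIP relabelling effect raised in Q2 and Q3, modelled as a short Python simulation. This is an added illustration, not RSA Adaptive Authentication code; the class, function and event names, the tie-breaking rule, the no-history behaviour and the sample data are all assumptions.

```python
from collections import Counter

COUNTED = {"auth_success", "user_update"}  # only these calls raise the count

class UsualLocation:
    """Toy per-user model of the counting described above (not RSA code)."""

    def __init__(self):
        self.counts = Counter()  # location label -> counted events

    def usual(self):
        # Location with the maximum count; on a tie the earlier-seen one stays
        # usual (assumption, matching "more than any other").
        return max(self.counts, key=self.counts.get) if self.counts else None

    def diff_from_usual(self, location):
        # Assumption: with no history there is nothing to differ from.
        usual = self.usual()
        return usual is not None and location != usual

    def observe(self, location, event):
        """Evaluate the fact for this event, then count the event if eligible."""
        fired = self.diff_from_usual(location)
        if event in COUNTED:
            self.counts[location] += 1
        return fired

def flagged(model, location, n, event="auth_success"):
    """Feed n events from one location; return how many fired the fact."""
    return sum(model.observe(location, event) for _ in range(n))

def city_move():
    # Constructed data: 20 counted logins from city A, then 25 from city B.
    m = UsualLocation()
    flagged(m, "City A", 20)
    return flagged(m, "City B", 25), m.usual()

def geoip_relabel():
    # Constructed data: same IP, but a GeoIP update changes its city label.
    m = UsualLocation()
    flagged(m, "London", 30)
    return m.observe("Islington", "auth_success"), m.usual()

if __name__ == "__main__":
    print(city_move())      # B fires until its count exceeds A's
    print(geoip_relabel())  # relabelled city fires although the IP is unchanged
```

In this model the history is keyed on the location label, so a relabelled city starts from a count of zero even though the user and IP address are unchanged.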

Q5) Where are longitude and latitude captured?
Currently, we are not saving latitude and longitude.