Challenge logins from new country or device

Make sure your user accounts are as secure as possible.

As a part of the measures for protecting your users against account takeovers, you can choose to activate step-up authentication, whenever the user shows behavior outside normal. Step-up verification can be anything that requires the user to prove that they own the account, like e.g. multi-factor authentication or a simple E-mail verification.

In this guide you will set up Castle to return a challenge response whenever a user logs in from a new country or device. Once the user has passed the extra verification, they will be added to an allow list to prevent from being challenged repeatedly.


Adjust what is suspicious for your business

In this tutorial you will learn how to set up policies to challenge users logging in from a new device or from a new country. However this is only an example: we encourage you to adjust the policy to challenge user to the needs of your business.

Overview of the challenge flow we'll set up at login

Overview of the challenge flow at login

Step 1. Create required lists

First, head over to the lists management page and create two new lists that will hold challenged and trusted devices of a user:

List NamePrimary EntitySecondary EntityAuto-archivation time
Challenged DevicesUser IDDevice Fingerprint
Trusted User DevicesUser IDDevice Fingerprint20160 minutes (14 days)

From the Trusted User Devices list, we'll set the default auto-archivation to 14 days (14 Γ— 24 Γ— 60 = 20160 minutes), but depending on your requirements you may choose to shorten/increase this.

Step 2. Create the policies

Now configure four new policies from the policies page. The order of policies matters, so make sure to reorder them properly if needed:

Event name: Login Succeeded

OrderPolicy NameTriggerActions
1Allow trusted device loginsList matches Trusted User Devices- Return allow action
2Challenge devices in listList matches Challenged Devices- Return challenge action
3Challenge new device or countrySignals is one of new_device, new_country- Add to list Challenged Devices
- Return challenge action

Event name: Challenge Succeeded

OrderPolicy NameTriggerActions
1Trust device on challengeNo condition- Add to list Trusted User Devices
- Remove from list Challenged Devices
- Return allow action


Enable your new policies

After creating policies you need to remember to enable them. Otherwise your new flow will not work.


Your app just became more secure while lowering the user friction to the required minimum!