Transaction Correlation
The IBM Verify application supports transaction correlation to help prevent fatigue attacks. To approve a transaction, users must provide a correlation value from the transaction initiation to the IBM Verify application.
There are two ways to enable transaction correlation:
- Update the extras map using a mapping rule. Set the correlationEnabled property to true in the extras map, which is passed to the mobile multi-factor authenticator mechanism during initiation. The extras map is set in the infomap mapping rule authentication (started in the authentication policy before the mobile multi-factor authenticator is initiated). For example:
      context.set(Scope.SESSION, "urn:ibm:security:asf:mmfa", "extras", '{"correlationEnabled": "true", "type": "transaction"}');
  You can also set the correlation value in the extras map. For example:
      context.set(Scope.SESSION, "urn:ibm:security:asf:mmfa", "extras", '{"correlationEnabled": "true", "correlationValue":"' + generateRandomCode() + '", "type": "transaction"}');
  Where generateRandomCode() is a JavaScript function within the infomap that generates a random correlation value.
- Set the values in the mobile multi-factor authenticator policy step. Update the mobile multi-factor authenticator initiate mode policy step properties.
  - Set the correlationEnabled property to true.
  - Optionally, set the correlationValue to the preferred value. This value can be a session attribute set in a previous mapping rule.
Note: If both methods for correlation enablement or correlation value have been used, the mobile multi-factor authenticator policy step method will take precedence.
Note: The correlationValue entry must be a string. It must contain only alphanumeric characters with a length between 2 and 128.
Note: If correlation is enabled but the correlation value is not provided, a two-digit correlation value is automatically generated from the transaction ID and displayed to the user.
Note: The correlationValue parameter allows you to configure the character set and entropy (length and randomness) of the correlation value as required.
The automatically generated correlation value is always two digits and is derived from the transaction ID.
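One way to write the generateRandomCode() helper and build the extras string so that the value always meets the 2 to 128 alphanumeric rule, as an added example that is not IBM's code. It is written for Node.js so that it runs stand-alone; isValidCorrelationValue, buildExtras, entropyBits and the default length of 6 are hypothetical, and the random source available inside an infomap mapping rule may differ.

```javascript
// Added example, not IBM code. Written for Node.js: randomInt() is Node's CSPRNG
// helper; the random source inside an infomap mapping rule is not assumed here.
const { randomInt } = require("crypto");

const ALPHANUMERIC =
  "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";

// Documented rule: a string of only alphanumeric characters, length 2 to 128.
function isValidCorrelationValue(value) {
  return typeof value === "string" && /^[A-Za-z0-9]{2,128}$/.test(value);
}

// Hypothetical body for the generateRandomCode() helper the page mentions.
// randomInt() picks each index uniformly, so there is no modulo bias.
function generateRandomCode(length = 6) {
  if (!Number.isInteger(length) || length < 2 || length > 128) {
    throw new RangeError("length must be an integer between 2 and 128");
  }
  let code = "";
  for (let i = 0; i < length; i++) {
    code += ALPHANUMERIC[randomInt(ALPHANUMERIC.length)];
  }
  return code;
}

// Upper bound on entropy in bits for a uniformly random value. The automatic
// two-digit value has at most entropyBits(2, 10) bits.
function entropyBits(length, alphabetSize = ALPHANUMERIC.length) {
  return length * Math.log2(alphabetSize);
}

// Build the extras JSON with JSON.stringify rather than string concatenation,
// and reject a correlationValue that breaks the documented constraint.
function buildExtras(correlationValue) {
  const extras = { correlationEnabled: "true", type: "transaction" };
  if (correlationValue !== undefined) {
    if (!isValidCorrelationValue(correlationValue)) {
      throw new TypeError("correlationValue must be 2-128 alphanumeric characters");
    }
    extras.correlationValue = correlationValue;
  }
  return JSON.stringify(extras);
}

// Constructed sample run: print one extras string and the entropy comparison.
const sampleExtras = buildExtras(generateRandomCode());
console.log(sampleExtras, entropyBits(6).toFixed(1), entropyBits(2, 10).toFixed(1));
```

In the mapping rule, the string returned by buildExtras() takes the place of the hand-built JSON passed as the last argument to context.set(Scope.SESSION, "urn:ibm:security:asf:mmfa", "extras", ...).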
When correlation is enabled, the following changes in the transaction approval flow occur:
- The transaction wait page, login_wait.html, displays the correlation value to the user.
- The extras map is sent to the IBM Verify application during transaction pull or push. This action requires the user to enter the correlation value for verification after selecting the transaction approve button.