Risk Assessment

Risk-assessment integrations, most prominently BankID, adjust authentication outcomes based on signals about the calling device: which operating system version, which app, and which device model. The Curity Identity Server forwards those signals to the assessment service when a flow is at risk of fraud or coercion, allowing the service to require step-up authentication or to deny the request entirely.

How It Works

The mobile SDK does not produce a risk score itself. Instead, it gathers the device-context fields the assessment service expects and attaches them to outgoing HAAPI requests. The server then proxies the relevant fields to the configured risk-assessment provider during steps that require them.

Required context typically includes:

  • Operating system name (for example, iOS, Android)
  • Operating system version
  • Device model name
  • The app’s bundle or package identifier

The SDK collects these once at startup and persists them so the values remain stable across the flow.

Configuration

The client provides a RiskAssessmentConfiguration to the HAAPI configuration builder. Because some fields are read from UIKit-isolated APIs on iOS or from Android system properties, the configuration is instantiated on the main thread early in the app lifecycle: typically in the AppDelegate or the @main struct on iOS, and in Application.onCreate on Android.
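As an added illustration (not code from the Curity SDK or its documentation), the Android side of the lifecycle requirement: the four context fields listed above are read once in Application.onCreate, on the main thread, and handed to the configuration. The class name RiskAssessmentConfiguration comes from this page, but its constructor parameters and the commented-out builder call are assumptions, not the SDK's real signatures.

```kotlin
import android.app.Application
import android.os.Build
import android.os.Looper

// Constructor shape is an assumption for illustration only; the real SDK class
// RiskAssessmentConfiguration is named on the page but its parameters are not.
data class RiskAssessmentConfiguration(
    val osName: String,
    val osVersion: String,
    val deviceModel: String,
    val packageId: String,
)

class RiskAwareApp : Application() {

    lateinit var riskConfig: RiskAssessmentConfiguration
        private set

    override fun onCreate() {
        super.onCreate()
        // Collected once, here, so the same values accompany every HAAPI request
        // for the rest of the flow instead of being re-read per request.
        riskConfig = collectDeviceContext()
        // Hypothetical call standing in for the SDK's HAAPI configuration builder:
        // HaapiConfiguration.Builder(...).riskAssessment(riskConfig).build()
    }

    private fun collectDeviceContext(): RiskAssessmentConfiguration {
        // System properties are read on the main thread early in the lifecycle,
        // which is where the page says the configuration is instantiated.
        check(Looper.myLooper() == Looper.getMainLooper()) {
            "RiskAssessmentConfiguration must be created on the main thread"
        }
        return RiskAssessmentConfiguration(
            osName = "Android",
            osVersion = Build.VERSION.RELEASE,  // OS version string, e.g. "14" (constructed sample)
            deviceModel = Build.MODEL,           // device model name reported by the OS
            packageId = packageName,             // the app's package identifier
        )
    }
}
```

Register the class with android:name in AndroidManifest.xml so onCreate runs before any activity starts a HAAPI flow.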

For deeper detail on the collected fields and how the assessment service consumes them, see the official BankID Relying Party Guidelines for version 6.

Server support for risk-assessment integration requires the Curity Identity Server version 9.7.0 or later. On Android, set android:allowBackup="true" (the default) in AndroidManifest.xml so persisted device context survives backup-and-restore.
