New Country vs. Changed Country, what's the difference?

As of the Curity Identity Server 5.1 release it is possible to leverage geolocation in actions, authenticator filters, and authenticator restrictions.

This article specifically outline what the difference between the New Country and Changed Country actions are.

General concepts of geolocation in Curity

The Curity Identity Server uses an internal database for geolocation data. No remote/external call is made from the server in order to determine the location data.

The geolocation data determined based on the client's IP address is not accurate enough to identify or pinpoint an individual user. Its purpose, specifically related to the two actions discussed in this article, is to determine the country the client request originates from. In some other configurations, the longitude/latitude is used to calculate how fast a user has been traveling in an Impossible Journey scenario.

When the Curity Identity Server is behind a reverse proxy, as it will be in most cases. The X-Forwarded-For header will be used since the direct IP address will be the one of the proxy and not the actual client. In those cases the proxy also needs to be white-listed in the Curity Identity Server in order for the proxy to be trusted and to avoid potential IP spoofing.

New Country

The New Country action is very simple to configure and only needs a Bucket to store data and an attribute name defined. The attribute is a boolean subject attribute that will be set based on the result of the geolocation.

If the attribute is not set the outcome will be that the user is in a new country and the boolean value will be set to True. This in its turn can be used by other chained actions and for example trigger the user to perform additional verifications such as MFA. As long as the user keeps logging in from the same country the boolean value will not be set to true and thus would not trigger a potential subsequent action. The value will now only change to True when the user logs in from a new country compare to any of the previous countries. This means that every time a new country is detected an action can be taken to perform a stronger verification of the user. If the user would authentication from any of the previous countries the boolean value will remain False.

Example scenario

An example here could be a user that works out of Belgium and authenticates there on a day-to-day basis. The user makes a business trip to Germany and authenticates while in Germany. This will trigger the New Country action attribute to be set to True and trigger MFA for the user. If the user then goes back home to Belgium no additional MFA is needed. If the user then travels to Denmark the attribute is again set to True and MFA triggered. When the user then travels to Belgium or Germany (or Denmark again) no additional MFA would be needed as the previous countries will be remembered.

Changed Country

Similar to the New Country action, the Changed Country actions is very simple to configure and uses the same configuration options. It needs a Bucket to store data and an attribute name for a boolean subject attribute.

In the case of the Changed Country action the boolean value will be set to True every time the user authenticates from a new country. This means that previous geolocations will be ignored and as long as the country is different from the previous country the value will be True.

Example scenario

In the example outlined above the difference would be that every time the user travels to a new country MFA would be triggered. The first trip to Germany would trigger MFA just like the New Country action. But the trip back to Belgium would also trigger MFA in our scenario when the Changed Country action is used. So would the trip to Denmark and the trip back to Germany.

Conclusion

The New Country and Changed Country actions are two new powerful tools that can be leveraged to make smarter decisions around when to take certain actions in for example verifying that the user says who they are. The two actions are very similar but with the distinct difference that the Changed Country does not "remember" previous countries visited and will trigger a boolean value to be set to True every time a user authenticates from a new country.