Ex: Use Twosense Security Events to Trigger Real-Time Adaptive Authentication

Automatically step authentication up or down as risk changes, keeping protection aligned with real-time risks

Overview

Goal: Use Twosense as a Shared Signals Framework (SSF) transmitter so ITDR can receive risk-level security events, update a High Risk Users list, and trigger real-time adaptive authentication in Advanced Passwordless Authentication (APA).

In this example, Twosense detects that the person using an account may no longer be the expected user.

  1. Twosense sends a Security Event Token (SET) to ITDR indicating that the user’s risk level changed to high.
  2. ITDR uses a monitor to add the user to a High Risk Users list.
  3. The APA Default rule set uses that list to step up authentication on the user’s next authentication event.
  4. If the user successfully completes step-up authentication, they can continue, but they remain on the High Risk Users list.
  5. When Twosense later detects that the user’s behavior has returned to normal, it sends a low-risk SET to ITDR.
  6. ITDR uses a second monitor to remove the user from the High Risk Users list, returning the user to the standard authentication flow on future authentication events.

This example assumes Twosense is configured as an SSF transmitter and ITDR is configured to receive Security Event Tokens.

Before You Begin

You need:

  • An APA license, which includes an ITDR tenant
  • A Twosense license that can send SETs
  • Permission to configure SSF transmitters
  • Permission to create lists, monitors, and rule set changes in ITDR
  • An APA Default rule set. Three versions (Strict, Moderate, or Permissive) are automatically created when an ITDR tenant is provisioned for APA

Step 1: Configure Twosense as an SSF Transmitter

Configure Twosense to send security events to ITDR.

Twosense acts as the transmitter. ITDR acts as the receiver. Once configured, Twosense can send supported CAEP events, such as a Risk Level Change, into ITDR.

To configure the transmitter:

  1. Log in to itdr.imprivata.com.
  2. Click the Account icon in the top-right corner.
  3. Select Settings.
  4. Scroll down to the Shared Signal Framework section.
  5. Click Add on the SSF Transmitter card.
  6. Enter the required configuration details:
    1. Source Name: Twosense
    2. Issuer URL: https://ssf-beta.twosense.ai/.well-known/ssf-configuration
    3. Bearer Token: Copy this from your Twosense instance.
  7. Click Test Configuration to confirm that ITDR can connect to the transmitter.
  8. If the test is successful, click Save.

After the transmitter is configured, Twosense can send SETs to ITDR when supported security events occur.

After the transmitter is saved, ITDR displays the transmitter in the Shared Signals Framework section with a stream status.

The stream status indicates whether the transmitter is currently connected and available. For example:

  • Active: The stream is connected and available.
  • Error: The stream could not be created or verified. Review the error message, confirm the issuer URL and bearer token, and try again.

You can also click Verify Stream to re-check the connection. ITDR displays the last verified timestamp so you can see when the stream was most recently validated.

Twosense transmitter showing Active status

Twosense transmitter showing Error status

Once the transmitter is active, Twosense can send Security Event Tokens (SETs) to ITDR when supported security events occur.

Step 2: Create a "High Risk Users" List

Create an empty list that ITDR will automatically update with high-risk users.

Your APA Default rule set will reference this list to determine when a user should receive stepped-up authentication. Your security team can also use the list to investigate suspicious activity further if needed.

To create the list in ITDR:

  1. Go to Lists.
  2. Click the orange + button.
  3. Name the list High Risk Users.
  4. Add a short description, such as: Tracks users automatically added by ITDR when third-party risk signals indicate elevated risk.
  5. Click Save.

This list starts empty. It will be updated automatically by monitors in a later step.

Step 3: Add a Rule to the APA Default Rule Set to Step Up Authentication for High-Risk Users

Add a rule to your APA Default rule set that checks whether the user is on the High Risk Users list.

When a user is on the list, the APA Default rule set can apply a higher-risk outcome and require a stronger authentication method on the next authentication event.

To configure the rule:

  1. Go to Rule Sets.
  2. Open the APA Default rule set you want to update, such as APA Default (Moderate).
  3. Edit the Active version.
  4. Add a new rule.
    1. Define the condition:
      1. Filter: Lists
      2. Operator: Is
      3. Value: High Risk Users
    2. Select the API response outcome:
      1. Outcome: HIGH
    3. Click Done.
  5. Move this rule above any existing rules with an API response outcome of "MEDIUM" or "LOW".
  6. Click Save on the Active version of the rule set.
⚠️ Rules are evaluated in order. Place the High Risk Users rule above lower-risk rules so users on the list receive the HIGH outcome. Otherwise, a high-risk user may match a lower-risk rule first and receive a MEDIUM or LOW outcome instead.

Result: When a user is on the High Risk Users list, the next authentication event uses the High outcome. The user is prompted to complete the step-up authentication method configured for that outcome in EAM.

Step 4: Create Monitors to Automatically Update the High Risk Users List

Create two (2) monitors to keep the High Risk Users list aligned with Twosense risk changes.

  1. The first monitor adds users to the list when Twosense sends a high-risk SET.
  2. The second monitor removes users from the list when Twosense sends a SET indicating that the user’s risk level returned to low. Successful step-up authentication alone does not remove the user from the list.

Monitor 1: Add users to the High Risk Users list when risk increases

Create a monitor that detects when Twosense sends a high-risk SET.

In this example, Twosense detects that a user’s risk has changed to high and sends the following CAEP event to ITDR:

set.caep.risk-level-change.currentLevel = "high"

To configure the monitor:

  1. Go to Monitors.
  2. Click the orange + button.
  3. Name the monitor, such as Twosense: Add flagged users to High Risk Users list.
  4. Define the condition:
    1. Filter: Event Type
    2. Operator: Is
    3. Event Type: SSF_SECURITY_EVENT
       AND
    4. Filter: set.caep.risk-level-change.currentLevel
    5. Operator: Is
    6. Value: high
  5. Add an action:
    1. Action: Add to List
    2. List: High Risk Users
    3. List Items: Account ID (or Email)
    4. Expires: Never
  6. Click Save.

Result: When Twosense sends a high-risk SET, ITDR automatically adds the user’s Account ID to the High Risk Users list. On the next authentication event, the APA rule set sees that the user is on the list and prompts the user to complete step-up authentication.

Monitor 2: Remove users from the list when Twosense risk returns to low

Create a second monitor that removes users from the High Risk Users list when Twosense sends a SET indicating that the user’s behavior has returned to normal and their risk level is now low.

Successful step-up authentication does not trigger a low-risk SET from Twosense. Twosense sends a low-risk SET only when it determines that the user’s behavior has returned to normal.

In this example, the low-risk CAEP event received by ITDR is:

set.caep.risk-level-change.currentLevel = "low"

To configure the monitor:

  1. Go to Monitors.
  2. Click the orange + button.
  3. Name the monitor, such as Twosense: Remove low-risk users from High Risk Users list.
  4. Define the condition:
    1. Filter: Event Type
    2. Operator: Is
    3. Event Type: SSF_SECURITY_EVENT
       AND
    4. Filter: set.caep.risk-level-change.currentLevel
    5. Operator: Is
    6. Value: low
  5. Add an action:
    1. Action: Remove from List
    2. List: High Risk Users
    3. List Items: Account ID (or Email)
  6. Click Save.

Result: When Twosense sends a low-risk SET, ITDR automatically removes the user’s Account ID from the High Risk Users list. On the next authentication event, the user is no longer evaluated as high risk and returns to the standard authentication method associated with the lower-risk outcome.

Result: Adaptive Authentication Based on Twosense Security Event Tokens

With this configuration:

  • Twosense detects when a user’s risk changes.
  • Twosense sends the risk change to ITDR as a Security Event Token.
  • ITDR uses monitors to automatically add or remove the user from the High Risk Users list based on Twosense risk-level changes.
  • The APA Default rule set checks whether the user is on the High Risk Users list.
  • When the user is on the list, the APA Default rule set applies the High outcome and prompts the user for step-up authentication on the next authentication event.
  • If the user successfully completes step-up authentication, they can continue, but they remain on the High Risk Users list until Twosense determines their behavior has returned to normal.
  • When Twosense sends a low-risk SET, ITDR removes the user from the High Risk Users list.
  • On future authentication events, the user returns to the standard authentication method associated with the lower-risk outcome.
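The flow above, modeled locally as an added example (not Imprivata or Twosense code): two monitors maintain the High Risk Users list and an ordered, first-match rule set picks the outcome, replayed once with the High Risk Users rule placed correctly and once placed below a broader MEDIUM rule. The `eventType` and `accountId` keys, the `user-123` account, the catch-all MEDIUM rule, and the LOW fallback are assumptions made for the illustration.

```python
# Added illustration: a local model of the flow, not ITDR or Twosense code.
# "eventType" and "accountId" are hypothetical key names; LEVEL is the filter shown on this page.
LEVEL = "set.caep.risk-level-change.currentLevel"
HIGH_RISK_LIST = "High Risk Users"

def run_monitors(event, lists):
    """Monitor 1 adds on "high", Monitor 2 removes on "low"; other events are ignored."""
    account = event.get("accountId")
    if event.get("eventType") != "SSF_SECURITY_EVENT" or not account:
        return
    members = lists.setdefault(HIGH_RISK_LIST, set())
    if event.get(LEVEL) == "high":
        members.add(account)        # Add to List, Expires: Never
    elif event.get(LEVEL) == "low":
        members.discard(account)    # Remove from List

def evaluate(rules, account_id, lists):
    """Rules are evaluated in order; the first matching rule sets the outcome."""
    for condition, outcome in rules:
        if condition(account_id, lists):
            return outcome
    return "LOW"  # assumed fallback when no rule matches

def on_list(account_id, lists):
    return account_id in lists.get(HIGH_RISK_LIST, set())

def always(account_id, lists):
    return True  # stands in for an existing broad MEDIUM rule (constructed)

CORRECT_ORDER = [(on_list, "HIGH"), (always, "MEDIUM")]
WRONG_ORDER = [(always, "MEDIUM"), (on_list, "HIGH")]

def simulate(rules):
    """Replay a constructed event sequence; return the outcome of each login."""
    lists, user, outcomes = {}, "user-123", []
    sequence = [
        {"eventType": "SSF_SECURITY_EVENT", LEVEL: "high", "accountId": user},
        "login",  # step-up is required here
        "login",  # still on the list after a successful step-up
        {"eventType": "SSF_SECURITY_EVENT", LEVEL: "low", "accountId": user},
        "login",  # back to the standard flow
    ]
    for item in sequence:
        if item == "login":
            outcomes.append(evaluate(rules, user, lists))
        else:
            run_monitors(item, lists)
    return outcomes

print(simulate(CORRECT_ORDER), simulate(WRONG_ORDER))
```

With the rule misplaced, every login in the replay returns MEDIUM even while the account is on the list, which is the silent failure the ordering warning in Step 3 describes.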

SET was received by ITDR as set.caep.risk-level-change.currentLevel = "high" for [email protected]

Subsequently, the Account ID = "[email protected]" was added to the High Risk Users list

🚀 Why This Matters: This configuration allows security teams to combine Twosense risk signals with ITDR’s own detections in one centralized place, then use those signals to drive real-time adaptive authentication and automated response.