Some institutions allow users to conduct electronic transactions over a network. For example, a bank may provide a web application that allows an account holder to access an account, or a corporation may provide an intranet through which authorized employees can access sensitive documents. When a user initiates an electronic transaction, the user may provide a username and password to conduct the transaction. However, there is a risk that a malicious actor might fraudulently conduct a transaction by obtaining the username and correctly guessing the password.
To combat fraud, institutions commonly employ user authentication. Conventional approaches to user authentication involve obtaining device data, such as IP address, MAC address, and geolocation, from an electronic device operated by a user in response to the user requesting access to a secure resource. The extraction of the device data may be performed in a manner transparent to the user, e.g., by a JavaScript application that runs in a browser or by some other application. In some cases, the device data are provided as inputs to a risk engine, which generates as output a risk score that indicates a likelihood that the transaction is fraudulent. The institution may then use the risk score to decide whether to grant or deny the user's request to access the resource.