Transactional Authorization for E-Commerce: Leveraging Intent-Based Authorization to Control Risk for Businesses and Shoppers


Determining Risk & Detecting Fraud for Individual Transactions

With online fraud on the rise, businesses engaging in e-Commerce must often decide if they are more willing to tolerate fraud than they are to introduce additional friction (such as additional authentication requirements) for their end-users. Ideally, such businesses could make decisions about when to introduce additional friction based on a thorough risk analysis leveraging all the contextual data available.

Unfortunately, most e-Commerce businesses rely on central systems for user authentication that can only perform such an analysis at the time of initial login (if at all), so the logic for risk analysis is built into the applications themselves. Building authorization and risk-determination logic into applications makes management of risk analysis algorithms and the security policies associated with them very cumbersome and costly. Moreover, the division of modern application infrastructures into sets of smaller services (e.g. microservices) means that any application-centric logic that needs to be leveraged by more than one service must exist in more than one location or be centralized for consumption by more than one service.

Transactional Authorization

Cloudentity decouples authentication from authorization to enable applications to request transaction-level authorization from the Administration Control Plane using the OAuth 2 and OIDC open standards. These requests are subject to security policies that consider not only the context of the user, but also the details of the specific transaction being authorized and the conditions under which it is being requested.

The ability for a business to make a real-time decision about which transactions require additional authentication (and therefore additional friction for the end-user) and which ones don’t is the key to balancing end-user friction with safety for both the business and the end-user. Cloudentity provides such businesses with the flexibility to tailor their security policies and mitigation tactics to the specific risks and fraud patterns they are facing as well as the centralization and manageability to control and govern these policies at scale.

Data Governance with Dynamic Scopes: Govern transactions by applying policy to scopes with dynamic values that contain, for example, transaction IDs and/or payment amounts

Transactional Multi-Factor Authentication (MFA): Make dynamic decisions when a transaction occurs rather than only at the initial authentication

External Service Callouts: Invoke external Entitlement, Fraud or Risk endpoints to gather additional information during policy evaluation

Audit Event Access: Leverage historical data to determine the relative risk of a particular request

Policy-as-Code: Enable policy governance and change management within your SDLC

Scale & Performance: Grow your business with confidence that Cloudentity can easily scale to meet your needs


A major UK retailer is using Cloudentity to authorize payments made on their latest closed-loop payment system, available to customers for both online and in-store purchases. The user’s identity is established early in the shopping process, but when a payment is made the risk level is determined based on the size of the payment, the historical behavior of the user (i.e. is the current request happening from a similar device at a similar location and time as previous transactions?), and information gathered from an external third-party fraud detection system that is invoked during the authorization policy evaluation.

The union of these various contexts provides a solid footing on which the decision regarding whether to prompt a user for MFA before completing their transaction can be made.

How Cloudentity Can Accelerate Your DevOps


Define Sources of Contextual Information

Identify the user – who are they and how have they authenticated?

Identify the conditions of the request; user-agent, IP location, time-of-day, etc…

Query the Cloudentity audit repository to gather historical conditions of this user’s previous requests

Query external third-party sources of fraud and risk data



Define and Maintain Policies

Author policies that consider all contextual information to make determinations regarding risk level.

Select the methods of recovery that can be used to allow a user to complete a transaction that has been identified as high-risk. Cloudentity provides out-of-the-box support for OTP delivered via SMS or email, but can also integrate with third-party authentication providers to invoke the MFA mechanism required.

Policies are managed as code and are automatically validated and deployed via CI/CD pipelines whenever a change is committed.


Enable Applications to Authorize Transactions

Applications leverage Cloudentity for authorization using the OAuth 2 or OIDC open standards, making it simple to integrate both in-house and third-party applications.

Applications are updated to require a specific access token payload to proceed with a transaction. The payload required might include the transaction (or shopping cart) ID and the amount to be paid as well as other information; permission to mint an access token with such a payload is governed by the policies defined in step 2.

By making an authorization request at each transaction, the application automatically builds a historical behavior profile for the user, thereby improving the effectiveness of the policies already in place.
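The policy-evaluation step and the transaction-bound token check described above, as an added illustration that is not Cloudentity's own code or policy language: the audit history, the fraud-score lookup standing in for an external callout, and the risk thresholds are all constructed assumptions, and the token is shown as a claims payload rather than a signed JWT.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample data (assumptions, not real Cloudentity data).
# Prior successful transactions per user: (device id, country), as an audit repository might record them.
AUDIT_HISTORY = {"alice": [("dev-1", "GB"), ("dev-1", "GB"), ("dev-1", "GB")]}
# Stand-in for an external fraud/risk endpoint: transaction id -> fraud score in [0, 1].
FRAUD_SCORES = {"cart-1001": 0.10, "cart-1002": 0.95}


@dataclass
class Request:
    user: str
    amr: List[str]   # authentication methods already completed, e.g. ["pwd"] or ["pwd", "otp"]
    device: str
    country: str
    txn_id: str      # transaction / shopping-cart id the token will be bound to
    amount: float


def evaluate(req: Request, high_value: float = 100.0, fraud_threshold: float = 0.8) -> str:
    """Return 'allow', 'step_up' (require MFA) or 'deny'. Thresholds are assumed values."""
    if FRAUD_SCORES.get(req.txn_id, 0.0) >= fraud_threshold:
        return "deny"                      # external fraud signal overrides everything else
    familiar = (req.device, req.country) in AUDIT_HISTORY.get(req.user, [])
    risky = req.amount >= high_value or not familiar
    if risky and "otp" not in req.amr:
        return "step_up"                   # add friction only when context says it is warranted
    return "allow"


def mint_claims(req: Request) -> Optional[dict]:
    """Mint a transaction-bound access-token payload only when policy allows the transaction."""
    if evaluate(req) != "allow":
        return None
    return {"sub": req.user, "txn_id": req.txn_id, "amount": req.amount, "amr": list(req.amr)}


def token_authorizes(claims: dict, txn_id: str, amount: float) -> bool:
    """Application-side check: the token must name exactly this transaction and this amount."""
    return claims.get("txn_id") == txn_id and claims.get("amount") == amount
```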