A typical Airlock IAM authentication session is anonymous at first and the accessing user is unknown. However, several contextual attributes from the HTTP request, e.g., access time, client IP address, cookies, or the "User-Agent" header can already be collected. From these basic attributes, derived attributes such as geolocation or browser fingerprints may be computed.
Then, the user provides credentials for the first authentication step, e.g., the user logs in using username and password. The first authentication step may also be non-interactive, for instance if a client certificate or an access token (e.g., a SAML assertion) is attached to requests. After the user has provided some initial means of authentication, Airlock IAM loads the user's profile to obtain user-specific attributes and persistent roles assigned to the user.
In addition, statistics of recent successful login sessions of this user are loaded. These login statistics are used to determine whether attributes of the current login session correspond to "normal" user login behavior or not.