Frequently Asked Questions
General
What is Humifortis?
Humifortis is an adaptive authentication layer on top of your existing IAM. It continuously scores identities (users, devices, sessions, API keys) based on security signals, and tells your authentication system whether to allow, challenge, or block each login — in real time, under 100 ms.
It does not replace your IAM. It makes it smarter.
How is it different from a SIEM?
A SIEM collects and stores logs for analysis and compliance. Humifortis scores in real time and enforces decisions inline with the authentication flow. By the time a SIEM alert fires, the session is already open. Humifortis blocks it before the token is issued.
Does it replace Keycloak / Okta / Auth0?
No. Humifortis adds a risk intelligence layer on top of your existing IdP. The Keycloak connector installs as a plugin — your users still log in through Keycloak, your apps still trust Keycloak tokens. Humifortis simply influences whether Keycloak completes the authentication or not.
Can I run it on-premise?
Yes — and this is a first-class option. Humifortis is designed for self-hosted deployment. Docker Compose, bare-metal systemd service, and air-gapped environments are all supported. No data leaves your network.
Is there a free tier?
Self-hosted: Free to run. The engine is open-core.
SaaS: Usage-based pricing with a free evaluation period for new tenants. → Pricing
Technical
What is a risk score?
A number from 0 to 100 that represents how suspicious a given identity's recent behavior is. 0 = completely clean. 100 = extremely suspicious. Scores increase when bad signals arrive (failed logins, Tor IP, new country) and decrease when trust is confirmed (MFA success) or time passes without incidents.
How fast is it?
Risk score queries return in under 100 ms. Event ingestion is async and does not block the caller. The Keycloak connector adds ~50–150 ms to the login flow (configurable timeout).
How does the Keycloak connector work?
The connector is a Java JAR installed in Keycloak's providers directory. It provides four Keycloak SPI components wired into the authentication flow:
- HumifortisDeviceCollector — silently collects 40+ device signals (FingerprintJS) before credentials are evaluated
- HumifortisRiskAuthenticator — calls
POST /api/v1/evaluatewith the full login context and enforces the returned decision (ALLOW,CHALLENGE_MFA, orBLOCK) - HumifortisHighCondition + HumifortisStepUpRouter — handle the MFA step-up when
CHALLENGE_MFAis returned
A separate HumifortisEventListener captures background events (logout, password change, TOTP updates, etc.) and forwards them asynchronously. This all happens before Keycloak issues any token.
What signals does the engine compute automatically?
Beyond the events you send, the engine automatically detects:
- Impossible travel — same user from two distant geos within minutes
- Velocity burst — unusual request rate from the same IP
- New device — first-seen browser/OS fingerprint for this identity
- Tor/VPN/proxy — IP matches known threat intelligence feeds
- Brute force — repeated failures followed by a success
What is CAEP?
CAEP (Continuous Access Evaluation Protocol) allows Humifortis to revoke or challenge active sessions in real time — after the login has already happened. If a user's risk score jumps while they are logged in, Humifortis pushes a signed Security Event Token (SET) to any registered CAEP receiver, which can then force re-authentication or terminate the session.
Can I use it without Keycloak?
Yes. Any system that can make an HTTP POST can send events directly to the REST API. The Keycloak connector is the most complete integration (with inline enforcement), but the API works with any IAM or application.
Operations
What does "fail-open" mean?
If Humifortis is unreachable (network issue, restart), the Keycloak connector is configured with HUMIFORTIS_FALLBACK_ALLOW=true by default. Logins proceed normally rather than failing. For high-security environments, set HUMIFORTIS_FALLBACK_ALLOW=false to block logins when the risk engine is unavailable.
How do I roll this out safely?
Start the Humifortis engine in Dry-Run mode (configured server-side, per-tenant in the Humifortis dashboard — not a connector env var). In Dry-Run, risk scores are computed and playbook rules are evaluated, but no user is ever blocked or challenged. Watch the Entities dashboard for a few days to understand normal patterns, then switch to Enforce mode when you're confident.
Does it affect login performance?
The connector adds ~50–150 ms to the login round-trip (the HTTP call to Humifortis). This is within the acceptable range for most SSO flows. The timeout is configurable via HUMIFORTIS_TIMEOUT_MS.
How do I update the engine?
For Docker Compose: docker compose pull && docker compose up -d. Database migrations run automatically on startup. For bare-metal: replace the binary and systemctl restart humifortis.