Feature Variables
The Humifortis engine extracts and evaluates around 60 feature variables on every authentication event. These are vendor-agnostic — the same feature set works whether events come from Keycloak, Auth0, Okta, or a direct API integration. Connectors map their native field names to canonical feature names automatically.
Each feature is classified into a reliability tier that the engine uses internally when computing risk. Tier assignments are not published.
Network & Threat Intelligence
These features are computed entirely server-side from the client IP and are the most reliable inputs in the engine.
| Feature | What it detects |
|---|---|
network.is_tor | IP is a known Tor exit node — matched against a daily-synced list |
network.is_vpn | IP ASN belongs to a commercial VPN provider |
network.is_anonymous | Aggregate flag: Tor or VPN detected (used as a suppression guard in travel detectors) |
network.geo_country | Country code from GeoIP — primary input for impossible-travel detection |
network.asn_org | ISP or organization owning the IP — flags hosting/datacenter origin |
network.is_datacenter | IP belongs to a cloud provider (AWS, GCP, Azure…) — advisory signal |
Device Intelligence
The engine builds a multi-layer device identity from both server-computed and client-reported signals. Server-computed features cannot be spoofed by the client.
| Feature | What it detects |
|---|---|
device.server_fp | Server-computed fingerprint from hardware signals (UA + screen + timezone + CPU + GPU + platform). Cross-validates the client-side device.id. |
device.fp_binding_valid | Anti-replay binding result: valid, stale, mismatch, or absent. A mismatch means the device ID was tampered after the challenge was issued. |
device.id | FingerprintJS visitorId — the primary cross-login device identifier |
device.webgl_vendor | GPU vendor from WebGL (Intel, NVIDIA, Apple…) — difficult to spoof without hardware |
device.is_bot | Client identified as an automated agent or headless browser |
device.load_time_ms | Page-to-fingerprint completion time — detects automation and headless browsers |
device.hash_perf_ms | SubtleCrypto benchmark — distinguishes real hardware from VM or bot farm |
device.math_hash | SHA-256 of FPU probe results — detects browser or hardware changes between sessions |
device.math_anomaly | Math probes return NaN or Infinity — strong indicator of a headless or instrumented engine |
Identity & Account Context
These features describe who is authenticating and what their account state is at the time of the event.
| Feature | What it provides |
|---|---|
identity.is_privileged | User holds admin or elevated roles — increases blast radius of a compromise |
identity.mfa_methods | Enrolled MFA methods (TOTP, WEBAUTHN, PASSKEY…) — fed to POST /evaluate for step-up routing |
identity.email_verified | Whether the IdP has verified the user's email — required for safe EMAIL_OTP fallback |
account.age_days | Account age in days — new accounts have no behavioral baseline and carry higher prior risk |
session.active_count | Number of concurrent active sessions — a spike may indicate session hijacking or credential sharing |
Vendor-Agnostic Field Mapping
Each feature defines one or more sources — the raw field names that different connectors may use. The engine resolves them automatically. For example, network.geo_country accepts geo_country, country, or country_code from any connector.
You never need to rename your fields. Map once in the dashboard under Policies → Event Mappings, or rely on the automatic resolution for standard field names.
See Also
- Derived Signals — patterns the engine detects automatically from these features
- Custom Event Mapping — map your own event types to the canonical vocabulary
- How Signals Work — scoring model and evidence accumulation