Skip to main content

Feature Variables

The Humifortis engine extracts and evaluates around 60 feature variables on every authentication event. These are vendor-agnostic — the same feature set works whether events come from Keycloak, Auth0, Okta, or a direct API integration. Connectors map their native field names to canonical feature names automatically.

Each feature is classified into a reliability tier that the engine uses internally when computing risk. Tier assignments are not published.


Network & Threat Intelligence

These features are computed entirely server-side from the client IP and are the most reliable inputs in the engine.

FeatureWhat it detects
network.is_torIP is a known Tor exit node — matched against a daily-synced list
network.is_vpnIP ASN belongs to a commercial VPN provider
network.is_anonymousAggregate flag: Tor or VPN detected (used as a suppression guard in travel detectors)
network.geo_countryCountry code from GeoIP — primary input for impossible-travel detection
network.asn_orgISP or organization owning the IP — flags hosting/datacenter origin
network.is_datacenterIP belongs to a cloud provider (AWS, GCP, Azure…) — advisory signal

Device Intelligence

The engine builds a multi-layer device identity from both server-computed and client-reported signals. Server-computed features cannot be spoofed by the client.

FeatureWhat it detects
device.server_fpServer-computed fingerprint from hardware signals (UA + screen + timezone + CPU + GPU + platform). Cross-validates the client-side device.id.
device.fp_binding_validAnti-replay binding result: valid, stale, mismatch, or absent. A mismatch means the device ID was tampered after the challenge was issued.
device.idFingerprintJS visitorId — the primary cross-login device identifier
device.webgl_vendorGPU vendor from WebGL (Intel, NVIDIA, Apple…) — difficult to spoof without hardware
device.is_botClient identified as an automated agent or headless browser
device.load_time_msPage-to-fingerprint completion time — detects automation and headless browsers
device.hash_perf_msSubtleCrypto benchmark — distinguishes real hardware from VM or bot farm
device.math_hashSHA-256 of FPU probe results — detects browser or hardware changes between sessions
device.math_anomalyMath probes return NaN or Infinity — strong indicator of a headless or instrumented engine

Identity & Account Context

These features describe who is authenticating and what their account state is at the time of the event.

FeatureWhat it provides
identity.is_privilegedUser holds admin or elevated roles — increases blast radius of a compromise
identity.mfa_methodsEnrolled MFA methods (TOTP, WEBAUTHN, PASSKEY…) — fed to POST /evaluate for step-up routing
identity.email_verifiedWhether the IdP has verified the user's email — required for safe EMAIL_OTP fallback
account.age_daysAccount age in days — new accounts have no behavioral baseline and carry higher prior risk
session.active_countNumber of concurrent active sessions — a spike may indicate session hijacking or credential sharing

Vendor-Agnostic Field Mapping

Each feature defines one or more sources — the raw field names that different connectors may use. The engine resolves them automatically. For example, network.geo_country accepts geo_country, country, or country_code from any connector.

You never need to rename your fields. Map once in the dashboard under Policies → Event Mappings, or rely on the automatic resolution for standard field names.


See Also