User Journeys (Login Flows)

User Journeys (internally referred to as LoginFlows) are the core of Identix's authentication orchestration. They allow you to define exactly how a user authenticates, what challenges they face, and what policies apply during their session.

Key Concepts

  • Methods: Individual authentication steps (Password, OTP, Magic Link, Passkey, etc.).
  • Sequences: The order in which methods must be completed.
  • Policies: Rules governing session duration, rate limiting, and risk assessment.
  • UI Variants: Different visual layouts and templates for the authentication screens.

Configuring a User Journey

Each User Journey can be customized with the following settings:

1. General Configuration

  • Flow Name & Description: Identifiers for the journey.
  • Priority: Determines which journey is selected when multiple journeys match a request.
  • Default Status: Whether this is the fallback journey for a specific Relying Party or the entire system.

2. Authentication Strategy

  • Allow Method Selection: If enabled, users can choose their preferred authentication method (e.g., "Sign in with Password" or "Sign in with Magic Link").
  • Require All Methods: If enabled, the user must complete every configured method in the defined sequence (Multi-Factor Authentication).

3. Security & Protection

  • Rate Limiting: Prevent brute-force attacks by capping the number of authentication attempts allowed per time window.
  • Throttling: Introduce delays after failed attempts to slow down automated attacks.
  • reCAPTCHA v3: Integrated bot protection. You can specify different actions (e.g., login, register) for fine-grained risk scoring.
  • WAF Integration: Support for Web Application Firewalls (e.g., Cloudflare, AWS WAF).

4. Session Policies

  • Max Session Duration: Override the global session lifetime for this specific journey.
  • Idle Timeout: Set how long a session can remain inactive before requiring re-authentication.
  • Device Trust: Require that the user's device be recognized or managed.

5. Advanced Orchestration

  • External Interceptors: Call external webhooks during the authentication process to perform custom validation or data enrichment.
  • IDP Linking: Automatically link social/federated identities to existing local accounts based on defined rules.
  • Attribute Collection: Prompt users for missing profile information (e.g., phone number, job title) during the flow.
  • MFA Enforcement:
    • NONE: No MFA required.
    • ALWAYS_ON: MFA is mandatory for every login.
    • CONDITIONAL: MFA is triggered based on risk levels or behavior events.
    • GLOBAL_POLICY: Follow the system-wide MFA settings.

UI Customization

Identix supports multiple UI variants and templates:

  • Variants: Pre-defined layouts (e.g., Centered, Split Screen, Glassmorphism).
  • Templates: Custom HTML/CSS templates for full brand control.
  • IDP Providers: Choose which federated IDPs (Google, Microsoft, etc.) appear on the login page for this specific journey.

Risk-Based Authentication

User Journeys can react to risk levels provided by the internal Risk Engine:

  • Risk Levels: LOW, MEDIUM, HIGH.
  • Behavior Events: NEW_DEVICE, NEW_LOCATION, SUSPICIOUS_IP.
  • Actions: You can configure specific methods to trigger only when a certain risk level is reached (e.g., "Only trigger SMS OTP if risk is MEDIUM or HIGH").
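To show how the MFA Enforcement modes and these risk-based triggers combine when a journey is evaluated, here is an added Python model of the decision (written for this page, not Identix's own code). It assumes a hypothetical per-method `min_risk` threshold and `on_events` set as the way a method is tied to a risk level or behavior event; the sample journey is constructed to match the "Only trigger SMS OTP if risk is MEDIUM or HIGH" rule above.

```python
from dataclasses import dataclass
from enum import Enum

class MfaMode(Enum):  # the four MFA Enforcement values from the journey settings
    NONE = "NONE"
    ALWAYS_ON = "ALWAYS_ON"
    CONDITIONAL = "CONDITIONAL"
    GLOBAL_POLICY = "GLOBAL_POLICY"

RISK_ORDER = {"LOW": 0, "MEDIUM": 1, "HIGH": 2}  # Risk Engine levels, lowest to highest

@dataclass(frozen=True)
class Method:
    name: str
    min_risk: str = "LOW"                # hypothetical: trigger at this risk level or above
    on_events: frozenset = frozenset()   # hypothetical: also trigger on these behavior events

@dataclass(frozen=True)
class Journey:
    sequence: tuple                      # ordered methods; the first one is always required
    mfa: MfaMode

def resolve_steps(journey, risk, events=(), global_mfa_required=False):
    """Return the ordered method names the user must complete for this request."""
    if risk not in RISK_ORDER:
        raise ValueError(f"unknown risk level: {risk}")  # fail closed on unexpected input
    mode = journey.mfa
    if mode is MfaMode.GLOBAL_POLICY:    # defer to the system-wide MFA setting
        mode = MfaMode.ALWAYS_ON if global_mfa_required else MfaMode.NONE
    first, extra = journey.sequence[0], journey.sequence[1:]
    steps = [first.name]
    if mode is MfaMode.NONE:
        return steps
    if mode is MfaMode.ALWAYS_ON:        # every configured method, in sequence
        return steps + [m.name for m in extra]
    # CONDITIONAL: an extra method fires on its risk threshold or a matching behavior event
    for m in extra:
        if RISK_ORDER[risk] >= RISK_ORDER[m.min_risk] or m.on_events & frozenset(events):
            steps.append(m.name)
    return steps

# Constructed sample journey: Password first, SMS OTP only at MEDIUM/HIGH risk or on a new device.
SAMPLE_JOURNEY = Journey(
    sequence=(Method("Password"),
              Method("SMS OTP", min_risk="MEDIUM", on_events=frozenset({"NEW_DEVICE"}))),
    mfa=MfaMode.CONDITIONAL,
)
```

Calling `resolve_steps(SAMPLE_JOURNEY, "LOW")` yields only the password step, while a HIGH risk level or a NEW_DEVICE event adds the SMS OTP step.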