Login Inspector — User Manual – Sift Help Center

About Login Inspector

Login Inspector is a new feature that gives you more transparency into logins with similar attributes, so you can make better decisions, faster.

Login Inspector groups logins that have similar attributes (e.g., connection, location, and device information) into scannable profiles.

Grouping logins into profiles to distinguish trusted logins from unknown / untrusted logins.
Surfacing the most relevant information on each profile and login in a single view
Allowing analysts to explore further information without switching to another page.
Allowing batch decisions on all logins in a given profile.

These profiles provide enhanced context and highlight relevant attributes in an easy-to-navigate table, making it easier to dig in and find out more about both individual and grouped logins. The table lets analysts make batch decisions on logins. An interactive map that displays profiles and logins by location complements the profile and login table.

The Overview page

The Login Inspector groups together all successful logins for each account. The default view displays all historical successful logins scored by Sift, although analysts can choose to narrow their view to a particular period.
Failed logins and non-login activity can still be seen via the Locations card or in the Activity Log.

Profiles

When a unique identifier is available (cookie for a browser login or device ID for a native app login), we group all logins with the same value to a profile. Profiles based on a unique identifier may include logins from multiple locations and IP organizations (i.e., the ISPs or mobile carriers through which users access the internet).
In the absence of a unique identifier (indicated by the “missing identifier” icon), we group logins that share connection, location, and client attributes (namely: OS major version + browser + location + IP org). Such profiles include logins from one location and one IP org.

By default, the profiles are ordered by the time of the last login (most recent first). Analysts can change this order via the “Sort by” drop down.
By default, all past successful logins for the respective user are shown. Analysts can restrict this time period via the “Activity in” drop down.

The Profile Header

The profile is named by the browser and OS used.
The profile header shows the number of locations and IP org seen from the profile, as well as the date and location of the last login.
The profile color is indicated by the drop pin on its top-right corner; this color is used to identify logins from the relevant profile in the map.
The profile age is calculated from the date of the first successful login seen from that profile.
The row at the bottom of the header shows the following:

Total number of logins
Date and state of the last verification triggered by a login in the profile
Logins in the profile show both manual and automated decisions made. Analysts can expand the profile and examine individual logins to see if the decisions were manual or automated. We strongly encourage analysts to update a wrong automated decision with the correct manual decision. The Sift ATO model currently only considers manual decisions, so providing additional manual decisions helps train the model and improve its accuracy.

Logins

Logins for each profile are listed by newest first.
For each login, we present the score, date and time, location and IP org. Hover over the location and IP org to see additional information: full location (including state or region), the full IP address, and any other relevant alerts, such as “Location is over 500km from any previous location”, “IP is a TOR node”, or “IP is a proxy”.
When applicable, we present the verification status for the login, the decision made, and additional alerts such as change of user agent and number of failed logins before this login. Hover over each of these fields for additional information.
Values in red are deemed risky by our model. Hover over them for additional information.

Map

The pins on the map show login locations of their respective profiles. The colors match the profiles in the profile table.
By default, the map is zoomed and centered in on the relevant locations. Analysts may need to zoom out to see all profiles if they’re geographically spread out.
There are two special pins:

The stacked pin indicates multiple logins from the same profile at the same location.

The multi-typed pin is displayed in case multiple profiles have logged in from the same location. Clicking on the multi-typed pin shows a tooltip with the individual profiles’ colors:

Applying session decisions

To make a decision on a login, expand the profile and click the three dots icon next to the login.
You can apply the same decision to multiple logins in the same profiles:

Hover over the Decision column. Check boxes will show.
Check the boxes next to the logins you’d like to decide on.
Then, click the “Decision” column header and choose a decision. Your decision will be applied to all checked logins.

Note that logins with the same $session_id all receive the same decision. This is why you may notice additional checkboxes being checked when you check just one login.

Additional Notes

The “New” badge may appear next to a location, IP org, etc. to indicate a value that was not seen before for this account. For logins prior to August 2018, you may notice a value labeled as “New” for multiple logins in the same profile or account; we have updated the logic since then, but the update isn’t retroactive.
The profile name (e.g., “Chrome on Windows 10”) will show the full user agent on hover for logins from July 25, 2018 and after.
During the opt-in period (Nov 1-Nov 12), users can disable the Login Inspector and show only the session card by doing the following:

Go to “Edit Layout” at the top-right of the page:

Then select “Remove login inspector”:

Reach out to support@siftscience.com if you have any additional questions.