AccessGate

Continuous authentication that verifies users by how they behave, not just what they know.

AccessGate analyzes behavioral signals—typing patterns, mouse movements, navigation behavior—to verify user identity throughout a session. Stolen credentials become useless because attackers can't replicate the legitimate user's behavioral fingerprint.

The Problem

Traditional authentication fails after the gate:

User enters password ✓
User passes MFA ✓
Attacker hijacks session...
No further verification 🚨

Credentials can be phished. Sessions can be hijacked. MFA can be fatigued. Once past the front door, traditional systems assume the user is legitimate—until it's too late.

Account Takeover (ATO) is accelerating:

Credential stuffing attacks are automated
Phishing kits defeat real-time MFA
Session tokens are traded on dark markets
Insider threats bypass perimeter controls

The AccessGate Approach

Verify continuously, not once.

AccessGate builds a behavioral fingerprint for each user and verifies it throughout their session. Every interaction generates signals; every signal contributes to identity confidence.

text

Traditional Auth              AccessGate
─────────────────            ─────────────────
Login → Trust Forever        Login → Verify
                               │
                             Action → Verify
                               │
                             Action → Verify
                               │
                             Payment → Verify

How It Works

Three-Phase Architecture

text

┌─────────────────────────────────────────────────────┐
│  PHASE 1: PASSIVE COLLECTION (Browser)              │
│                                                     │
│  • SDK loads on page                                │
│  • Listens to mouse, keyboard, scroll, navigation  │
│  • Stores events in memory                          │
│  • NO data transmitted yet                          │
└─────────────────────────────────────────────────────┘
                        │
              User clicks "Login"
                        │
                        ▼
┌─────────────────────────────────────────────────────┐
│  PHASE 2: CHECKPOINT TRIGGERED (One API Call)       │
│                                                     │
│  • sdk.collect() bundles all data                   │
│  • Your backend receives: email, password,          │
│    behavioral data                                  │
│  • Backend forwards to AccessGate API               │
└─────────────────────────────────────────────────────┘
                        │
                    <200ms
                        │
                        ▼
┌─────────────────────────────────────────────────────┐
│  PHASE 3: ANALYSIS & DECISION (Edge)                │
│                                                     │
│  • Load user's behavioral baseline                  │
│  • Analyze patterns across 7 dimensions            │
│  • Calculate deviation from baseline                │
│  • Return risk score + decision                     │
└─────────────────────────────────────────────────────┘

The Seven Dimensions

AccessGate analyzes behavior across multiple signal types:

Dimension	Signals	Detects
Keystroke Dynamics	Typing speed, rhythm, key hold duration	Bots, credential stuffing
Mouse Movement	Speed, acceleration, curves, hesitation	Automation tools, ATO
Device Fingerprint	Browser, screen, fonts, timezone	Unknown devices
Geographic Signals	IP location, impossible travel, VPN	Credential reuse
Session Patterns	Login times, duration, navigation	Abnormal usage
Phone/Carrier	Number changes, carrier switches, VOIP	SIM swap fraud
Network Intelligence	ASN patterns, datacenter detection	Anonymizing infrastructure

Behavioral Baselines

AccessGate builds a profile for each user without requiring labeled training data:

Learning phase (first 5-10 sessions):

Collect behavioral data
Allow by default with relaxed thresholds
Build statistical baselines

Protection phase (session 10+):

Full protection with established baseline
Continuous adaptation to legitimate changes
Instant detection of anomalies

Key insight: The system learns what's "normal" for each individual user—not what's normal across all users. This makes it resilient to adversarial gaming.

Attack Detection

Credential Stuffing

Attack pattern: Bot cycles through stolen credential pairs at high speed.

Detection signals:

Typing speed: Mechanical, too fast (120+ WPM)
Mouse movement: Straight lines, no hesitation
Rhythm variation: Zero (humans have natural variation)
Error rate: Zero (humans make typos)

Result: Blocked before login completes.

Account Takeover (Phishing)

Attack pattern: Attacker obtains credentials via phishing, logs in as victim.

Detection signals:

Device fingerprint: Unrecognized
Typing patterns: Doesn't match baseline
Geographic: Different location/timezone
Session timing: Unusual hours

Result: Step-up authentication or block.

Session Hijacking

Attack pattern: Attacker steals session token, accesses account mid-session.

Detection signals:

Behavioral shift: Dramatic change in patterns
Device change: Different fingerprint mid-session
Navigation: Immediate target of high-value actions

Result: Session terminated, re-authentication required.

Bot Account Creation

Attack pattern: Automated account creation for fraud schemes.

Detection signals:

Form fill speed: Too fast for human
Mouse patterns: Programmatic movements
Navigation: No exploration, direct paths
Fingerprint: Known bot signatures

Result: Blocked, CAPTCHA triggered.

SDK Integration

Installation

html

<!-- Add to your page -->
<script src="https://cdn.runloci.com/accessgate-sdk.min.js"></script>
<script>
  const sdk = new AccessGateSDK({
    enableBehavioralBiometrics: true,
    maxMouseEvents: 500,
    maxKeystrokeEvents: 200,
    trackNavigation: true
  });
</script>

Collecting Data

javascript

// At critical moments (login, payment, etc.)
form.addEventListener('submit', async (e) => {
  e.preventDefault();
  
  // Collect all behavioral data
  const data = await sdk.collect({
    includeLocation: true,
    includeBehavioral: true
  });
  
  // Send to your backend with credentials
  await fetch('/api/login', {
    method: 'POST',
    body: JSON.stringify({
      email: form.email.value,
      password: form.password.value,
      accessgate_data: data
    })
  });
});

SDK Performance

Metric	Value
Size	<10KB gzipped
Memory	<1MB
CPU impact	Negligible
Network	Zero until collect()

API Integration

Risk Check

bash

POST /accessgate/v1/check

curl -X POST https://api.accessgate.runloci.com/v1/check \
  -H "Content-Type: application/json" \
  -H "x-org-id: YOUR_ORG_ID" \
  -H "x-api-key: YOUR_API_KEY" \
  -d '{
    "email": "[email protected]",
    "ip": "102.88.34.45",
    "device": {
      "user_agent": "Mozilla/5.0...",
      "fingerprint": "a3f8c9d4e5b2f1a0..."
    },
    "behavioral": {
      "mouse_events": [...],
      "keystroke_events": [...]
    },
    "context": {
      "action": "login",
      "user_id": "user_123"
    }
  }'

Response

json

{
  "decision": {
    "outcome": "allow",
    "score": 23,
    "threshold": 60,
    "confidence": 0.92,
    "reasons": []
  },
  "ip_checks": [
    {"type": "tor", "result": "no_match"},
    {"type": "vpn", "result": "no_match"}
  ],
  "device_info": {
    "type": "desktop",
    "os": "Windows",
    "browser": "Chrome",
    "bot": false,
    "risk": "low"
  },
  "metadata": {
    "processing_time_ms": 85
  }
}

Decision Handling

Outcome	Score	Action
`allow`	0-59	Proceed normally
`review`	60-84	Trigger step-up auth (2FA, CAPTCHA)
`block`	85-100	Reject, alert user

Session Management

Get Active Sessions

bash

GET /accessgate/sessions/{entity_id}

curl "https://api.accessgate.runloci.com/accessgate/sessions/user_123" \
  -H "x-org-id: YOUR_ORG_ID" \
  -H "x-api-key: YOUR_API_KEY"

Terminate Sessions

For fraud response or account security:

bash

POST /accessgate/sessions/{entity_id}/terminate

curl -X POST "https://api.accessgate.runloci.com/accessgate/sessions/user_123/terminate" \
  -H "x-org-id: YOUR_ORG_ID" \
  -H "x-api-key: YOUR_API_KEY"

Detection Rates

Attack Type	Detection Rate	False Positive Rate
Credential stuffing	99%+	<1%
Account takeover (phishing)	85-95%	<1%
SIM swap fraud	85-90%	<2%
Session hijacking	95%+	<0.5%
Bot account creation	99%+	<0.5%

Privacy & Compliance

What We Store

Stored (behavioral patterns):

Typing speed statistics (mean, variance)
Mouse movement statistics
Device fingerprints (hashed)
Session metadata

NOT stored:

Keystroke content (what you typed)
Full mouse coordinate traces
Browsing history

Data Retention

Behavioral baselines: 90 days
Session data: 24 hours
All data encrypted at rest

Compliance

GDPR-compliant data minimization
CCPA deletion endpoints available
Purpose limitation (fraud detection only)
90-day auto-expiration

Layering with MFA

AccessGate complements—doesn't replace—MFA:

text

Layer 1: Password
    │
    ▼
Layer 2: AccessGate (behavioral check)
    │
    ├── Low risk → Proceed
    │
    └── High risk → Layer 3: MFA

Benefits:

Most attacks caught before MFA (reduces SMS costs)
Better UX (legitimate users rarely see MFA)
Defense in depth

Next Steps

Getting Started Guide — 30-minute integration
SDK Reference — Complete SDK documentation
Session Management — Advanced session controls
API Reference — Complete endpoint documentation