Skip to content

Require verification methods depending on user's Arkose Labs risk band

Eugie Limpin requested to merge ell-identity-verification-with-arkose-risk-band into master
  • Resolves: gitlab-org/modelops/anti-abuse/team-tasks#83
  • Depends on: !99202 (merged)

What does this MR do and why?

Update the Identity Verification feature to require new users the appropriate set of verification steps depending on their Arkose Labs risk band.

New user's Arkose Labs risk band Required verification steps (in order)
'Low' Email
'Medium' Phone Number, Email
'High' Credit Card, Phone Number, Email

Screenshots or screen recordings

Users with 'Low' Arkose Labs risk band

https://www.loom.com/share/c8cc0847894a4089b3fec41b64de9bac

Users with 'Medium' Arkose Labs risk band

https://www.loom.com/share/ceabfbb0c62741c096a6816e94e44019

Users with 'High' Arkose Labs risk band

https://www.loom.com/share/fd24e91f200c49e8ace09cedfda2f425

Set up

  1. Enable arkose_labs_signup_challenge feature. This feature is responsible for interfacing with Arkose Labs to assign a risk_band for new users. 
    $ rails console
> Feature.enable(:arkose_labs_signup_challenge)
> ApplicationSetting.first.update({ arkose_labs_public_api_key: '****', arkose_labs_private_api_key: '****', arkose_labs_namespace: 'client' })
    Credentials are available in GitLab 1Password Engineering Vault
  2. Enable feature flags for identity verification 
    $ rails console
> Feature.enable(:identity_verification)
> Feature.enable(:identity_verification_phone_number)
> Feature.enable(:identity_verification_credit_card)

Validate

User with 'Low' Arkose Labs risk band

  1. Sign up for a new account. After, you should be redirected to the Identity Verification page (http://localhost:3000/users/identity_verification)
  2. Update the new user's risk band data to have 'Low' value 
    $ rails console
> u = User.last
> risk_band = u.custom_attributes.by_key('arkose_risk_band').first
> risk_band.update(value: 'Low')
  3. Refresh the Identity Verification page
  4. Validate that only email verification step is shown
    📸 Screen_Shot_2022-09-30_at_2.23.25_PM

User with 'Medium' Arkose Labs risk band

  1. Update the user's (the same user you created previously) risk band data to have 'Medium' value 
    $ rails console
> u = User.last
> risk_band = u.custom_attributes.by_key('arkose_risk_band').first
> risk_band.update(value: 'Medium')
  2. Refresh the Identity Verification page
  3. Validate that phone number AND email verification steps (in that order) are shown
    📸 Screen_Shot_2022-09-30_at_2.23.50_PM

User with 'High' Arkose Labs risk band

  1. Update the user's (the same user you created previously) risk band data to have 'High' value 
    $ rails console
> u = User.last
> risk_band = u.custom_attributes.by_key('arkose_risk_band').first
> risk_band.update(value: 'High')
  2. Refresh the Identity Verification page
  3. Validate that credit card, phone number AND email verification steps (in that order) are shown
    📸 Screen_Shot_2022-09-30_at_2.22.47_PM

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Eugie Limpin

Merge request reports