The Continuous Session Trust Re-Scoring Framework shifts from traditional one-time login verification to real-time, continuous evaluation of session trust throughout the entire lifecycle. This system continuously monitors behavioral signals, context changes, and threat indicators to dynamically adjust trust levels and enforcement actions—all without requiring explicit logout/login cycles.
- ✅ Real-time Trust Scoring - Continuous evaluation on every request
- ✅ 8 Trust Components - Multi-dimensional trust assessment
- ✅ Dynamic Enforcement Tiers - NORMAL → MONITORED → CHALLENGED → TERMINATED
- ✅ Anti-Friction Controls - Adaptive thresholds minimize false positives
- ✅ Confidence-Aware Challenges - Intelligent challenge selection
- ✅ User Baseline Learning - Personalized trust thresholds
┌─────────────────────────────────────────────────────┐
│ Continuous Session Trust Framework │
├─────────────────────────────────────────────────────┤
│ │
│ ┌────────────────────────────────────────────┐ │
│ │ 1. Behavior Signal Collection │ │
│ │ - Endpoint sensitivity │ │
│ │ - Request cadence anomalies │ │
│ │ - Geo/location drift │ │
│ │ - User agent consistency │ │
│ │ - Privilege transitions │ │
│ │ - Re-auth attempts │ │
│ │ - Known threat indicators │ │
│ └────────────────────────────────────────────┘ │
│ ▼ │
│ ┌────────────────────────────────────────────┐ │
│ │ 2. Trust Scoring Engine │ │
│ │ - Calculate 8 component scores │ │
│ │ - Apply adaptive thresholds │ │
│ │ - Weighted composite scoring │ │
│ └────────────────────────────────────────────┘ │
│ ▼ │
│ ┌────────────────────────────────────────────┐ │
│ │ 3. Enforcement Tier Evaluation │ │
│ │ - NORMAL (90-100): Allow │ │
│ │ - MONITORED (70-89): Log activity │ │
│ │ - CHALLENGED (40-69): Verify identity │ │
│ │ - TERMINATED (<40): Kill session │ │
│ └────────────────────────────────────────────┘ │
│ ▼ │
│ ┌────────────────────────────────────────────┐ │
│ │ 4. Challenge Orchestration │ │
│ │ - Confidence-aware selection │ │
│ │ - Anti-friction throttling │ │
│ │ - Multi-channel delivery │ │
│ └────────────────────────────────────────────┘ │
│ ▼ │
│ ┌────────────────────────────────────────────┐ │
│ │ 5. Adaptive Learning │ │
│ │ - False positive tracking │ │
│ │ - Baseline model training │ │
│ │ - Auto-threshold adjustment │ │
│ └────────────────────────────────────────────┘ │
│ │
└─────────────────────────────────────────────────────┘
Measures: Risk based on accessed endpoint sensitivity
- Critical endpoints (admin, export, delete): High penalty
- Usual endpoints: No penalty
- Unknown endpoints: Moderate penalty
Scoring:
- Normal access: 100
- Sensitive access: 75-90
- Critical access: 50-75
Measures: Unusual request timing patterns
-
50% deviation from baseline: Penalty
- Bot-like patterns: High penalty
- Burst requests: Moderate penalty
Scoring:
- Normal rate: 100
- Slight anomaly: 80-95
- High anomaly: 50-80
Measures: Location-based risk assessment
- Impossible travel: Critical penalty
- New country: High penalty
- New city (same country): Moderate penalty
Scoring:
- Normal location: 100
- New city: 80-95
- Impossible travel: 0-50
Measures: Browser/device consistency
- Browser change: Moderate penalty
- OS change: High penalty
- Complete UA change: Very high penalty
Scoring:
- Consistent: 100
- Minor change: 85-95
- Major change: 60-80
Measures: Session token freshness
- <6 hours: Excellent
- 6-12 hours: Good
- 12-24 hours: Aging
-
24 hours: Very old
Scoring:
- Fresh (<6h): 100
- Aging (12-18h): 70-85
- Old (>24h): 30-50
Measures: Unusual privilege escalations
- Admin access: High visibility
- Privilege escalation: Penalty
- Privilege revocation: Trust boost
Scoring:
- Normal privileges: 100
- Escalation: 60-85
- Multiple escalations: 40-60
Measures: Success/failure of re-auth attempts
- Failed re-auth: Penalty per attempt
- Successful re-auth: Trust boost
- Multiple failures: High penalty
Scoring:
- No attempts: 100
- Successful re-auth: 90-100
- Failed attempts: 50-85
Measures: Known threat detection
- IP blacklist: Critical penalty
- Malware: Critical penalty
- Bot detection: High penalty
- VPN usage: Moderate penalty
Scoring:
- No threats: 100
- Known threat: 0-40
Action: Full access granted
- No additional verification required
- Standard monitoring
- Re-score every 5 minutes
Action: Allow with enhanced logging
- Log all actions
- Periodic trust checks
- Re-score every 2 minutes
- Flag unusual patterns
Action: Challenge user identity
- Issue appropriate challenge type
- Allow limited access pending verification
- Re-score every 30 seconds
- Cancel pending challenges on improvement
Action: Kill session immediately
- Revoke all session tokens
- Block further requests
- Notify user and security team
- Require full re-authentication
- Purpose: Verify recognized device
- Friction: Minimal (1-click)
- Use case: Trust score 80-89
- Time: <10 seconds
- Purpose: Verify email access
- Friction: Low (click link)
- Use case: Trust score 70-85
- Time: <1 minute
- Purpose: Verify phone/email access
- Friction: Moderate (enter 6-digit code)
- Use case: Trust score 50-75
- Time: <30 seconds
- Purpose: Knowledge-based authentication
- Friction: Moderate (answer 2 questions)
- Use case: Trust score 55-70
- Time: <1 minute
- Purpose: Biometric verification
- Friction: Moderate-High (depends on device)
- Use case: Trust score 40-60
- Time: <15 seconds
- Purpose: Full re-authentication
- Friction: High (password + 2FA code)
- Use case: Trust score <50
- Time: <2 minutes
The system learns normal behavior for each user:
baseline_profile = {
primary_locations: [cities visited regularly],
usual_browsers: [typical user agents],
average_requests_per_minute: calculated baseline,
usual_active_hours: {start: 9, end: 18},
trusted_devices: [device fingerprints],
usual_endpoints: [frequently accessed paths],
}When False Positive Rate High (>10%):
- ✅ Relax thresholds by 15%
- ✅ Extend allowable deviations
- ✅ Prefer weaker challenges
- ✅ Increase challenge cooldown
When Real Attacks Detected (>2 critical events):
- ✅ Tighten thresholds by 20%
- ✅ Reduce deviation tolerance
- ✅ Prefer stronger challenges
- ✅ Increase monitoring frequency
Users can request temporary relaxation:
- TRAVELING: Relax geo context for N days
- DEVICE_CHANGE: Relax UA consistency for 48 hours
- KNOWN_VPN: Whitelist VPN usage
- TEMPORARY_RELAXATION: General 30% relaxation
1. Extract request context
├─ Endpoint & method
├─ IP address & geolocation
├─ User agent & device fingerprint
├─ Required privilege level
└─ Request timing
2. Check if trust should be re-scored
├─ Time since last score >threshold
├─ Confidence level is LOW
└─ Tier is CHALLENGED (frequent checks)
3. Collect behavioral signals
├─ Endpoint sensitivity
├─ Request cadence deviation
├─ Geographic drift/impossible travel
├─ User agent changes
├─ IP address changes
├─ Privilege transitions
├─ Device trust
└─ Known threats
4. Calculate new trust score
├─ Score each of 8 components
├─ Apply adaptive thresholds
├─ Calculate weighted composite
└─ Determine new enforcement tier
5. Handle tier transitions
├─ If downgraded → Issue challenge
├─ If TERMINATED → Kill session
└─ If upgraded → Cancel pending challenges
6. Return decision
├─ ALLOW (NORMAL)
├─ ALLOW_WITH_MONITORING (MONITORED)
├─ CHALLENGE_REQUIRED (CHALLENGED)
└─ SESSION_TERMINATED (TERMINATED)
# Get current session trust
GET /api/session-trust/current
# Returns: { trustScore, enforcementTier, action, detail }
# Trigger trust evaluation
POST /api/session-trust/evaluate
# Body: { endpoint, location, deviceFingerprint, context }
# Returns: { trustScore, enforcementTier, action, signals }
# Force trust re-scoring
POST /api/session-trust/rescore
# Returns: { trustScore, componentsUpdated }
# Get user trust metrics
GET /api/session-trust/metrics
# Returns: { activeSessions, averageTrustScore, anomalousCount }
# Get trust score history
GET /api/session-trust/history?limit=50&offset=0
# Returns: { data: [trust_scores], pagination }
# Terminate session
POST /api/session-trust/terminate
# Body: { reason }
# Returns: { success, sessionId, reason }# Record new signal
POST /api/session-trust/signals/record
# Body: { signalType, details, severity }
# Returns: { signal_id, anomalyScore, actionTaken }
# Get signals
GET /api/session-trust/signals?hoursBack=24&limit=100
# Returns: { data: [signals], pagination }
# Get specific signal
GET /api/session-trust/signals/:signalId
# Returns: { signal, explanation }
# Mark false positive
POST /api/session-trust/signals/:signalId/false-positive
# Returns: { success, policy_adjusted }
# Analyze signals
GET /api/session-trust/signals/analyze?hoursBack=24
# Returns: { signals, analysis: {anomalies, riskFactors} }# Get pending challenges
GET /api/session-trust/challenges/pending
# Returns: { data: [challenges] }
# Get challenge status
GET /api/session-trust/challenges/:challengeId
# Returns: { status, type, explanation, remaining_attempts }
# Respond to challenge
POST /api/session-trust/challenges/:challengeId/respond
# Body: { response, responseTimeMs }
# Returns: { success, remaining_attempts, friction }
# Cancel challenge
POST /api/session-trust/challenges/:challengeId/cancel
# Body: { reason }
# Returns: { success }
# Get challenge history
GET /api/session-trust/challenges/history?limit=50
# Returns: { data: [challenges], pagination }# Get user's policy
GET /api/session-trust/policy
# Returns: { policy, baselineProfile, componentThresholds }
# Update policy
POST /api/session-trust/policy/update
# Body: { componentThresholds, challengeStrategy, autoAdjustment }
# Returns: { policy }
# Update baseline
POST /api/session-trust/policy/baseline/update
# Returns: { success, dataPointsCollected }
# Train baseline model
POST /api/session-trust/policy/baseline/train
# Returns: { success, signalsAnalyzed }
# Get current sensitivity
GET /api/session-trust/policy/sensitivity
# Returns: { sensitivity, falsePositiveRate, recommendation }
# Get recommendations
GET /api/session-trust/policy/recommendations
# Returns: { recommendations[] }
# Add temporary exception
POST /api/session-trust/policy/exceptions
# Body: { exceptionType, durationDays, component }
# Returns: { exceptionId, validUntil }# Get dashboard data
GET /api/session-trust/monitoring/dashboard
# Returns: { overview, tierDistribution, recentSignals, sessions }
# Get analytics over time
GET /api/session-trust/monitoring/analytics?daysBack=7
# Returns: { trustScores[], signalsByType, challengesByType, successRate }// On every API request, middleware checks trust
const trustResult = await fetch('/api/session-trust/evaluate', {
method: 'POST',
headers: { 'Content-Type': 'application/json' },
body: JSON.stringify({
endpoint: '/api/expenses',
location: { latitude: 40.7128, longitude: -74.0060 },
deviceFingerprint: 'abc123...',
})
});
const { trustScore, enforcementTier, action } = await trustResult.json();
if (action === 'CHALLENGE_REQUIRED') {
// Show challenge UI
redirectToChallenge();
} else if (action === 'SESSION_TERMINATED') {
// Session terminated
logout();
}// User receives challenge via email/in-app
// User enters OTP code
const response = await fetch(`/api/session-trust/challenges/${challengeId}/respond`, {
method: 'POST',
headers: { 'Content-Type': 'application/json' },
body: JSON.stringify({
response: otpCode,
responseTimeMs: 3200 // User took 3.2 seconds
})
});
const { success, remaining_attempts } = await response.json();
if (success) {
// Challenge passed, trust restored
continueSession();
} else {
// Challenge failed
showError(`${remaining_attempts} attempts remaining`);
}###Example 3: Adding Temporary Exception (User Traveling)
// User is traveling internationally for 7 days
const exception = await fetch('/api/session-trust/policy/exceptions', {
method: 'POST',
headers: { 'Content-Type': 'application/json' },
body: JSON.stringify({
exceptionType: 'TRAVELING',
durationDays: 7,
component: 'geoContext' // Relax only geo scoring
})
});
const { exceptionId, validUntil } = await exception.json();
// Geo context penalties reduced by 30% for 7 days// Admin dashboard
const dashboard = await fetch('/api/session-trust/monitoring/dashboard');
const {
overview: { activeSessions, averageTrustScore, pendingChallenges },
tierDistribution,
recentSignals
} = await dashboard.json();
// Display:
// - 5 active sessions
// - Average trust: 87 (MONITORED)
// - 2 pending challenges
// - Tier distribution: 3 NORMAL, 2 MONITORED- Impossible Travel Detection: Prevents credential sharing across geographies
- Bot Detection: Request cadence anomaly detection
- Privilege Escalation Monitoring: Unauthorized access attempts
- Known Threat Integration: IP blacklist, malware, botnet detection
- Device Trust: Untrusted device penalties
- All signals stored with retention policies (30-90 days)
- User can mark false positives to improve accuracy
- Baseline learning requires user consent
- Geo location stored at city level (not precise coordinates)
- Average evaluation latency: <50ms per request
- Database queries optimized with indexes
- Async signal processing for non-critical paths
- Scheduled re-scoring (not on every request)
- Average trust score: Target >85
- Sessions in NORMAL tier: Target >80%
- Sessions TERMINATED: Target <2%
- Challenge success rate: Target >90%
- Average response time: Target <30 seconds
- Challenges per hour: Target <3 per user
- False positive rate: Target <5%
- User-reported false positives: Tracked
- Auto-adjustment frequency: Weekly/Monthly
- Trust evaluation latency: <50ms
- Signal collection latency: <20ms
- Database query time: <10ms
- MongoDB (for storing trust scores, signals, challenges)
- Redis (optional, for caching)
- Email service (for challenge delivery)
- Geolocation API (for geo context scoring)
# 1. Install dependencies
npm install geolib
# 2. Run database migrations
# Models auto-create collections on first use
# 3. Seed initial policies (optional)
# Create default policies for existing users
# 4. Start server
npm start
# 5. Verify API
curl http://localhost:3000/api/session-trust/current# Environment variables
# Trust scoring
TRUST_RESCORE_INTERVAL_MS=300000 # 5 minutes
TRUST_LOW_CONFIDENCE_INTERVAL_MS=60000 # 1 minute
TRUST_CHALLENGED_INTERVAL_MS=30000 # 30 seconds
# Challenge settings
CHALLENGE_EXPIRATION_MINUTES=15
CHALLENGE_MAX_ATTEMPTS=3
CHALLENGE_COOLDOWN_MINUTES=30
MAX_CHALLENGES_PER_HOUR=3
# Adaptive thresholds
AUTO_ADJUSTMENT_ENABLED=true
FALSE_POSITIVE_THRESHOLD=0.10 # 10%
RELAXATION_FACTOR=0.85 # Relax by 15%
TIGHTENING_FACTOR=1.20 # Tighten by 20%
# Baseline learning
BASELINE_LEARNING_PERIOD_DAYS=30
MIN_DATA_POINTS_FOR_BASELINE=10- Tracks trust score lifecycle for a session
- Components, weights, confidence level
- Tier transitions history
- Challenge tracking
- Individual behavioral signals
- Signal type, severity, trust impact
- Anomaly score, false positive flag
- Affected components
- User-specific threshold configuration
- Baseline profile (learned behavior)
- Component thresholds (sensitivity levels)
- Challenge strategy preferences
- False positive tracking
- Challenge lifecycle management
- Challenge type, strength, status
- User response tracking
- Friction metrics
- Monitor False Positive Rate: Keep below 5% to avoid user friction
- Review Terminated Sessions: Investigate all TERMINATED sessions
- Tune Thresholds: Adjust based on your threat landscape
- Use Temporary Exceptions: For legitimate anomalies (travel, device change)
- Call evaluate() on Every Protected Request: Continuous monitoring is key
- Handle CHALLENGE_REQUIRED Gracefully: Show user-friendly challenge UI
- Record Custom Signals: Use
/signals/recordfor app-specific signals - Log All Tier Transitions: For debugging and forensics
- Report False Positives: Help improve accuracy
- Add Temporary Exceptions: When traveling or changing devices
- Respond to Challenges Quickly: Fast responses (<2s) are rewarded
- Use Trusted Devices: Register devices for lower friction
Future enhancements can include:
- ML-based anomaly detection for request cadence
- Predictive trust scoring (anticipate drops)
- Automated baseline model training
- Collaborative filtering (user similarity)
- SIEM integration for threat intelligence
- EDR platform integration for device trust
- Identity providers for enhanced authentication
- Fraud detection services for risk scoring
Issue: Trust score drops unexpectedly
- Solution: Check recent signals with
/signals?hoursBack=1 - Common causes: Location change, UA change, unusual request rate
Issue: Too many challenges
- Solution: Check challenge rate with
/challenges/history - Fix: Adjust
maxChallengesPerHouror enable auto-adjustment
Issue: False positive rate high
- Solution: Mark signals as false positives, system will auto-adjust
- Manual fix: Use
/policy/exceptionsfor temporary relaxation
Issue: Session terminated incorrectly
- Solution: Review termination reason in trust score
- Prevention: Enable adaptive learning with more baseline data
| Criterion | Status | Evidence |
|---|---|---|
| ✅ Real-time trust evaluation | COMPLETE | evaluateSessionTrust() on every request |
| ✅ Streaming/periodic re-scoring | COMPLETE | Scheduled re-scoring every 30s-5min based on tier |
| ✅ 8 behavior/context signals | COMPLETE | All 8 components implemented |
| ✅ Dynamic enforcement tiers | COMPLETE | 4 tiers with automatic transitions |
| ✅ Anti-friction controls | COMPLETE | Adaptive thresholds + challenge throttling |
| ✅ Confidence-aware challenges | COMPLETE | Challenge type selection based on confidence |
| ✅ User baseline adaptation | COMPLETE | Baseline learning + auto-adjustment |
| ✅ False positive minimization | COMPLETE | False positive tracking + auto-relaxation |
Issue #852: Continuous Session Trust Re-Scoring
Status: ✅ COMPLETE
Framework: Production-ready with full API and documentation
Date: March 1, 2026
🎉 Real-time session trust evaluation is now live!