Account Takeover Prevention

Stop unauthorized access while speeding up logins for recognized users. Adapt authentication requirements in real-time based on device recognition and risk signals - require MFA only when it matters.

The Problem

Account takeover (ATO) is one of the most damaging forms of fraud. Attackers gain access to legitimate user accounts through stolen credentials, phishing, or credential stuffing - then drain funds, steal data, or make fraudulent purchases.

The challenge is twofold:

Attackers have valid credentials - Username and password checks pass
Legitimate users hate friction - Too much MFA drives customers away

Traditional approaches force a choice: either frustrate every user with constant verification, or leave accounts vulnerable to takeover.

Common Attack Vectors

Attack Type

Description

Scale

Credential Stuffing

Automated login attempts using leaked username/password pairs

Millions of attempts per day

Phishing

Tricking users into revealing credentials

Targeted attacks

Session Hijacking

Stealing active session tokens

Individual accounts

SIM Swapping

Taking over phone numbers to bypass SMS MFA

High-value targets

Brute Force

Guessing passwords through repeated attempts

Automated attacks

Password Spraying

Trying common passwords across many accounts

Enterprise targets

The Core Problem

Attacker has stolen credentials
Enters correct username + password
Traditional system says "Credentials valid" → Access granted

The credentials are correct. How do you know it's not the real user?

The Solution: Device-Based Recognition

Guardian Stack recognizes the device, not just the credentials. When the account owner logs in from their usual device, they sail through. When an attacker logs in with stolen credentials from a different device, additional verification is triggered.

How It Works

User enters login credentials
Guardian SDK silently collects device signals
Your backend fetches the Guardian event and checks:
- Is this a device the user has logged in from before?
- Is this a bot or automated browser?
- Is the user hiding behind a VPN/proxy?
- Does the location match the user's history?
Based on risk level → Allow, challenge with MFA, or block

The Result

Recognized device: Instant login, no friction
New device: Require email/SMS verification
Suspicious device: Require strong MFA or block
Bot/attacker: Block immediately

Implementation Guide

Install the Guardian JS SDK:

npm install @guardianstack/guardian-js

Initialize Guardian and call .get() during login:

import { loadAgent } from "@guardianstack/guardian-js";

// Initialize once when your app starts
const guardian = await loadAgent({
  siteKey: "YOUR_SITE_KEY",
});

async function handleLogin(email: string, password: string) {
  // 1. Get Guardian signals
  const response = await guardian.get();
  const requestId = response?.requestId;

  // 2. Submit login with Guardian requestId
  const result = await fetch("/api/login", {
    method: "POST",
    headers: { "Content-Type": "application/json" },
    body: JSON.stringify({
      email,
      password,
      guardianRequestId: requestId,
    }),
  });

  return result.json();
}

Step 2: Backend - Adaptive Authentication

Install the Guardian Server SDK:

npm install @guardianstack/guardianjs-server

Create your login endpoint with risk-based authentication:

import {
  createGuardianClient,
  isBot,
  isVPN,
  isTampering,
  isIncognito,
  isVirtualized,
} from "@guardianstack/guardianjs-server";

const guardianClient = createGuardianClient({
  secret: process.env.GUARDIAN_SECRET_KEY!,
});

app.post("/api/login", async (req, res) => {
  const { email, password, guardianRequestId } = req.body;

  // 1. Verify credentials first
  const user = await verifyCredentials(email, password);
  if (!user) {
    return res.status(401).json({ error: "Invalid credentials" });
  }

  // 2. Fetch Guardian event
  const event = await guardianClient.getEvent(guardianRequestId);
  const visitorId = event.identification.visitorId;

  // 3. Check for automation (credential stuffing bots)
  if (isBot(event) || isTampering(event)) {
    await logSecurityEvent("bot_login_attempt", { email, visitorId });
    return res.status(403).json({ error: "Access denied" });
  }

  // 4. Check if this is a recognized device for this user
  const knownDevice = await db.userDevices.findFirst({
    where: {
      userId: user.id,
      visitorId,
      isVerified: true,
    },
  });

  if (knownDevice) {
    // Known device — allow immediate access
    await updateLastSeen(knownDevice.id);
    const token = generateSessionToken(user);
    return res.json({ success: true, token });
  }

  // 5. New device — assess risk level
  const riskLevel = assessLoginRisk(event, user);

  if (riskLevel === "high") {
    // Block suspicious attempts
    await logSecurityEvent("high_risk_login_blocked", { email, visitorId });
    return res.status(403).json({
      error: "Login blocked",
      message: "Please contact support",
    });
  }

  if (riskLevel === "medium") {
    // Require MFA for suspicious logins
    const challengeToken = await createMfaChallenge(user, visitorId);
    return res.status(202).json({
      requiresMfa: true,
      challengeToken,
      methods: ["sms", "email", "totp"],
    });
  }

  // Low risk new device — require light verification
  const challengeToken = await createMfaChallenge(user, visitorId);
  return res.status(202).json({
    requiresMfa: true,
    challengeToken,
    methods: ["email"],
    message: "New device detected. Please verify your identity.",
  });
});

Step 3: Risk Assessment Function

function assessLoginRisk(event: GuardianEvent, user: User): "low" | "medium" | "high" {
  // High-risk signals — block or require strong MFA
  if (isBot(event) || isTampering(event)) {
    return "high";
  }

  if (isVirtualized(event)) {
    return "high";
  }

  // Check velocity (credential stuffing indicator)
  const velocity = event.velocity;
  if (velocity?.["5m"] > 5 || velocity?.["1h"] > 20) {
    return "high";
  }

  // Medium-risk signals — require MFA
  if (isVPN(event) && event.vpn?.timezoneDifference > 4) {
    return "medium";
  }

  if (event.ipInfo?.is_datacenter) {
    return "medium";
  }

  // Geographic anomaly
  const deviceCountry = event.identification.location?.country_code;
  const userCountry = user.lastKnownCountry;
  if (deviceCountry && userCountry && deviceCountry !== userCountry) {
    return "medium";
  }

  // Low-risk signals
  if (isVPN(event) || isIncognito(event)) {
    return "low"; // Still require verification for new device
  }

  return "low";
}

Step 4: MFA Verification & Device Registration

app.post("/api/verify-mfa", async (req, res) => {
  const { challengeToken, code, rememberDevice } = req.body;

  // 1. Verify the MFA code
  const challenge = await getMfaChallenge(challengeToken);
  if (!challenge || !verifyMfaCode(challenge, code)) {
    return res.status(401).json({ error: "Invalid code" });
  }

  const user = await db.users.findUnique({ where: { id: challenge.userId } });

  // 2. If user chose to remember this device, save it
  if (rememberDevice) {
    await db.userDevices.upsert({
      where: {
        userId_visitorId: {
          userId: user.id,
          visitorId: challenge.visitorId,
        },
      },
      create: {
        userId: user.id,
        visitorId: challenge.visitorId,
        isVerified: true,
        deviceName: challenge.deviceInfo?.browser || "Unknown device",
        firstSeenAt: new Date(),
        lastSeenAt: new Date(),
      },
      update: {
        isVerified: true,
        lastSeenAt: new Date(),
      },
    });
  }

  // 3. Complete login
  const token = generateSessionToken(user);
  await clearMfaChallenge(challengeToken);

  return res.json({
    success: true,
    token,
    deviceRemembered: rememberDevice,
  });
});

Real-World Examples

Credential Stuffing Prevention

Scenario: Attackers use bots to test millions of stolen username/password combinations.

app.post("/api/login", async (req, res) => {
  const event = await guardianClient.getEvent(req.body.guardianRequestId);
  const visitorId = event.identification.visitorId;

  // Check for bot signals
  if (isBot(event)) {
    // Don't reveal detection — just fail silently
    await logSecurityEvent("credential_stuffing_blocked", { visitorId });
    
    // Add artificial delay to slow down attacks
    await sleep(2000);
    
    return res.status(401).json({ error: "Invalid credentials" });
  }

  // Check login velocity for this device
  const velocity = event.velocity;
  if (velocity["5m"] > 10 || velocity["1h"] > 50) {
    await logSecurityEvent("high_velocity_login", { visitorId, velocity });
    
    return res.status(429).json({
      error: "Too many attempts",
      retryAfter: 3600,
    });
  }

  // Check failed login attempts from this device
  const recentFailures = await db.loginAttempts.count({
    where: {
      visitorId,
      success: false,
      createdAt: { gte: subMinutes(new Date(), 15) },
    },
  });

  if (recentFailures >= 5) {
    return res.status(429).json({
      error: "Too many failed attempts",
      retryAfter: 900,
    });
  }

  // Continue with normal login...
});

Impossible Travel Detection

Scenario: User logs in from New York, then 10 minutes later from Tokyo — physically impossible.

app.post("/api/login", async (req, res) => {
  const event = await guardianClient.getEvent(req.body.guardianRequestId);
  const user = await verifyCredentials(req.body.email, req.body.password);
  
  if (!user) {
    return res.status(401).json({ error: "Invalid credentials" });
  }

  const currentLocation = event.identification.location;
  const lastLogin = await db.loginHistory.findFirst({
    where: { userId: user.id },
    orderBy: { createdAt: "desc" },
  });

  if (lastLogin && currentLocation) {
    const timeSinceLastLogin = Date.now() - lastLogin.createdAt.getTime();
    const hoursSinceLastLogin = timeSinceLastLogin / (1000 * 60 * 60);

    const distance = calculateDistance(
      lastLogin.latitude,
      lastLogin.longitude,
      currentLocation.latitude,
      currentLocation.longitude
    );

    // Impossible if distance > 500 miles per hour
    const requiredHours = distance / 500;
    
    if (hoursSinceLastLogin < requiredHours && !isVPN(event)) {
      await logSecurityEvent("impossible_travel", {
        userId: user.id,
        from: lastLogin.city,
        to: currentLocation.city,
      });

      return res.status(202).json({
        requiresMfa: true,
        reason: "unusual_location",
        message: "We noticed a login from a new location. Please verify your identity.",
      });
    }
  }

  // Continue with login...
});

Session Anomaly Detection

Scenario: Active session suddenly changes device fingerprint — possible session hijacking.

async function validateSession(req, res, next) {
  const sessionToken = req.headers.authorization?.split(" ")[1];
  const guardianRequestId = req.headers["x-guardian-request-id"];

  const session = await getSession(sessionToken);
  if (!session) {
    return res.status(401).json({ error: "Invalid session" });
  }

  if (guardianRequestId) {
    const event = await guardianClient.getEvent(guardianRequestId);
    const currentVisitorId = event.identification.visitorId;

    if (session.visitorId && session.visitorId !== currentVisitorId) {
      // Device changed mid-session — possible hijacking
      await logSecurityEvent("session_device_mismatch", {
        userId: session.userId,
        originalDevice: session.visitorId,
        currentDevice: currentVisitorId,
      });

      await invalidateSession(sessionToken);
      
      return res.status(401).json({
        error: "Session expired",
        message: "Please log in again",
      });
    }
  }

  req.user = session.user;
  next();
}

Adaptive MFA for Sensitive Actions

Scenario: Normal browsing needs no MFA. Changing password or transferring funds requires verification even on known devices.

async function requireElevatedAuth(req, res, next) {
  const guardianRequestId = req.headers["x-guardian-request-id"];
  const event = await guardianClient.getEvent(guardianRequestId);
  const visitorId = event.identification.visitorId;

  // Check if user recently completed MFA
  const recentMfa = await db.mfaCompletions.findFirst({
    where: {
      userId: req.user.id,
      visitorId,
      createdAt: { gte: subMinutes(new Date(), 10) },
    },
  });

  if (recentMfa) {
    return next();
  }

  const riskLevel = assessLoginRisk(event, req.user);

  if (riskLevel === "high") {
    return res.status(202).json({
      requiresMfa: true,
      methods: ["totp"],
      reason: "sensitive_action",
    });
  }

  return res.status(202).json({
    requiresMfa: true,
    methods: ["totp", "email"],
    reason: "sensitive_action",
  });
}

app.post("/api/change-password", requireElevatedAuth, changePasswordHandler);
app.post("/api/transfer-funds", requireElevatedAuth, transferFundsHandler);

Database Schema Example

-- Track devices per user
CREATE TABLE user_devices (
  id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
  user_id UUID REFERENCES users(id) ON DELETE CASCADE,
  visitor_id VARCHAR(255) NOT NULL,
  is_verified BOOLEAN DEFAULT false,
  device_name VARCHAR(255),
  first_seen_at TIMESTAMP DEFAULT NOW(),
  last_seen_at TIMESTAMP DEFAULT NOW(),
  
  UNIQUE(user_id, visitor_id)
);

CREATE INDEX idx_user_devices_lookup 
  ON user_devices(user_id, visitor_id);

-- Login history for anomaly detection
CREATE TABLE login_history (
  id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
  user_id UUID REFERENCES users(id),
  visitor_id VARCHAR(255),
  ip_address INET,
  country VARCHAR(2),
  city VARCHAR(100),
  latitude DECIMAL(10, 8),
  longitude DECIMAL(11, 8),
  success BOOLEAN,
  risk_level VARCHAR(20),
  created_at TIMESTAMP DEFAULT NOW()
);

-- MFA challenges
CREATE TABLE mfa_challenges (
  id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
  user_id UUID REFERENCES users(id),
  visitor_id VARCHAR(255),
  challenge_token VARCHAR(255) UNIQUE,
  method VARCHAR(50),
  code_hash VARCHAR(255),
  expires_at TIMESTAMP,
  completed_at TIMESTAMP,
  created_at TIMESTAMP DEFAULT NOW()
);

-- Security events for monitoring
CREATE TABLE security_events (
  id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
  event_type VARCHAR(100) NOT NULL,
  user_id UUID,
  visitor_id VARCHAR(255),
  ip_address INET,
  metadata JSONB,
  created_at TIMESTAMP DEFAULT NOW()
);

User Experience: Device Management

Let users see and manage their recognized devices:

app.get("/api/my-devices", async (req, res) => {
  const devices = await db.userDevices.findMany({
    where: { userId: req.user.id },
    orderBy: { lastSeenAt: "desc" },
    select: {
      id: true,
      deviceName: true,
      isVerified: true,
      firstSeenAt: true,
      lastSeenAt: true,
    },
  });

  return res.json({ devices });
});

app.delete("/api/my-devices/:deviceId", async (req, res) => {
  await db.userDevices.deleteMany({
    where: {
      id: req.params.deviceId,
      userId: req.user.id,
    },
  });

  return res.json({ success: true });
});

app.post("/api/logout-all-devices", requireElevatedAuth, async (req, res) => {
  await db.userDevices.updateMany({
    where: { userId: req.user.id },
    data: { isVerified: false },
  });

  await db.sessions.deleteMany({
    where: { userId: req.user.id },
  });

  return res.json({ success: true });
});

Best Practices

Do

Remember verified devices to reduce friction for legitimate users
Require MFA on new devices even with correct credentials
Use risk-based authentication — adapt requirements to threat level
Log all login attempts with device fingerprints for forensics
Let users manage devices — view and revoke recognized devices
Monitor for anomalies — impossible travel, device changes, velocity spikes

Don't

Don't rely solely on passwords — they're often compromised
Don't trust SMS alone — vulnerable to SIM swapping
Don't block VPNs outright — many legitimate users use them
Don't reveal why login failed — helps attackers refine attacks
Don't skip MFA for "trusted" IPs — IPs are easily spoofed

Conclusion

Account takeover attacks succeed because they have valid credentials. Traditional systems can't distinguish between the real user and an attacker with stolen passwords.

Guardian Stack solves this by adding a device layer to authentication. The result:

Recognized users log in instantly without friction
New devices require verification — even with correct password
Suspicious devices are blocked or challenged with strong MFA
Attackers can't bypass protection just by having credentials

The key insight: Passwords can be stolen. Devices can't be cloned. Make the device part of your authentication.

Get Started: Sign up for Guardian Stack and protect your users today.

PreviousPayment Fraud Prevention NextReturning User Experience

Last updated 1 month ago

Was this helpful?

Good evening

hashtagThe Problem

hashtagCommon Attack Vectors

hashtagThe Core Problem

hashtagThe Solution: Device-Based Recognition

hashtagImplementation Guide

hashtagStep 1: Frontend - Capture Device Signals at Login

hashtagStep 2: Backend - Adaptive Authentication

hashtagStep 3: Risk Assessment Function

hashtagStep 4: MFA Verification & Device Registration

hashtagReal-World Examples

hashtagCredential Stuffing Prevention

hashtagImpossible Travel Detection

hashtagSession Anomaly Detection

hashtagAdaptive MFA for Sensitive Actions

hashtagDatabase Schema Example

hashtagUser Experience: Device Management

hashtagBest Practices

hashtagDo

hashtagDon't

hashtagConclusion

The Problem

Common Attack Vectors

The Core Problem

The Solution: Device-Based Recognition

Implementation Guide

Step 1: Frontend - Capture Device Signals at Login

Step 2: Backend - Adaptive Authentication

Step 3: Risk Assessment Function

Step 4: MFA Verification & Device Registration

Real-World Examples

Credential Stuffing Prevention

Impossible Travel Detection

Session Anomaly Detection

Adaptive MFA for Sensitive Actions

Database Schema Example

User Experience: Device Management

Best Practices

Do

Don't

Conclusion