Last updated: August 21, 2025
Executive Summary
This report assesses Descope's drag & drop authentication platform against the Anti-Financial Account Scamming Act (AFASA) requirements, specifically BSP Circular No. 1213, Series of 2025, which mandates Information Technology Risk Management standards for financial institutions in the Philippines.
Authentication
| AFASA Requirement | Descope Capability | Source |
|---|---|---|
| Multi-Factor Authentication (MFA) - 2+ verification factors | Full MFA support via Flows with knowledge (passwords, PINs), possession (SMS OTP, email OTP, TOTP, hardware tokens, passkeys) and inherence (biometric user verification of a passkey or platform authenticator) factors | BSP 1213 Sec 148, AFASA Sec 3(h) |
| Biometric Authentication | FIDO2/WebAuthn certified; supports Touch ID, Face ID, Windows Hello and passkeys with fingerprint or facial recognition | BSP 1213 Sec 148(e)(vi)(aa) |
| Behavioral Biometrics | Via Fingerprint and Sardine connectors for behavioral risk scoring (typing patterns, device movement analysis) | BSP 1213 Sec 148(e)(vi)(bb) |
| Passwordless Authentication (FIDO) | Passkeys (FIDO2), magic links, OTP, WhatsApp OTP, social login; hardware security keys (YubiKey) | BSP 1213 Sec 148(e)(vi)(cc) |
| Adaptive Authentication | Real-time risk score (0-1); context-aware flows that branch on device trust, location, behavior and risk thresholds | BSP 1213 Sec 148(e)(vi)(dd) |
| Limit Interceptable Authentication (SMS/Email OTP) | Phishing-resistant alternatives: passkeys and hardware security keys (FIDO2). TOTP authenticator apps remove the SMS/email delivery channel, but their codes are still typed by the user and can be relayed by a phishing proxy | BSP 1213 Sec 148(e)(vi) |
| Transaction Integrity Checks | Cryptographically signed session JWTs validated server-side; httpOnly cookies with sameSite=strict; Step Up tokens to re-authenticate before sensitive actions (binding the content of an individual transaction, e.g. payee and amount, remains an application-level control) | BSP 1213 Sec 148(e)(iv) |
Identity Management
| AFASA Requirement | Descope Capability | Source |
|---|---|---|
| Account Onboarding Controls | Customizable signup flows with identity verification; fraud connectors (Fingerprint, Forter, Sardine) for onboarding risk assessment | BSP 1213 Sec 148(i) |
| Account Linking Controls | Controlled linking via OAuth/OIDC; user management APIs for account associations | BSP 1213 Sec 148(i) |
| Key Account Information Change Monitoring | UserModified audit events; flow-based detection of email, phone and device changes; webhook notifications | BSP 1213 Sec 148(d)(ii), (e)(i), (f) |
| Fictitious Account Prevention | Identity verification connectors (Incode, Amazon Rekognition); fraud detection during signup | AFASA Sec 4(a)(2), Sec 5(c) |
| Sensitive Information Protection | Biometric templates never leave the user's device (FIDO2/WebAuthn; the server stores only the public-key credential); data encrypted at rest and in transit | AFASA Sec 3(i) |
Session Management
| AFASA Requirement | Descope Capability | Source |
|---|---|---|
| Secure Session Creation, Maintenance & Termination | JWTs signed with private key; configurable timeouts (Session, Refresh, Step Up tokens); logout/logoutAll functions; session inactivity timeout | BSP 1213 Sec 148(ff) |
| Session Activity Monitoring | Audit trail logs all session events; session validation on server side | BSP 1213 Sec 148(ff) |
| Rate Limiting | Built-in rate limiting per IP; configurable in Project Settings; brute-force prevention | BSP 1213 Sec 148(aa), (e)(iii) |
Device Authentication and Trust
| AFASA Requirement | Descope Capability | Source |
|---|---|---|
| Device Fingerprinting | Built-in J4A fingerprinting; Fingerprint connector with 100+ signals; unique visitor ID generation | BSP 1213 Sec 148(l), (e)(v) |
| Device Spoofing Prevention | Bot detection via Cloudflare; headless browser detection; emulator identification; VM detection | BSP 1213 Sec 148(e)(v) |
| Unsecured Device Restriction (rooted/jailbroken/emulators) | Fingerprint connector detects rooted/jailbroken devices and emulators; flow-based blocking | BSP 1213 Sec 148(e)(ii) |
| Trusted Device Management | riskInfo.trustedDevice for device recognition; single active session management; RevokeOtherSessions | BSP 1213 Sec 148(h)(ii) |
| Device Info Logging | Logs device fingerprint, IP address, ASN, browser, OS and authentication method in the audit trail | BSP 1213 Sec 148(j)(viii), (j)(xi) |
Access Control and Authorization
| AFASA Requirement | Descope Capability | Source |
|---|---|---|
| Access/Permission Revocation | RevokeOtherSessions; user management API for access control; single active session enforcement | BSP 1213 Sec 148(h)(ii) |
| Geolocation-Based Access Control | riskInfo.impossibleTravel; ASN-based rules in Flows; location-triggered step-up auth | BSP 1213 Sec 148(d)(iii) |
| Blacklist-Based Access Control | AbuseIPDB connector for IP reputation; flow conditions for blocking flagged entities | BSP 1213 Sec 148(d)(iv) |
| Script/Automation Prohibition | Bot detection, rate limiting, behavioral analysis, CAPTCHA (reCAPTCHA, Turnstile) | BSP 1213 Sec 148(e)(iii) |
Fraud Management System (FMS)
| AFASA Requirement | Descope Capability | Source |
|---|---|---|
| Real-time Fraud Monitoring & Detection | Built-in riskInfo signals; real-time risk scoring (0-1); fraud connectors (Fingerprint, Forter, Sardine, reCAPTCHA) | BSP 1213 Sec 148(d) |
| Transaction Velocity Checks | Rate limiting per IP; fraud connector velocity analysis; flow-based velocity rules | BSP 1213 Sec 148(d)(i) |
| Behavioral Anomaly Detection | Risk scoring based on behavioral patterns; Sardine and Forter connectors for behavioral analysis; ML-based detection | BSP 1213 Sec 148(d)(v) |
Bot and Automation Detection
| AFASA Requirement | Descope Capability | Source |
|---|---|---|
| Bot Detection | riskInfo.botDetected via Cloudflare; reCAPTCHA Enterprise; Fingerprint connector; Turnstile | BSP 1213 Sec 148(c), (e)(iii) |
| Browser Automation & Emulator Detection | Fingerprint connector detects headless browsers, automation tools and emulators with 20+ Smart Signals | BSP 1213 Sec 148(d), (e)(iii), (n) |
Audit and Logging
| AFASA Requirement | Descope Capability | Source |
|---|---|---|
| Comprehensive Authentication Logging | Logs auth method, password changes, profile updates, device info, IP, ASN, browser, OS, risk scores, J4A fingerprint | BSP 1213 Sec 148(j)(viii), (ix), (x), (xi) |
| Log Retention (5 years) & Protection | Audit streaming for external storage; Management API for log export; tamper-evident logging; secure storage | BSP 1213 Sec 148(j) |
Multi-Factor Authentication
AFASA Requirement
Section 6 (BSP Circular 1213, Section 148): Institutions must implement Multi-Factor Authentication (MFA) requiring two or more verification factors to gain access to resources.
Descope Capabilities
Full MFA Support
Descope provides comprehensive MFA implementation through visual workflows
Supports multiple authentication factors across all three categories:
Knowledge factors: Passwords, PINs
Possession factors: SMS OTP, Email OTP, Authenticator apps (TOTP), Hardware tokens, Passkeys
Inherence factors: Biometric user verification of a passkey or platform authenticator (fingerprint, face recognition via FIDO2/WebAuthn); the biometric match happens on the device and only the signed assertion reaches the server
Implementation Methods
No-code workflow builder (Descope Flows)
Client SDKs for mobile and web
Backend SDKs for server-side validation
REST APIs for custom implementations
Strong Authentication Mechanisms
AFASA Requirement
BSP Circular 1213, Section 148(e)(vi): BSFIs engaged in complex electronic products and services must adopt strong authentication mechanisms including:
Biometric authentication
Behavioral biometrics
Passwordless authentication (FIDO)
Adaptive authentication
Descope Capabilities
1. Biometric Authentication (FIDO2/WebAuthn Certified)
Platform authenticators (Touch ID, Face ID, Windows Hello)
Roaming authenticators (security keys, cross-device authentication)
Passkeys support
2. Passwordless Authentication
Magic links (email/SMS)
Passkeys (FIDO2 standard)
One-Time Passwords (OTP)
WhatsApp authentication (OTP delivered over WhatsApp)
Social login (Google, Facebook, etc.)
3. Adaptive Authentication
Real-time risk scoring (0-1 scale)
Context-aware authentication flows
Dynamic authentication adjustments based on:
Device trust
Location/geolocation
Behavioral patterns
Risk score thresholds
Access patterns
4. Device-Based Authentication
Device fingerprinting
Trusted device recognition
Hardware token support (YubiKey, etc.)
Fraud Management Systems (FMS)
AFASA Requirement
BSP Circular 1213, Section 148(d): Implement automated and real-time fraud monitoring and detection systems to identify and block disputed, suspicious, or fraudulent online transactions.
Descope Capabilities
Built-In Risk Detection
Bot Detection (riskInfo.botDetected)
Network-level analysis via Cloudflare
Detects bot-like behavior during authentication attempts
Risk Scoring (riskInfo.riskScore)
Unified measure of authentication risk (0-1)
Combines network-level analysis via Cloudflare with connector signals (reCAPTCHA, Turnstile, Telesign, etc.)
Takes the maximum risk level reported by any source, so the final score is conservative
Impossible Travel Detection (riskInfo.impossibleTravel)
Flags logins from geographically implausible locations
Based on geolocation and timestamp analysis of successive logins
No special requirements or Fingerprint Assess action needed
Trusted Device Recognition (riskInfo.trustedDevice)
First-party cookie-based device tracking
Recognizes previously verified devices to reduce authentication friction
Enhanced Fraud Detection (via Connectors)
Fingerprint: Advanced device fingerprinting, bot detection, and VPN detection
Forter: Fraud and behavioral risk scoring for account protection
reCAPTCHA Enterprise: Bot protection and risk assessment
Telesign: Phone number and risk intelligence
Sardine: Behavioral risk scoring and fraud detection
AbuseIPDB: IP reputation-based scoring (0-100 scale)
Turnstile: Alternative CAPTCHA solution
Transaction Monitoring Capabilities
Real-time assessment during authentication flows
Conditional flow branching based on risk signals
Integration with third-party fraud platforms
Audit trail with comprehensive logging
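The following is an added example, written for this report and not taken from Descope's code or a Flow export, of the risk-driven branching this section describes: the riskInfo signals named above (botDetected, riskScore on a 0-1 scale, impossibleTravel, trustedDevice) and a few connector outputs are folded into one conservative score by taking the maximum, then mapped to an action. The normalisation of connector outputs, the thresholds and the action names are assumptions chosen for illustration; Descope's own scoring is not published here.

```javascript
// Normalise connector outputs onto the 0-1 scale that riskInfo.riskScore uses.
// Shapes assumed for the example: AbuseIPDB reports 0-100 abuse confidence,
// Fingerprint's bot result is categorical, reCAPTCHA scores 1.0 = likely human.
function normaliseConnectorScores(connectors = {}) {
  const scores = [];
  if (typeof connectors.abuseIpdbConfidence === 'number') {
    scores.push(connectors.abuseIpdbConfidence / 100);
  }
  if (connectors.fingerprintBot === 'bad') scores.push(1.0);   // undeclared automation
  if (connectors.fingerprintBot === 'good') scores.push(0.3);  // declared bot, e.g. a monitor
  if (typeof connectors.recaptchaScore === 'number') {
    scores.push(1 - connectors.recaptchaScore);                // invert: high reCAPTCHA = low risk
  }
  return scores;
}

// Conservative aggregation: the final score is the highest risk any numeric source reported.
function aggregateRisk(riskInfo, connectors) {
  const scores = [riskInfo.riskScore ?? 0, ...normaliseConnectorScores(connectors)];
  return Math.max(...scores);
}

// Map signals to a branch. Boolean signals are treated as hard rules; the numeric score
// is compared with thresholds. A trusted device only waives the light CAPTCHA-style
// challenge, never a block or a step-up. Thresholds are illustrative assumptions.
function decideAuthAction(
  riskInfo,
  connectors = {},
  thresholds = { challenge: 0.3, stepUp: 0.5, block: 0.9 },
) {
  const score = aggregateRisk(riskInfo, connectors);
  if (riskInfo.botDetected || score >= thresholds.block) {
    return { action: 'block', score, reason: riskInfo.botDetected ? 'bot_detected' : 'score' };
  }
  if (riskInfo.impossibleTravel || score >= thresholds.stepUp) {
    return { action: 'step_up', score, reason: riskInfo.impossibleTravel ? 'impossible_travel' : 'score' };
  }
  if (score >= thresholds.challenge && !riskInfo.trustedDevice) {
    return { action: 'challenge', score, reason: 'score' };
  }
  return { action: 'allow', score };
}

// Constructed sample inputs, as a Flow condition would see them.
console.log(decideAuthAction({ riskScore: 0.1, botDetected: true }));                 // block
console.log(decideAuthAction({ riskScore: 0.1, impossibleTravel: true }));            // step_up
console.log(decideAuthAction({ riskScore: 0.35, trustedDevice: true }));              // allow
console.log(decideAuthAction({ riskScore: 0.35, trustedDevice: false }));             // challenge
console.log(decideAuthAction({ riskScore: 0.1 }, { abuseIpdbConfidence: 95 }));       // block
```

Taking the maximum rather than an average means a single confident source (the IP reputation score in the last call) is enough to block, which is the behaviour the riskScore description above commits to.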
Device Fingerprinting
AFASA Requirement
BSP Circular 1213, Section 148(e)(v): Adoption of strong device fingerprinting and mechanisms to prevent spoofing of device identity.
Descope Capabilities
Built-In Device Fingerprinting
Built-in device fingerprinting and risk detection
J4A fingerprinting for bot and suspicious activity detection
Risk signals available through riskInfo context object
Advanced Capabilities (via Fingerprint Connector)
Collects over 100 signals to generate unique visitor ID
Persistent identification across incognito sessions, deleted cookies, and VPNs
Detects automation and headless browsers
20+ Smart Signals including virtual machine use and geolocation spoofing
Bot scoring based on behavior, emulation signals, and IP data
Anti-Spoofing Measures
Bot detection via network-level analysis (Cloudflare)
Device fingerprinting generates risk signals like botDetected
Real-time risk scoring (0-1 scale) from multiple sources
Detection of spoofed environments and automation tools
Session Management
AFASA Requirement
BSP Circular 1213, Section 148(ff): Mechanisms for securely handling creation, maintenance, and termination of user sessions including authentication, session identifiers, monitoring, and proper termination.
Descope Capabilities
Session Management Features
Secure session token generation using JWTs signed with the project's private key
Configurable timeouts: Session Token, Refresh Token, Step Up Token, and Access Key Session Token
Session inactivity timeout automatically expires idle sessions
Refresh token mechanism exchanges a valid refresh token for a new session token without re-authentication
Session termination via logout (current session) and logoutAll (all of the user's sessions)
Single active session feature with RevokeOtherSessions option
Session Security
Cryptographically signed JWTs validated with the corresponding public key; the validating service must pin the expected algorithm and check exp rather than trust the token's own header
Configurable token expiration times
Refresh token rotation
Secure httpOnly cookies with sameSite=strict and secure flags
Session tokens managed in cookies or response body
Session Control
Immediate session termination capabilities
Single active session enforcement terminates previous sessions
Session validation on server side
Transaction Velocity Checks
AFASA Requirement
BSP Circular 1213, Section 148(d)(i): Monitor frequency of transactions within specific timeframes to detect unusual velocity patterns.
Descope Capabilities
Rate Limiting
Configurable request frequency restrictions per IP address
Brute-force attack prevention
Rate limits applied to authentication attempts
Implementation Methods
Built-in rate limiting controls in Project Settings
Flow-based conditional logic for custom rules
Fraud detection connectors (Fingerprint, Forter, Sardine, Telesign, etc.) for advanced risk assessment
Custom integration via HTTP and webhook connectors
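The block below is an added example, written for this report rather than taken from Descope's built-in limiter or its Project Settings, of the per-IP and per-account sliding-window rate limiting with brute-force lockout described above. It shows the shape of the control a login endpoint needs: a window of recent failures per key, a lockout once the window is exhausted (the point at which an event like LoginExceedMaxAttempts would be written), and a guard that keys on both the source IP and the target account. The window, attempt count and lockout length are assumptions chosen for the demo.

```javascript
// Sliding-window limiter keyed by caller-chosen strings such as 'ip:203.0.113.5' or 'user:alice'.
// Limits are illustrative assumptions, not Descope's defaults.
function createLoginLimiter({ windowMs = 60_000, maxAttempts = 5, lockoutMs = 15 * 60_000 } = {}) {
  const attempts = new Map();    // key -> timestamps (ms) of recent failures
  const lockedUntil = new Map(); // key -> unlock time (ms)

  // Drop failures that have aged out of the window and return the remaining ones.
  function prune(key, nowMs) {
    const recent = (attempts.get(key) ?? []).filter((t) => nowMs - t < windowMs);
    attempts.set(key, recent);
    return recent;
  }

  return {
    // Call before processing a login attempt.
    check(key, nowMs) {
      const until = lockedUntil.get(key);
      if (until !== undefined) {
        if (nowMs < until) return { allowed: false, reason: 'locked', retryAfterMs: until - nowMs };
        lockedUntil.delete(key); // lockout has expired; start clean
        attempts.delete(key);
      }
      const recent = prune(key, nowMs);
      return { allowed: true, remaining: maxAttempts - recent.length };
    },
    // Call after a failed attempt. Locks the key once the window is exhausted; this is
    // the moment to emit the audit event for exceeding the maximum attempts.
    recordFailure(key, nowMs) {
      const recent = prune(key, nowMs);
      recent.push(nowMs);
      if (recent.length >= maxAttempts) {
        lockedUntil.set(key, nowMs + lockoutMs);
        return { locked: true, until: nowMs + lockoutMs };
      }
      return { locked: false, failures: recent.length };
    },
    // Call after a successful login so legitimate typos do not accumulate.
    recordSuccess(key) {
      attempts.delete(key);
      lockedUntil.delete(key);
    },
  };
}

// Rate-limit on both the source IP and the target account: one IP spraying many accounts
// and many IPs hammering one account are both caught. Returns the first key that is blocked.
function guardLogin(limiter, { ip, username }, nowMs) {
  for (const key of [`ip:${ip}`, `user:${username}`]) {
    const result = limiter.check(key, nowMs);
    if (!result.allowed) return { ...result, key };
  }
  return { allowed: true };
}

// Demo on constructed attempts: five failures from one IP inside a minute lock that IP.
const demoLimiter = createLoginLimiter();
for (let i = 0; i < 5; i++) demoLimiter.recordFailure('ip:203.0.113.5', i * 1000);
console.log(guardLogin(demoLimiter, { ip: '203.0.113.5', username: 'bob' }, 5000)); // blocked: ip key locked
console.log(guardLogin(demoLimiter, { ip: '198.51.100.1', username: 'bob' }, 5000)); // allowed
```

Velocity rules for transactions follow the same pattern with a different key (account or payee) and window; the limiter above is per process, so a real deployment keeps the counters in a shared store such as Redis so that all instances see the same window.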
Bot Detection and Prevention
AFASA Requirement
BSP Circular 1213, Section 148(e)(iii): Prohibition of unauthorized scripts or automation tools through behavioral analysis, rate limiting, session management, and bot detection.
Descope Capabilities
Built-In Bot Detection
Bot Detection (riskInfo.botDetected)
Network-level analysis via Cloudflare
Detects bot-like behavior during authentication attempts
Enhanced Bot Prevention (via Connectors)
reCAPTCHA Enterprise: Advanced bot scoring and challenge systems
Fingerprint: Headless browser detection, emulator identification
Turnstile: Cloudflare's privacy-preserving CAPTCHA
Prevention Mechanisms
CAPTCHA challenges when bots detected
Automatic blocking of high-risk requests
Step-up authentication for suspicious activity
Real-time bot scoring
Authentication Interceptability Protection
AFASA Requirement
BSP Circular 1213, Section 148(e)(vi): Limitation on interceptable authentication mechanisms (e.g., SMS OTPs, email OTPs) due to social engineering attack risks.
Descope Capabilities
Phishing-Resistant Methods (FIDO2)
Passkeys: origin-bound public-key credentials; the authenticator signs a challenge that includes the relying party's origin, so a look-alike site cannot obtain a usable assertion. Synced passkeys are not device-bound; device-bound passkeys and hardware security keys are, where policy requires it
Biometrics: local device verification that unlocks the FIDO2 private key; the biometric template is never transmitted
Hardware security keys (e.g. YubiKey): physical possession required, with the same origin binding
Methods Not Dependent on SMS/Email Delivery (not phishing-resistant)
Authenticator apps (TOTP): the code is generated on the device rather than delivered over SMS or email, which removes the interception channel, but the user still types it and a real-time phishing proxy can relay it. Treat TOTP as a step above SMS/email OTP, not as a substitute for FIDO2
Geolocation Monitoring
AFASA Requirement
BSP Circular 1213, Section 148(p): Process of tracking the geographic or physical location of electronic devices used by customers.
Descope Capabilities
Location-Based Controls
ASN-based access control rules in Flows
Network-based authentication policies
Location-triggered step-up authentication
Conditional branching based on riskInfo.impossibleTravel
Impossible Travel Detection
riskInfo.impossibleTravel automatically flags geographically implausible logins
Time and distance analysis between successive authentication attempts
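As an added example of the time-and-distance analysis behind an impossible-travel signal, the block below computes the great-circle distance between consecutive geolocated logins for one user, divides by the elapsed time, and flags any hop that would require travelling faster than an airliner. It is written for this report to show how such a flag is derived; Descope computes riskInfo.impossibleTravel itself and its algorithm and thresholds are not published here. The login events are constructed, and the 900 km/h ceiling and the 100 km minimum distance (to ignore GeoIP jitter) are assumptions.

```javascript
const EARTH_RADIUS_KM = 6371;
const toRad = (deg) => (deg * Math.PI) / 180;

// Haversine great-circle distance between two { lat, lon } points in kilometres.
function haversineKm(a, b) {
  const dLat = toRad(b.lat - a.lat);
  const dLon = toRad(b.lon - a.lon);
  const h =
    Math.sin(dLat / 2) ** 2 +
    Math.cos(toRad(a.lat)) * Math.cos(toRad(b.lat)) * Math.sin(dLon / 2) ** 2;
  return 2 * EARTH_RADIUS_KM * Math.asin(Math.sqrt(h));
}

// events: [{ ts (unix seconds), lat, lon, ip }] for a single user, in any order.
// Returns the logins that could not plausibly have been reached from the previous one.
function detectImpossibleTravel(events, maxSpeedKmh = 900, minDistanceKm = 100) {
  const sorted = [...events].sort((a, b) => a.ts - b.ts);
  const flagged = [];
  for (let i = 1; i < sorted.length; i++) {
    const prev = sorted[i - 1];
    const cur = sorted[i];
    const km = haversineKm(prev, cur);
    if (km < minDistanceKm) continue; // GeoIP resolves to city centroids; ignore small moves
    // Same-second logins from distant places are the clearest case; clamp the interval to
    // one second so the division does not blow up.
    const hours = Math.max(cur.ts - prev.ts, 1) / 3600;
    const speedKmh = km / hours;
    if (speedKmh > maxSpeedKmh) {
      flagged.push({ index: i, from: prev.ip, to: cur.ip, km: Math.round(km), speedKmh: Math.round(speedKmh) });
    }
  }
  return flagged;
}

// Constructed sample: Manila -> Cebu two hours later is plausible;
// Cebu -> Frankfurt one hour later is not.
const SAMPLE_LOGINS = [
  { ts: 1700000000, lat: 14.5995, lon: 120.9842, ip: '203.0.113.10' }, // Manila
  { ts: 1700007200, lat: 10.3157, lon: 123.8854, ip: '203.0.113.20' }, // Cebu, +2h
  { ts: 1700010800, lat: 50.1109, lon: 8.6821, ip: '198.51.100.30' },  // Frankfurt, +1h
];

console.log(detectImpossibleTravel(SAMPLE_LOGINS)); // one flag, the Frankfurt login
```

In a Flow this flag would feed the step-up branch rather than an outright block, because VPN exits and corporate proxies produce the same pattern for legitimate users.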
Audit and Logging
AFASA Requirement
BSP Circular 1213, Section 148(j): Collect relevant transaction logs, protect against unauthorized manipulation, retain for at least 5 years.
Descope Capabilities
Comprehensive Audit Trail
All authentication events logged (login success/failure, MFA, session events)
Login attempts: LoginSucceed, LoginFailed, LoginExceedMaxAttempts
Account changes: UserCreated, UserModified, UserDeleted
Device registration and access key events
Risk assessment results and bot detection
Configuration changes (roles, permissions, settings)
Log Information Captured
User identification (User ID, Actor ID)
Timestamp (date and time)
Authentication method used
Device information (Desktop, Mobile, Tablet, Bot)
IP address and ASN (network origin)
Browser and operating system
Geographic location
Risk scores and J4A fingerprinting results
Session identifiers
Failed login reasons in error_message field
Security Features
Searchable audit logs via Management API with filtering
Export capabilities for long-term retention via audit streaming
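The block below is an added detection example for the audit trail described in this section, written for this report and not taken from Descope. It runs over a handful of constructed audit events whose fields are modelled loosely on the information listed above (action names such as UserModified, LoginSucceed and LoginFailed; user and actor IDs; IP; device; an error_message on failures), not on Descope's exact export schema, and raises three kinds of alert: a key-account-information change (email or phone), a login from a previously unseen device shortly after such a change, and one IP failing logins against many distinct accounts. The event shape, the representation of changed fields and the thresholds are assumptions.

```javascript
const SENSITIVE_FIELDS = new Set(['email', 'phone']);

// Constructed sample stream (not real Descope output): an attacker changes the victim's
// email, then signs in from a new device, while another IP sprays passwords across accounts.
const SAMPLE_EVENTS = [
  { occurred: 1700000000, action: 'LoginSucceed', userIds: ['u1'], remoteAddress: '203.0.113.5', device: 'Desktop', fingerprint: 'fp-A' },
  { occurred: 1700000300, action: 'UserModified', userIds: ['u1'], actorId: 'u1', remoteAddress: '198.51.100.7',
    changed: { email: { from: 'a@example.com', to: 'other@example.net' } } },
  { occurred: 1700000900, action: 'LoginSucceed', userIds: ['u1'], remoteAddress: '198.51.100.7', device: 'Mobile', fingerprint: 'fp-Z' },
  { occurred: 1700001000, action: 'LoginFailed', userIds: ['u2'], remoteAddress: '192.0.2.9', error_message: 'invalid password' },
  { occurred: 1700001005, action: 'LoginFailed', userIds: ['u3'], remoteAddress: '192.0.2.9', error_message: 'invalid password' },
  { occurred: 1700001010, action: 'LoginFailed', userIds: ['u4'], remoteAddress: '192.0.2.9', error_message: 'invalid password' },
  { occurred: 1700001015, action: 'LoginFailed', userIds: ['u5'], remoteAddress: '192.0.2.9', error_message: 'user not found' },
  { occurred: 1700001020, action: 'LoginFailed', userIds: ['u6'], remoteAddress: '192.0.2.9', error_message: 'invalid password' },
];

function analyseAuditEvents(events, { newDeviceWindowSec = 3600, sprayMinUsers = 5, sprayWindowSec = 300 } = {}) {
  const sorted = [...events].sort((a, b) => a.occurred - b.occurred);
  const alerts = [];
  const knownDevices = new Map();       // userId -> Set of fingerprints seen on successful logins
  const lastSensitiveChange = new Map(); // userId -> time of the last email/phone change
  const failuresByIp = new Map();       // ip -> [{ occurred, userId }]

  for (const ev of sorted) {
    const userId = ev.userIds?.[0];
    switch (ev.action) {
      case 'UserModified': {
        const fields = Object.keys(ev.changed ?? {}).filter((f) => SENSITIVE_FIELDS.has(f));
        if (fields.length > 0) {
          lastSensitiveChange.set(userId, ev.occurred);
          alerts.push({ severity: 'medium', type: 'key_account_info_changed', userId, fields, at: ev.occurred });
        }
        break;
      }
      case 'LoginSucceed': {
        const seen = knownDevices.get(userId) ?? new Set();
        const changedAt = lastSensitiveChange.get(userId);
        // A new device right after a contact-detail change is the classic takeover sequence.
        if (!seen.has(ev.fingerprint) && changedAt !== undefined && ev.occurred - changedAt <= newDeviceWindowSec) {
          alerts.push({ severity: 'high', type: 'new_device_after_account_change', userId, fingerprint: ev.fingerprint, at: ev.occurred });
        }
        seen.add(ev.fingerprint);
        knownDevices.set(userId, seen);
        break;
      }
      case 'LoginFailed': {
        const list = failuresByIp.get(ev.remoteAddress) ?? [];
        list.push({ occurred: ev.occurred, userId });
        failuresByIp.set(ev.remoteAddress, list);
        break;
      }
      default:
        break;
    }
  }

  // Password spraying: one IP, many distinct accounts, short window. Per-account lockouts
  // never fire for this pattern, so it has to be found in the logs.
  for (const [ip, list] of failuresByIp) {
    for (let i = 0; i < list.length; i++) {
      const users = new Set();
      for (let j = i; j < list.length && list[j].occurred - list[i].occurred <= sprayWindowSec; j++) {
        users.add(list[j].userId);
      }
      if (users.size >= sprayMinUsers) {
        alerts.push({ severity: 'high', type: 'password_spray', ip, distinctUsers: users.size, at: list[i].occurred });
        break;
      }
    }
  }
  return alerts;
}

console.log(analyseAuditEvents(SAMPLE_EVENTS)); // three alerts on the constructed sample
```

The same logic runs unchanged over a streamed feed by keeping the three maps as state between batches; the five-year retention requirement is about where the raw events live, while this kind of correlation is what the institution has to build on top of them.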
Other Key Aspects
Authentication & Authorization
OAuth 2.0 / OIDC Federation
OIDC authentication layer built on OAuth 2.0
JWT tokens for secure identity exchange
Supports SSO and identity federation
SAML for Enterprise SSO
SAML 2.0 support for enterprise authentication
XML-based, digitally signed assertions for secure identity exchange
Acts as both Identity Provider and Service Provider
JWT Token-Based Authorization
Session JWTs issued after successful authentication
ID tokens contain user identity claims
Access tokens for API authorization
Role-Based Access Control (RBAC)
Fine-grained permissions management
Tenant-level role assignments
Relationship-Based Access Control (ReBAC) support
User Management
SCIM for User Provisioning
SCIM 2.0 automated provisioning
Create, update, and deactivate users and groups
JIT (Just-In-Time) provisioning via SSO
Bulk User Operations
Bulk user creation and modification
Automated user lifecycle management