Forgerock AM Node v1.1


PREVIEW RELEASE of an authentication node for ForgeRock's Identity Platform that protects the login process with TickStream.KeyID. With TickStream.KeyID a user's typing behavior can be passively or actively enrolled and evaluated to provide an advanced second factor behavioral biometric.

For evaluation licenses please contact


The code in this repository has binary dependencies that live in the ForgeRock maven repository. Maven can be configured to authenticate to this repository by following the following ForgeRock Knowledge Base Article.


Copy the .jar file from the ../target directory into the ../webapps/openam/WEB-INF/lib directory where AM is deployed. Restart the AM service to load the TickStream.KeyID authentication tree node. The TickStream.KeyID components will then be available for use in the Authenticaton Tree designer.



To protect logins with TickStream.KeyID you must configure the Authentication Tree to use the TickStream.KeyID Login Form and TickStream.KeyID nodes.

The TickStream.KeyID Login Form node captures typing behavior metrics using JavaScript and stores it in a shared state variable. You may customize the path to the TickStream.KeyID JavaScript library.

The TickStream.KeyID node evaluates the login data captured by the login form. Typically the node is placed after the password has been authenticated. You must provide the webservice URL and authentication key for your TickStream.KeyID server. There are several additional configuration operations that let you customize the login process.

Option Description
Connection Timeout TickStream.KeyID web service connection timeout in milliseconds
Reset Profile Reset TickStream.KeyID profile after verification
Validation / Enrollment
Passive / None Always allow the user access, do not enroll the profile
Passive / Passive Always allow the user access, passively enroll the profile
Active / None Gate user access, do not enroll the profile
Active / Passive Gate user access, passively enroll profile with each subsequent login
Active / Active Gate user access, actively enroll profile until it is complete
Custom Threshold Provide a custom threshold different than the TickStream.KeyID server setting
Threshold Confidence Custom threshold confidence value (integer)
Threshold Fidelity Custom threshold fidelity value (integer)
Grant On Error Allow access if there is an error communicating with the TickStream.KeyID web service


Passwords used for enrollment should be at least 10 characters. With the TickStream.KeyID Auth Tree Node you may configure enrollment to be 'active' or 'passive'. In the active scenario shown above, a user will be prompted to enter their password repeatedly until the behavior profile is complete. In a passive scenario, the user profile will be built over subsequent logins.

Password Resets

When a user's password is reset, the user's TickStream.KeyID profile must also be reset using the TickStream.KeyID web service. Because the password reset process is environment and deployment specific, we only provide a simple scenario using authentication trees for demonstration purposes.

You can construct an password reset authentication tree using TickStream.KeyID components and the ForgeRock Set Profile Property Authentication Node. Construct an authentication tree as shown in the above diagram. Configure the TickStream.KeyID node normally and enable the Reset Profile option and disable Profile and Passive enrollment. Configure the Set Profile Property node to have a key of userPassword and a value of password.

When accessing the authentication tree, the user will be prompted to provide their username and password, the password and typing behavior will be validated, the user prompted for a new password and the KeyID profile and user password changed.


Errors, warnings and messages are logged in the openam/openam/debug/KeyIDNode file. You may configure the logging level in AM by going to the openam/Debug.jsp page. Only errors are logged when the AM service is started by default.