Adaptive Authentication


Importance of Adaptive Authentication for Admin


Configuring Adaptive Authentication (MFA) for users is crucial due to the elevated privileges they have. Specific users have access to certain levels of sensitive systems and data, making them targets for malicious actors.

Admins can dynamically adjust the authentication requirements based on risk factors like location, device, and behavior by implementing adaptive MFA. This ensures that even if an attacker gains access to admin credentials, they still face significant hurdles, reducing the likelihood of a successful breach.

Moreover, while balancing security and user experience is vital for regular users, the security of admin accounts should take precedence. Adaptive MFA allows for stricter authentication policies for administrators without impacting the daily workflow of typical users.

Adaptive MFA Configuration

Login to the Self-Service Console and navigate to the Adaptive Authentication section from the side menu.

Click on the Add Policy button on the upper right.


  • There are six different sections you can configure in an Adaptive Authentication Policy:
    • IP Configuration
    • Device Configuration
    • Location Configuration
    • Time of Access Configuration
    • Action for Behavior Change
    • Email Alerts and Custom Error Message

1. IP Configuration

In IP restriction, the admin configures a list of IP addresses to allow or deny. When a user tries to log into any application configured with adaptive authentication, the user's IP address is checked against the configured IP list, and the action (i.e., Allow, Deny or Challenge) is decided as per the configuration.

How to Configure IP Address:

  • On the Add Policy tab, select the IP Configuration and click on the Edit Button.

  • Select Add IP if the User's IP Address is not in the configured list.
  • Specify the IP address that you want to whitelist. For IP addresses outside the whitelisted range, the setting selected above applies.
  • Choose either allow or deny by selecting the radio button next to it.
  • If a user tries to login with the whitelisted IP address, they will always be allowed access.
  • IP addresses and ranges are supported in three formats: IPv4, IPv4 CIDR, and IPv6 CIDR. Choose whichever is suitable from the dropdown menu.
  • You can add multiple IPs and IP ranges by clicking on the + button.

  • Once the changes are made, scroll down to the end and click on Save.
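The list check described above can be modelled as follows. This is an added sketch, not miniOrange's code: the function names, the sample entries, and the rule that a matching Deny entry outranks a matching Allow entry are assumptions.

```python
import ipaddress

ACTIONS = ("Allow", "Deny", "Challenge")

def parse_entry(text):
    """Parse one list entry written as IPv4, IPv4 CIDR or IPv6 CIDR.

    strict=True raises ValueError for entries such as 10.0.0.5/24, where host
    bits are set and the admin probably meant a single host or another prefix.
    """
    return ipaddress.ip_network(text.strip(), strict=True)

def normalise(client_ip):
    """Parse the client address and unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d),
    so the IPv4 entries still apply when a dual-stack server reports it that way."""
    addr = ipaddress.ip_address(client_ip.strip())
    mapped = getattr(addr, "ipv4_mapped", None)
    return mapped if mapped is not None else addr

def decide(client_ip, entries, unlisted_action="Challenge"):
    """entries: list of (range_text, "Allow" or "Deny") pairs.

    Assumption of this sketch: a matching Deny entry outranks a matching
    Allow entry, and unlisted_action applies when nothing matches.
    """
    if unlisted_action not in ACTIONS:
        raise ValueError("unknown action: %r" % unlisted_action)
    addr = normalise(client_ip)
    matched = set()
    for text, action in entries:
        net = parse_entry(text)
        if net.version == addr.version and addr in net:
            matched.add(action)
    if "Deny" in matched:
        return "Deny"
    return "Allow" if "Allow" in matched else unlisted_action

# Constructed sample policy using documentation address ranges.
SAMPLE_ENTRIES = [
    ("203.0.113.0/24", "Allow"),
    ("203.0.113.66", "Deny"),
    ("2001:db8:40::/48", "Allow"),
]

if __name__ == "__main__":
    for ip in ("203.0.113.10", "203.0.113.66", "::ffff:203.0.113.10",
               "2001:db8:40:1::5", "198.51.100.9"):
        print(ip, "->", decide(ip, SAMPLE_ENTRIES))
```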

2. Device Configuration

In device restriction, admin allows end-users to add a fixed number of devices as Trusted devices for their account. Once a device is registered for a user, then that user will be allowed to login without any restriction.

How to configure Device-based Configuration:

  • On the Add Policy tab, navigate to the Device Configuration section and enable the Edit Users to Register Device option.

  • In the input field next to Number of Device Registrations Allowed, enter the number of devices you want your end-users to register. (2-3 devices are recommended.)
  • You can block logins from mobile devices, meaning all login attempts from mobile devices will be declined.

  • Scroll down to the bottom of the page and click on Save.

3. Location Configuration

In location restriction, the admin configures a list of locations from which end-users are either allowed or denied login, based on the condition set by the admin. When a user tries to login with adaptive authentication enabled, their location attributes (Latitude, Longitude, and Country Code) are verified against the location list configured by the admin. Based on this, the user is either allowed, challenged or denied.

How to configure Location-based Configuration:

  • On the Add Policy tab, navigate to the Location Configuration section.

  • In the Enter Location input field, enter the Location Name and then select the correct location from the search results using the UP & DOWN navigation keys.
  • Add the In and Around Distance for your location in the next input field. This will be the total area in and around the location we have configured using the Latitude and Longitude points.
  • In the next select list, select your distance parameter as either KMS (kilometers) or Miles. For each location you add, you can choose to either allow or deny it by enabling or disabling the switch button next to it.
  • You can click on the + button to add more than one location and then follow steps 2-4 as mentioned above.

  • Scroll down to the bottom of the page and save the changes you made.
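The "In and Around Distance" check can be modelled as a great-circle radius test around each configured point. This is an added sketch, not miniOrange's code: the dictionary keys, the sample coordinates, and the rule that a Deny location outranks an overlapping Allow location are assumptions.

```python
import math

EARTH_RADIUS_KM = 6371.0088
KM_PER_MILE = 1.609344
UNITS_TO_KM = {"KMS": 1.0, "Miles": KM_PER_MILE}

def distance_km(lat1, lon1, lat2, lon2):
    """Great-circle (haversine) distance between two points, in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = (math.sin(dphi / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2)
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))

def location_decision(lat, lon, locations, unlisted_action="Challenge"):
    """Return "Allow", "Deny" or unlisted_action for a login at (lat, lon).

    Assumption of this sketch: when circles overlap, a Deny location
    outranks an Allow location.
    """
    if not (-90 <= lat <= 90 and -180 <= lon <= 180):
        raise ValueError("coordinates out of range")
    hits = set()
    for loc in locations:
        if loc["unit"] not in UNITS_TO_KM:
            raise ValueError("unknown distance unit: %r" % loc["unit"])
        radius_km = loc["radius"] * UNITS_TO_KM[loc["unit"]]
        if distance_km(lat, lon, loc["lat"], loc["lon"]) <= radius_km:
            hits.add("Allow" if loc["allow"] else "Deny")
    if "Deny" in hits:
        return "Deny"
    return "Allow" if "Allow" in hits else unlisted_action

# Constructed sample policy: a wide allowed circle with a denied circle inside it.
SAMPLE_LOCATIONS = [
    {"name": "Pune", "lat": 18.5204, "lon": 73.8567,
     "radius": 150, "unit": "KMS", "allow": True},
    {"name": "Mumbai", "lat": 19.0760, "lon": 72.8777,
     "radius": 10, "unit": "Miles", "allow": False},
]

if __name__ == "__main__":
    for name, lat, lon in (("Pune", 18.52, 73.86), ("Mumbai", 19.08, 72.88),
                           ("Delhi", 28.6139, 77.2090)):
        print(name, "->", location_decision(lat, lon, SAMPLE_LOCATIONS))
```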

4. Time of Access Configuration

In time restriction, the admin configures a time zone with Start and End Times for that time zone, and users are either allowed, denied, or challenged based on the condition in the policy. When an end-user tries to login with adaptive authentication enabled, their time zone-related attributes, such as Time-Zone and Current System Time, are verified against the list configured by the admin, and based on the configuration, the user is either allowed, denied, or challenged.

How to configure Time-based Configuration:

  • On the Add Policy tab, navigate to the Time of Access Configuration section.

  • From the Select Timezone list, select the timezone. From the Start Time and End Time lists select the appropriate values. For each Time configuration you add, you can choose to either allow or deny it by enabling or disabling the switch button next to it.
  • Enter the value in minutes in the input field next to the Time Difference allowed for the Fraud Prevention check. This value allows you to specify some relaxation before your start time and after your end time. (For example, if the start time is 6 AM and the end time is 6 PM with a time difference value set to 30 minutes, then the policy will consider the time from 5:30 AM to 6:30 PM.) If no value is entered in this field, the default value of 15 minutes is used.
  • You can click on the Add Time button to include more than one Time Configuration and then follow the above step.
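The start/end window with its time-difference relaxation, including the 15-minute default, can be modelled as below. This is an added sketch, not miniOrange's code: the function name and the fixed-offset sample time zone are assumptions, and it goes beyond the page's 6 AM to 6 PM case by also handling windows that cross midnight. It assumes the check runs on a timezone-aware UTC timestamp.

```python
from datetime import datetime, time, timedelta, timezone

DEFAULT_TOLERANCE_MIN = 15  # value the page gives when the field is left empty

def in_access_window(now_utc, tz, start, end, tolerance_min=None):
    """True if now_utc, seen in the policy time zone tz, falls inside
    [start - tolerance, end + tolerance]."""
    if now_utc.tzinfo is None:
        raise ValueError("now_utc must be timezone-aware")
    if tolerance_min is None:
        tolerance_min = DEFAULT_TOLERANCE_MIN
    if tolerance_min < 0:
        raise ValueError("tolerance must not be negative")
    tol = timedelta(minutes=tolerance_min)
    local = now_utc.astimezone(tz)
    # Try the window anchored on yesterday, today and tomorrow, so that
    # overnight windows and a tolerance that reaches past midnight both work.
    for shift in (-1, 0, 1):
        day = (local + timedelta(days=shift)).date()
        lo = datetime.combine(day, start, tzinfo=tz) - tol
        hi = datetime.combine(day, end, tzinfo=tz) + tol
        if end <= start:  # window such as 22:00 to 06:00 ends on the next day
            hi += timedelta(days=1)
        if lo <= local <= hi:
            return True
    return False

# Constructed sample: a fixed UTC+05:30 offset. A DST-aware zone would use
# zoneinfo.ZoneInfo instead.
SAMPLE_TZ = timezone(timedelta(hours=5, minutes=30))

if __name__ == "__main__":
    login = datetime(2024, 5, 1, 0, 10, tzinfo=timezone.utc)  # 05:40 local
    print(in_access_window(login, SAMPLE_TZ, time(6), time(18), 30))
    print(in_access_window(login, SAMPLE_TZ, time(6), time(18)))
```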


5. Action for Behavior Change

You can configure one of the three possible actions for your Adaptive Authentication Policy, as explained below:

Attribute | Description
Allow | Allow users to authenticate and use services if the Adaptive Authentication condition is true.
Challenge | Challenge users with one of the three methods mentioned below for verifying user authenticity.
Deny | Deny user authentications and access to services if the Adaptive Authentication condition is true.

Challenge Type Options:

Factors | Description
User Second Factor | The user needs to authenticate using the second factor they have opted for or been assigned, such as OTP over SMS, Push Notification, OTP over Email, and many more.
KBA | The system will ask the user 2 of the 3 questions they have configured in their Self-Service Console. The user is allowed to proceed further only after answering both questions correctly.
OTP over Alternate Email | The user will receive an OTP on the alternate email they have configured through the Self-Service Console. Once the user provides the correct OTP, they are allowed to proceed further.

6. Email Alerts and Custom Error Message

This section handles the notifications and alerts related to Adaptive Authentication. It provides the following options:

  • Get email alerts if users login from unknown devices or locations: Admins need to enable this option to receive alerts for the alert options listed below.

    Option | Description
    Challenge Completed and Device Registered | Enabling this option allows you to send an email alert when an end-user completes a challenge and registers a device.
    Challenge Completed but Device Not Registered | Enabling this option allows you to send an email alert when an end-user completes a challenge but does not register the device.
    Challenge Failed | Enabling this option allows you to send an email alert when an end-user fails to complete the challenge.
    Users login from unknown IP addresses, devices or locations | Enabling this option allows you to send an email alert when a user logs in from an unknown IP address, device or location.
    Number of Device registrations exceeded allowed count | Enabling this option allows you to send an email alert when the number of device registrations exceeds the allowed count.

  • The next subsection is Send email alerts, which lets you enable or disable alerts for admins and end-users. To enable alerts for admins, enable the Administrators switch button.

  • If you want multiple admin accounts to receive alerts, enable the option for admins and then enter the admin emails separated by a ‘,’ in the input field next to the Administrator’s email to receive alerts label. To enable alerts for end users, enable the “End Users” switch button.
  • If you want to customize the deny message that end users receive when their authentication is denied due to the adaptive policy, enter the message in the Deny message text box.