Geolocation Authentication Rules

Overview

Administrators can define authentication policies and set rules for access to their tenant based on the geographic location of their users. Administrators can choose to Allow Access, Deny Access, Step Up the User with LiveID, or Step Up with Time-based One-time Passcode (TOTP), depending on where the user is connecting.

A user's geolocation is derived from the IP address observed when their internet browser connects to the tenant. That IP address is resolved to a geographic location (geolocation), and the authentication rules are then evaluated; a rule is executed if the user's geolocation matches that of an enabled rule. Geolocation rules are evaluated every time the user lands on the tenant landing page.

If a user connects through a VPN or proxy, the IP address the tenant sees is the VPN's or proxy's, so the proxy's location is what the rules are evaluated against, not the user's actual location.

Administrators can set more than one rule at a time, combining Geolocation Authentication Rules and IP Address Authentication Rules to fine-tune access to their tenant.

Configure Geolocation Rules in AdminX

To access geolocation rules for your tenant, navigate to your tenant and log in as an Administrator.

Next, click the Authentication icon on the left-hand menu bar and then Rules.

Add a New Geolocation Rule

Danger

Be careful when creating rules that deny access, as it is possible to lock yourself out of your tenant.

If you are locked out, please contact us at support@1kosmos.com for assistance.

To add a new geolocation rule, click Add New.

Select Geolocation rule from the drop-down menu.

New Geolocation Rule Details

Configure the details for your new geolocation rule:

  • Rule Name: Enter a name that makes it easy to identify which geographic location the rule applies to. For this example, we will create a rule for Arizona users and use Arizona as the rule name.

  • Country: Select the country the rule applies to from the drop-down menu.

  • State: Select the state the rule applies to from the drop-down menu.

  • Decision: Select a rule decision: Allow Access, Deny Access, Step Up the User with LiveID, or Step Up the User with TOTP.

    • Allow Access: Users from the Country and State listed will be allowed access to the tenant.
    • Deny Access: Users from the Country and State listed will be denied access to the tenant.
    • Step Up the User with LiveID: Users from the Country and State listed will be allowed access after confirming their identity with LiveID.
    • Step Up the User with TOTP: Users from the Country and State listed will be allowed access after authenticating and entering a six-digit time-based one-time passcode (TOTP).

  • Enable this Rule?: Toggle the switch to activate the rule now. Rules can be enabled or disabled at any time by Administrators.

When you are finished, click Save.

After saving, your new rule will be visible on the Rules page.

Combining Geolocation Rules

Additional geolocation rules can be added and combined to fine-tune access to the tenant. The rules are evaluated in the order they are listed.

Administrators can combine IP Address authentication rules with geolocation rules.
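The following is an added example, not 1Kosmos product code, that models the evaluation described above and in the Overview: rules are walked in listed order, disabled rules are skipped, geolocation rules and IP address rules can be mixed, and the address checked is whatever the tenant sees (behind a VPN or proxy, the proxy's egress address). The rule classes, the IP-to-location table, the first-match semantics and the default decision when nothing matches are all assumptions made for illustration.

```python
"""Added example, not 1Kosmos product code: a minimal model of how an ordered
list of geolocation and IP-address authentication rules can be evaluated.
The rule classes, the IP-to-location table, first-match semantics and the
default decision when nothing matches are assumptions for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

# The four decisions named on the Rules page.
ALLOW = "Allow Access"
DENY = "Deny Access"
STEP_UP_LIVEID = "Step Up the User with LiveID"
STEP_UP_TOTP = "Step Up the User with TOTP"

Geo = Tuple[str, Optional[str]]  # (country, state); state None = not resolved


@dataclass
class GeoRule:
    name: str
    country: str
    state: Optional[str]  # None means the rule covers the whole country (assumption)
    decision: str
    enabled: bool = True

    def matches(self, geo: Geo) -> bool:
        country, state = geo
        return country == self.country and (self.state is None or state == self.state)


@dataclass
class IpRule:
    name: str
    cidr: str
    decision: str
    enabled: bool = True

    def matches(self, ip: str) -> bool:
        return ip_address(ip) in ip_network(self.cidr)


# Constructed IP-to-geolocation table standing in for a real lookup service.
GEO_DB = {
    "198.51.100.0/24": ("US", "Arizona"),
    "203.0.113.0/24": ("US", "California"),
    "192.0.2.0/24": ("FR", None),
}


def geolocate(ip: str) -> Geo:
    addr = ip_address(ip)
    for cidr, geo in GEO_DB.items():
        if addr in ip_network(cidr):
            return geo
    return ("??", None)  # unknown location matches no geolocation rule


def evaluate(rules, client_ip: str, default: str = ALLOW):
    """Return (decision, matching rule name or None).

    client_ip is the address the tenant actually sees. Behind a VPN or proxy
    that is the proxy's egress address, so its location, not the user's real
    one, is what the rules are checked against."""
    geo = geolocate(client_ip)
    for rule in rules:  # listed order; first enabled match wins (assumption)
        if not rule.enabled:
            continue
        subject = client_ip if isinstance(rule, IpRule) else geo
        if rule.matches(subject):
            return rule.decision, rule.name
    return default, None  # no rule matched: users log in as before (assumption)


def sample_rules():
    """Constructed rule set: an IP allow rule ahead of the page's Arizona rule,
    plus a disabled deny rule that must be ignored."""
    return [
        IpRule("Office egress", "198.51.100.0/28", ALLOW),
        GeoRule("Arizona", "US", "Arizona", STEP_UP_TOTP),
        GeoRule("Block FR", "FR", None, DENY, enabled=False),
    ]


if __name__ == "__main__":
    for ip in ("198.51.100.5", "198.51.100.50", "203.0.113.9", "192.0.2.10"):
        print(ip, geolocate(ip), evaluate(sample_rules(), ip))
```

Because the IP allow rule is listed first, a connection from the office range is allowed without the Arizona step-up even though it also geolocates to Arizona; reordering the two rules reverses that outcome, which is the practical consequence of rules being evaluated in listed order.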

Enabling and Disabling Geolocation Rules

Administrators can enable or disable geolocation rules at any time by navigating to the Rules page and toggling the Status switch for the corresponding rule.

Enabled rules will show a green status, with the switch indicator to the right.

Disabled rules will show a gray status, with the switch indicator to the left.

Deleting Geolocation Rules

Administrators can delete rules that are no longer needed.

Navigate to the Rules page and click the trash icon for the rule you wish to delete.

Confirm the removal of the rule by clicking Delete.

Geolocation Rules in Action

Allow Access

Users from a geographic location with a matching Allow Access rule enabled will be able to access the tenant and log in as before with no detectable difference.

Deny Access

When a user attempts to access your tenant from a geographic location with a Deny Access rule enabled, they will see a message stating they have been denied access to the tenant.

Step Up the User with LiveID

Users from a geographic location with a matching Step Up the User with LiveID rule enabled will be able to access the tenant and log in as before, with an additional step. After completing their initial authentication, users will confirm their liveness and identity using LiveID.

After completing the LiveID authentication, users can access the tenant.

Administrators can audit which users were required to perform a step-up with LiveID authentication by reviewing their tenant Login Activity Reports.

Step Up the User with Time-based One-time Passcode (TOTP)

Users from a geographic location with a matching Step Up the User with TOTP rule enabled will be able to access the tenant and log in as before, with an additional step. After completing their initial authentication, users will confirm their identity by entering a six-digit time-based one-time passcode from the BlockID Mobile Application.

When this method is enabled, users are required to enter their username (the email address associated with their account). After entering their username, users will be prompted to enter a six-digit time-based one-time passcode (TOTP).

To find your TOTP, open the BlockID Mobile Application. The six-digit TOTP will be displayed at the bottom of the screen. If you do not see the OTP, swipe left to change the view to that of the TOTP.

Enter the TOTP before the timer completes its circuit. If the timer refreshes before you can enter and submit the TOTP, you will need to enter the newest TOTP displayed on your mobile device.

After entering the six-digit OTP, users can access the tenant.
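To show why a passcode typed after the timer has wrapped is rejected, here is an added example (not BlockID code) implementing standard RFC 6238 TOTP generation and verification with a 30-second step and six digits, using the published RFC test secret; the optional one-step grace window is an assumption, and whether the BlockID server tolerates any clock drift is not stated on this page.

```python
"""Added example, not BlockID code: RFC 6238 time-based one-time passcodes
(six digits, 30-second step) with a verifier that, by default, accepts only
the code for the current time step. The secret is the RFC 6238 test vector;
the optional grace window is an assumption."""
import hashlib
import hmac
import struct
import time

STEP = 30
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: float = None, step: int = STEP) -> str:
    """The code the mobile app would display at Unix time `at` (now if None)."""
    now = time.time() if at is None else at
    return hotp(secret, int(now // step))


def seconds_remaining(at: float = None, step: int = STEP) -> int:
    """Seconds before the timer completes its circuit and the code changes."""
    now = time.time() if at is None else at
    return step - int(now % step)


def verify(secret: bytes, code: str, at: float = None,
           step: int = STEP, window: int = 0) -> bool:
    """Accept `code` if it matches the current step or one within +/- window
    steps (window=0: only the newest code is valid). Constant-time compare."""
    now = time.time() if at is None else at
    counter = int(now // step)
    for drift in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, counter + drift), code):
            return True
    return False


if __name__ == "__main__":
    secret = b"12345678901234567890"  # RFC 6238 test secret, not a real key
    print(totp(secret, at=59), "valid for", seconds_remaining(59), "more second(s)")
    print("same code 31 s later:", verify(secret, totp(secret, at=59), at=90))
```

With `window=0` the code shown at second 59 is rejected at second 90 because the counter has advanced twice, which is exactly the "enter the newest TOTP" behaviour described above; a deployment that allows `window=1` would still accept the immediately previous code, trading a few seconds of user convenience for a slightly larger replay interval.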

Administrators can audit which users were required to perform a step-up with TOTP authentication by reviewing their tenant Login Activity Reports.