Skip to main content

Adaptive Authentication

Overview

Adaptive Authentication service verifies the user identity based on factors such as location, device status, and end user context. Using these factors, adaptive authentication intelligently chooses the appropriate authentication methods and enables access to authorized resources. This guide will walk you through the setup and configuration of Adaptive Authentication in BlockID.

Business Scenarios for Adaptive Authentication

Adaptive Authentication offers several business scenarios that can enhance security and user experience:

  1. Deny Access: Use Adaptive Authentication to deny access to certain users or groups based on predefined conditions. Administrators can configure rules to block access for specific users or groups if they match certain conditions, such as IP address range, group membership, or application access.

  2. Request Specific Authentication Factors: Configure journeys to request specific authentication factors for higher-risk applications. For example, for sensitive applications or transactions, administrators can set up Adaptive Authentication to require additional factors such as one-time passwords (OTP), push notifications, or biometric authentication.

  3. Different Rules for Inside and Outside Networks: Apply different authentication rules based on whether users are accessing resources from inside or outside the organization's network. Administrators can define separate authentication policies for internal network access and external network access. For instance, stricter authentication requirements may be enforced for external access to ensure security compliance.

Prerequisites

Before setting up Adaptive Authentication, ensure the following prerequisites are met:

  • Active Directory (AD) and Go Broker Configuration: Integrate Active Directory with BlockID for user authentication and access control. Ensure at least one Go Broker is available per Active Directory to facilitate seamless communication and authentication between BlockID and Active Directory.
  • BlockID Attributes & AD Attribute Mapping: Ensure that BlockID attributes include the groups attribute and map the memberof directory attribute to the groups BlockID attribute for group-based authentication.
  • Enable Adaptive Authentication Module: Toggle on the Adaptive Authentication journey in AdminX.

Step 1: Navigate to Adaptive Authentication

  • Login to AdminX.
  • Go to Authentication > Adaptive Authentication > Adaptive Authentication Journey.

Step 2: Create a new journey

  • Click on the Add new adaptive auth journey button.
  • Provide a descriptive name for the journey.
  • Enable or disable the journey as needed.

Step 3: Define Conditions

Adaptive Authentication Journeys allow administrators to build authentication paths based on various conditions. Define a condition from the following options:

ConditionsOperatorValues
IP Addressis in the range ofAccepts an array of CIDR values. For example: 192.158.1.38, 172.16.0.0/12, 192.168.0.0-192.168.255.255
IP Addressis outside the range ofAccepts an array of CIDR values and range. For example: 192.158.1.38, 172.16.0.0/12, 192.168.0.0-192.168.255.255
Groupsis one ofSpecify the full DN of the Group. Allows for multiple values
Groupsis not one ofSpecify the full DN of the Group. Allows for multiple values
Applicationsis one ofSelect applications (SAML/OIDC/Admin Control Plane) to apply policies to
Usernameis one ofAccepts an array of usernames

Step 4: Set Decision Actions

Define the outcome for each condition:

OutcomeDescription
Deny AccessDenies access when the user matches against a journey.
Just PasswordRequires the user to only provide a password to login.
Push NotificationApproves sign-ins via push notification sent to the BlockID App.
FIDOAllows the use of Windows Hello, Mac TouchID, or your security key to login.
BlockID app CodesRequires entering the 6-digit code generated by the BlockID app.
Hardware Token OTPProvides username and requires entering a 6-digit code generated from a hardware token.
Password & any OTPRequires providing a password and using passcodes generated through any channel.
Password & Web OTPRequires providing a password and using passcodes generated through Email, SMS, Voice, BlockID App, generated through APIs, and hardware token.
Password & SMS OTPRequires providing a password and entering a code delivered to the registered phone number via text.
Password & Email OTPRequires providing a password and entering a code delivered to the registered email address.
Password & Voice OTPRequires providing a password and entering a code delivered to the registered phone number via voice call.
Password & Push NotificationRequires providing the password and approving sign-ins via push notification sent to the BlockID App.
Password & FIDORequires providing the password and using an enrolled FIDO Device -- Windows Hello, Mac TouchID, or your security key to login.
Password & BlockID App CodesRequires providing the password and entering the 6-digit code generated by the BlockID app.
Password & Hardware OTP CodesRequires providing the password and code from the hardware token.

Step 5: Adaptive Authentication Journey Evaluation

  1. If a user matches multiple journeys, all matching methods are presented.

  2. If a deny access decision is included in a matching journey, access is automatically denied.

  3. All authentication policies are executed without a priority order.

  4. If a user doesn't match any journey, the default authentication journey is initiated.

Step 6: Save and Apply

  • Save the journey to apply the configuration. Test the journey to ensure it functions as expected.

Conclusion

By following this guide, you can effectively configure Adaptive Authentication in BlockID to enhance security and streamline user access to resources. Be sure to monitor the performance of your configured journeys and make adjustments as needed to optimize your authentication process.

Was this page helpful?