Adaptive Authentication
Overview
The Adaptive Authentication service verifies user identity based on factors such as location, device status, and end-user context. Using these factors, Adaptive Authentication chooses the appropriate authentication methods and grants access to authorized resources. This guide walks you through the setup and configuration of Adaptive Authentication in BlockID.
Business Scenarios for Adaptive Authentication
Adaptive Authentication offers several business scenarios that can enhance security and user experience:
- Deny Access: Use Adaptive Authentication to deny access to certain users or groups based on predefined conditions. Administrators can configure rules to block access for specific users or groups if they match certain conditions, such as IP address range, group membership, or application access.
- Request Specific Authentication Factors: Configure journeys to request specific authentication factors for higher-risk applications. For example, for sensitive applications or transactions, administrators can set up Adaptive Authentication to require additional factors such as one-time passwords (OTP), push notifications, or biometric authentication.
- Different Rules for Inside and Outside Networks: Apply different authentication rules based on whether users are accessing resources from inside or outside the organization's network. Administrators can define separate authentication policies for internal and external network access. For instance, stricter authentication requirements may be enforced for external access to ensure security compliance.
Prerequisites
Before setting up Adaptive Authentication, ensure the following prerequisites are met:
- Active Directory (AD) and Go Broker Configuration: Integrate Active Directory with BlockID for user authentication and access control. Ensure at least one Go Broker is available per Active Directory to facilitate seamless communication and authentication between BlockID and Active Directory.
- BlockID Attributes & AD Attribute Mapping: Ensure that BlockID attributes include the groups attribute and map the memberof directory attribute to the groups BlockID attribute for group-based authentication.
- Enable Adaptive Authentication Module: Toggle on the Adaptive Authentication journey in AdminX.
Step 1: Navigate to Adaptive Authentication
- Log in to AdminX.
- Go to Authentication > Adaptive Authentication > Adaptive Authentication Journey.
Step 2: Create a new journey
- Click on the Add new adaptive auth journey button.
- Provide a descriptive name for the journey.
- Enable or disable the journey as needed.
Step 3: Define Conditions
Adaptive Authentication Journeys allow administrators to build authentication paths based on various conditions. Define a condition from the following options:
| Conditions | Operator | Values |
|---|---|---|
| IP Address | is in the range of | Accepts an array of IP addresses, CIDR blocks, and address ranges. For example: 192.158.1.38, 172.16.0.0/12, 192.168.0.0-192.168.255.255 |
| IP Address | is outside the range of | Accepts an array of IP addresses, CIDR blocks, and address ranges. For example: 192.158.1.38, 172.16.0.0/12, 192.168.0.0-192.168.255.255 |
| Groups | is one of | Specify the full DN of the group. Allows multiple values. |
| Groups | is not one of | Specify the full DN of the group. Allows multiple values. |
| Applications | is one of | Select the applications (SAML/OIDC/Admin Control Plane) the policy applies to. |
| Username | is one of | Accepts an array of usernames. |
Step 4: Set Decision Actions
Define the outcome for each condition:
| Outcome | Description |
|---|---|
| Deny Access | Denies access when the user matches the journey. |
| Just Password | Requires the user to provide only a password to log in. |
| Push Notification | Approves sign-ins via a push notification sent to the BlockID App. |
| FIDO | Allows the use of Windows Hello, Mac TouchID, or a security key to log in. |
| BlockID App Codes | Requires entering the 6-digit code generated by the BlockID App. |
| Hardware Token OTP | Requires providing a username and entering the 6-digit code generated by a hardware token. |
| Password & any OTP | Requires providing a password and a passcode generated through any channel. |
| Password & Web OTP | Requires providing a password and a passcode generated through Email, SMS, Voice, the BlockID App, the APIs, or a hardware token. |
| Password & SMS OTP | Requires providing a password and entering a code delivered to the registered phone number via text message. |
| Password & Email OTP | Requires providing a password and entering a code delivered to the registered email address. |
| Password & Voice OTP | Requires providing a password and entering a code delivered to the registered phone number via voice call. |
| Password & Push Notification | Requires providing the password and approving the sign-in via a push notification sent to the BlockID App. |
| Password & FIDO | Requires providing the password and using an enrolled FIDO device (Windows Hello, Mac TouchID, or a security key) to log in. |
| Password & BlockID App Codes | Requires providing the password and entering the 6-digit code generated by the BlockID App. |
| Password & Hardware OTP Codes | Requires providing the password and the code generated by the hardware token. |
Step 5: Adaptive Authentication Journey Evaluation
- If a user matches multiple journeys, all matching methods are presented.
- If a Deny Access decision is included in any matching journey, access is automatically denied.
- All authentication policies are executed without a priority order.
- If a user does not match any journey, the default authentication journey is initiated.
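To make the Step 3 condition matching and the Step 5 evaluation rules concrete, here is an added reference evaluator (example code, not BlockID's own implementation). The condition and operator names, the sample group DNs, journeys and internal ranges are constructed; it assumes that all conditions within one journey must hold for it to match, and it uses "Password & Push Notification" as a placeholder for the default journey's outcome.

```python
import ipaddress

def ip_matches(ip, spec):
    """True if ip falls in spec: a single address, a CIDR block, or a lo-hi range."""
    addr = ipaddress.ip_address(ip)
    if "-" in spec:  # dash-separated range such as 192.168.0.0-192.168.255.255
        lo, hi = (ipaddress.ip_address(p.strip()) for p in spec.split("-"))
        return lo <= addr <= hi
    return addr in ipaddress.ip_network(spec, strict=False)  # single IP becomes a /32

def journey_matches(journey, ctx):
    """Assumption: every condition listed in a journey must hold for it to match."""
    for attr, op, values in journey["conditions"]:
        if attr == "ip":
            hit = any(ip_matches(ctx["ip"], v) for v in values)
            ok = hit if op == "in_range" else not hit          # "is outside the range of"
        else:
            have = ctx[attr] if isinstance(ctx[attr], list) else [ctx[attr]]
            hit = any(h in values for h in have)
            ok = hit if op == "is_one_of" else not hit         # "is not one of"
        if not ok:
            return False
    return True

def evaluate(journeys, ctx, default=("Password & Push Notification",)):
    """Step 5 rules: all matching enabled journeys contribute their methods (no priority
    order), Deny Access in any match denies outright, and an assumed default journey
    (here a placeholder outcome) applies when nothing matches."""
    matched = [j for j in journeys if j["enabled"] and journey_matches(j, ctx)]
    names = [j["name"] for j in matched]
    if not matched:
        return {"decision": "allow", "methods": list(default), "matched": names}
    if any(j["outcome"] == "Deny Access" for j in matched):
        return {"decision": "deny", "methods": [], "matched": names}
    return {"decision": "allow", "methods": sorted({j["outcome"] for j in matched}), "matched": names}

INTERNAL = ["172.16.0.0/12", "192.168.0.0-192.168.255.255"]  # constructed internal ranges
JOURNEYS = [  # constructed sample journeys, using outcomes from the Step 4 table
    {"name": "Block contractors from admin", "enabled": True, "outcome": "Deny Access",
     "conditions": [("groups", "is_one_of", ["CN=Contractors,OU=Groups,DC=example,DC=com"]),
                    ("application", "is_one_of", ["Admin Control Plane"])]},
    {"name": "Inside network", "enabled": True, "outcome": "Just Password",
     "conditions": [("ip", "in_range", INTERNAL)]},
    {"name": "Outside network", "enabled": True, "outcome": "Password & FIDO",
     "conditions": [("ip", "outside_range", INTERNAL)]},
    {"name": "Finance step-up", "enabled": True, "outcome": "Password & Push Notification",
     "conditions": [("groups", "is_one_of", ["CN=Finance,OU=Groups,DC=example,DC=com"])]},
]
```

Calling evaluate(JOURNEYS, ctx) for a Finance member connecting from outside the internal ranges returns both "Password & FIDO" and "Password & Push Notification", illustrating that every matching journey's method is presented; a Contractor reaching the Admin Control Plane from inside the network is denied even though the "Inside network" journey also matches.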
Step 6: Save and Apply
- Save the journey to apply the configuration.
- Test the journey to ensure it functions as expected.
Conclusion
By following this guide, you can effectively configure Adaptive Authentication in BlockID to enhance security and streamline user access to resources. Be sure to monitor the performance of your configured journeys and make adjustments as needed to optimize your authentication process.