PingID Administration Guide

Web authentication policy configuration

Create a policy, define the apps and groups to which the policy applies, define the authentication methods that are allowed in the policy, and add one or more rules to the policy.

The following rules can be configured:

  • Access from the company network: Specify the IP addresses that define the company network, allow silent authentication for users within the company network, or specify the method of authentication you require when within the company network.

  • Accessing from countries: Specify the authentication method required when within a specific country or countries, or deny access for specific countries.

  • Authenticating from a new device: Specify the authentication method required when authenticating from a new device.

  • Recently authenticating from office: Determine which authentication action should be performed if the previous authentication request was within the defined period of time, and from the same accessing device, and the authenticating device’s mobile location is the office.

  • Recent authentication: Specify which authentication action should be performed if the previous authentication request was within the defined period of time, and from the same accessing device.

  • Mobile OS version: Specify which authentication action should be performed for the defined mobile OS versions. Deny access for versions that are below a specific version, or define a specific authentication method for versions above a specific version.

  • Recent authentication from company network: Specify which authentication action should be performed when logging in from within the company network, if the previous authentication request was within the defined time period. Optionally specify that the user’s mobile device must be located in the office during authentication.

  • IP reputation rule: Specify the authentication method according to the risk score of the IP address of the accessing device. Determine which authentication action should be performed for accessing devices with low, medium, or high risk IP addresses.

  • Geovelocity anomaly rule: Specify the authentication method or deny access, if travel between the current login location and previous login location is not possible in the time elapsed since the last login.

  • Limit push notifications rule: Reduce the likelihood of a user acknowledging a malicious push notification as part of an MFA fatigue attack by limiting the number of push notifications the user can deny or ignore within a given time period, and specifying appropriate rule actions.

To provide a higher level of security against phishing attacks when using various MFA authentication methods, we suggest you add the Authenticating from a new device rule to your policy and configure the rule action to require Security key.

If this is configured and a user is lured to a phishing site, it is the first time the user has accessed PingID from that site and no previous authentication has been recorded for it, so the accessing device has not yet been blessed (trusted) by PingID. The Authenticating from a new device rule is therefore triggered and the user is prompted to authenticate with their security key. Security key authentication fails because the phishing hostname does not match the legitimate hostname that was bound to the security key at registration time. No other paired authentication method can be used, because the rule action allows only Security key, so the user is protected from the malicious site.
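The hostname binding described above is the WebAuthn origin check. The following is an added example, not PingID product code, that models the two places the binding is enforced: the browser refuses the ceremony when the relying party ID (RP ID) is not valid for the page origin, and the server rejects an assertion whose clientDataJSON origin differs from its own. The RP ID `idp.example.com`, the origins, and the phishing host are assumed values; signature verification over the authenticator data is omitted and noted in a comment, since the point here is the origin binding.

```python
import base64
import hashlib
import json
import secrets
import struct

# Added example (not PingID code): WebAuthn origin binding, which is why a
# security key registered for the legitimate host cannot be used on a phishing host.


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def rp_id_matches_origin(rp_id: str, origin: str) -> bool:
    """Browser-side rule: the RP ID must equal the origin's host or be a
    registrable suffix of it, otherwise the browser refuses the ceremony."""
    host = origin.split("://", 1)[1].split("/", 1)[0].split(":", 1)[0]
    return host == rp_id or host.endswith("." + rp_id)


def build_client_data(challenge: bytes, origin: str) -> bytes:
    # The browser, not page script, writes `origin`, so a phishing page cannot spoof it.
    return json.dumps(
        {"type": "webauthn.get", "challenge": b64url(challenge), "origin": origin}
    ).encode()


def build_authenticator_data(rp_id: str, counter: int, user_present: bool = True) -> bytes:
    # authenticatorData layout: SHA-256(rpId) || flags || 32-bit signature counter
    rp_id_hash = hashlib.sha256(rp_id.encode()).digest()
    flags = 0x01 if user_present else 0x00
    return rp_id_hash + bytes([flags]) + struct.pack(">I", counter)


def verify_assertion(client_data: bytes, auth_data: bytes, expected_challenge: bytes,
                     expected_origin: str, rp_id: str) -> tuple:
    """Server-side checks a relying party performs before trusting an assertion.
    Returns (ok, reason). Signature verification over
    auth_data || SHA-256(client_data) is omitted here; a real RP must do it."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if b64url_decode(cd.get("challenge", "")) != expected_challenge:
        return False, "challenge mismatch (replay or cross-session)"
    if cd.get("origin") != expected_origin:
        return False, f"origin mismatch: {cd.get('origin')!r} != {expected_origin!r}"
    if auth_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash mismatch"
    if not auth_data[32] & 0x01:
        return False, "user presence flag not set"
    return True, "ok"


def attempt_login(page_origin: str) -> tuple:
    """Simulate a security-key login from the given page origin (assumed values)."""
    rp_id = "idp.example.com"                 # assumed RP ID bound to the key at registration
    legit_origin = "https://idp.example.com"  # assumed origin the server expects
    challenge = secrets.token_bytes(32)
    # Step 1: an AitM phishing page relaying the legitimate RP ID is refused by the browser.
    # (If it used its own RP ID instead, the key would hold no credential scoped to it.)
    if not rp_id_matches_origin(rp_id, page_origin):
        return False, f"browser refused: RP ID {rp_id!r} not valid for origin {page_origin!r}"
    # Step 2: even if an assertion existed, the server checks the browser-recorded origin.
    client_data = build_client_data(challenge, page_origin)
    auth_data = build_authenticator_data(rp_id, counter=7)
    return verify_assertion(client_data, auth_data, challenge, legit_origin, rp_id)


if __name__ == "__main__":
    print(attempt_login("https://idp.example.com"))
    print(attempt_login("https://idp.example.com.evil-login.test"))
```

Both checks must be present for the protection to hold: the browser check stops the ceremony on a lookalike domain, and the server check catches any assertion whose recorded origin is not the one the relying party expects.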

If you define more than one policy, the policies are evaluated in the order in which they appear in the Policy list. If you include more than one rule in a policy, the rules are evaluated in the order in which they appear in the policy. If an application or group appears in more than one policy, only the rules in the first applicable policy listed are applied; later policies are not evaluated for that request, even if they contain stricter rules (see Policy evaluation and Policy implementation requirements for further details).
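The ordering rule above is the one most often misconfigured: a group-specific policy placed below a broad application policy never runs for members of that group. The following is an added example, not PingID code, that models first-applicable-policy, first-matching-rule evaluation so the effect of policy order can be checked before it is deployed. The policy names, the `10.0.0.0/8` company network, the `vpn` application, the `contractors` group, and the action names are all assumed values.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, List, Optional, Set, Tuple

# Added example (not PingID code): a model of ordered policy and rule evaluation.
# A request is matched against policies top to bottom; the first policy whose
# apps or groups include the request is the only one evaluated, and within it
# the first matching rule decides the action.


@dataclass
class Request:
    app: str
    groups: Set[str]
    source_ip: str
    new_device: bool


@dataclass
class Rule:
    name: str
    matches: Callable[[Request], bool]
    action: str


@dataclass
class Policy:
    name: str
    apps: Set[str]
    groups: Set[str]
    default_action: str   # used when no rule in the policy matches
    rules: List[Rule]


COMPANY_NETWORK = ipaddress.ip_network("10.0.0.0/8")  # assumed company network


def in_company_network(req: Request) -> bool:
    return ipaddress.ip_address(req.source_ip) in COMPANY_NETWORK


def policy_applies(policy: Policy, req: Request) -> bool:
    return req.app in policy.apps or bool(req.groups & policy.groups)


def evaluate(policies: List[Policy], req: Request) -> Tuple[Optional[str], Optional[str], str]:
    """Return (policy name, rule name or None, action) for the first applicable policy."""
    for policy in policies:
        if not policy_applies(policy, req):
            continue
        for rule in policy.rules:
            if rule.matches(req):
                return policy.name, rule.name, rule.action
        return policy.name, None, policy.default_action
    return None, None, "no applicable policy"


# Assumed policies. STAFF covers the vpn app for everyone; CONTRACTORS targets a
# group and wants a security key on any new device.
STAFF = Policy(
    name="All staff", apps={"vpn"}, groups=set(), default_action="any_mfa",
    rules=[Rule("Accessing from the company network", in_company_network, "allow")],
)
CONTRACTORS = Policy(
    name="Contractors", apps=set(), groups={"contractors"}, default_action="any_mfa",
    rules=[Rule("Authenticating from a new device", lambda r: r.new_device, "security_key")],
)


def contractor_new_device_action(order: List[Policy]) -> Tuple[Optional[str], Optional[str], str]:
    """A contractor hitting the vpn app from outside the network on a new device."""
    req = Request(app="vpn", groups={"contractors"}, source_ip="203.0.113.5", new_device=True)
    return evaluate(order, req)


if __name__ == "__main__":
    # Broad policy first: the contractor never reaches the security-key rule.
    print(contractor_new_device_action([STAFF, CONTRACTORS]))
    # Group policy first: the stricter rule is applied.
    print(contractor_new_device_action([CONTRACTORS, STAFF]))
```

When reviewing a policy list, walk each sensitive group through `evaluate` with the list in its configured order; if the result comes from a broad policy rather than the group's own, move the group policy above it.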

If you are using PingOne DaVinci to orchestrate your PingID flows, the following rules are not evaluated:

  • Limit push notifications rule

  • Mobile OS version rule

  • Recent authentication from office rule

  • Accessing from company network rule: authenticating device in company offices section

  • Recent authentication from company network rule: authenticating device in company offices section