PingOne

Authentication policies

Authentication policies dictate how the user’s identity is verified. For example, a single-factor authentication policy requires a single piece of evidence to verify a user’s identity, such as a password. A multi-factor policy requires additional evidence to verify a user’s identity, such as a Time-based One-Time Password (TOTP) authenticator app, FIDO2 biometrics, a push notification sent to the user’s mobile device, or a one-time passcode sent over SMS, voice, or email. You can also use multi-factor authentication to set up passwordless authentication. You can determine whether users who don’t have any enrolled multi-factor authentication (MFA) devices can bypass the MFA flow or are blocked from sign-on.

Using a username and MFA as your primary authentication method can expose users to security risks like username enumeration, MFA fatigue attacks, targeted phishing, and denial-of-service incidents. To reduce exposure, use a passwordless method like FIDO2 biometrics for primary authentication.

For each authentication policy, you can set a condition that determines when it applies. For example, the Single_Factor policy can include a condition that requires users to sign on only if the most recent sign-on occurred more than eight hours ago. If no conditions are specified, users are required to sign on every time they access the application.
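The following is an added illustration, not PingOne code or its API: a small model of how the policy types above are evaluated, covering the eight-hour sign-on condition, the MFA method set, and the bypass-or-block choice for users with no enrolled device. The `Policy` and `SignOn` types, the step names (`SKIP`, `PASSWORD`, `MFA:...`, `BLOCK`) and the scenario data are all constructed for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import FrozenSet, Optional

@dataclass(frozen=True)
class Policy:                                   # hypothetical model, not PingOne's schema
    kind: str                                   # "SINGLE_FACTOR" or "MULTI_FACTOR"
    allowed_methods: FrozenSet[str] = frozenset()  # e.g. {"FIDO2", "TOTP", "PUSH", "SMS"}
    max_session_age: Optional[timedelta] = None # condition: re-authenticate only if the last sign-on is older; None = every time
    no_device_action: str = "BLOCK"             # "BYPASS" or "BLOCK" for users with no enrolled MFA device

@dataclass(frozen=True)
class SignOn:
    now: datetime
    last_sign_on: Optional[datetime]            # None = user has never signed on
    enrolled_devices: FrozenSet[str]

def needs_fresh_sign_on(policy: Policy, s: SignOn) -> bool:
    # With no condition (or no prior sign-on) every access to the application must sign on.
    if policy.max_session_age is None or s.last_sign_on is None:
        return True
    return s.now - s.last_sign_on > policy.max_session_age

def evaluate(policy: Policy, s: SignOn) -> str:
    """Return the step the user must complete: SKIP, PASSWORD, MFA:<methods> or BLOCK."""
    if not needs_fresh_sign_on(policy, s):
        return "SKIP"
    if policy.kind == "SINGLE_FACTOR":
        return "PASSWORD"
    if policy.kind == "MULTI_FACTOR":
        usable = policy.allowed_methods & s.enrolled_devices
        if usable:
            return "MFA:" + ",".join(sorted(usable))
        # Edge case from the text: no enrolled device -> bypass the MFA flow or block sign-on.
        return "SKIP" if policy.no_device_action == "BYPASS" else "BLOCK"
    raise ValueError(f"unknown policy kind {policy.kind!r}")

NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)  # constructed scenario data, not real PingOne data
SINGLE_FACTOR = Policy("SINGLE_FACTOR", max_session_age=timedelta(hours=8))
FIDO2_OR_TOTP_BLOCK = Policy("MULTI_FACTOR", allowed_methods=frozenset({"FIDO2", "TOTP"}))
FIDO2_OR_TOTP_BYPASS = Policy("MULTI_FACTOR", allowed_methods=frozenset({"FIDO2", "TOTP"}), no_device_action="BYPASS")

def run_scenarios() -> dict:
    return {
        "recent_session": evaluate(SINGLE_FACTOR, SignOn(NOW, NOW - timedelta(hours=2), frozenset())),
        "stale_session": evaluate(SINGLE_FACTOR, SignOn(NOW, NOW - timedelta(hours=9), frozenset())),
        "has_fido2": evaluate(FIDO2_OR_TOTP_BLOCK, SignOn(NOW, None, frozenset({"FIDO2", "SMS"}))),
        "sms_only_blocked": evaluate(FIDO2_OR_TOTP_BLOCK, SignOn(NOW, None, frozenset({"SMS"}))),
        "sms_only_bypass": evaluate(FIDO2_OR_TOTP_BYPASS, SignOn(NOW, None, frozenset({"SMS"}))),
    }
```

Note that a user enrolled only in SMS is blocked by the first multi-factor policy and waved through by the second, which is exactly the trade-off the bypass setting controls.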