As an add-on to your OneLogin Enterprise or Unlimited subscription, we provide the option to use Adaptive Authentication to determine whether your users require a secondary authentication factor in addition to their password.
Adaptive Authentication uses a machine learning algorithm that calculates risk to determine whether a login requires MFA. For example, if you set up a user policy to require a one-time password (OTP) when a user is out of the office, and that user regularly works from home, Adaptive Authentication notices the pattern of regular logins from the same IP address/browser/operating system using OTP and eventually lets the user log in from that IP address/browser/operating system combination without MFA. However, when that user logs in from an unknown IP address, they will be required to provide their second authentication factor.
Adaptive Authentication can be enabled at different risk levels, some more permissive and some less permissive about letting users log in without MFA.
Adaptive Authentication risk calculations include the following factors, among others:
- IP flagged as a threat in AlienVault Open Threat Exchange
- IP blacklisted by Project HoneyPot
- Tor network access
- Blacklisted country
- New city or country
- New browser or OS
- Infrequently used browser or OS
- New device
- Access from a new IP address
- Access at an unusual time of day
- User moved with unrealistic speed between two locations
Adaptive Authentication works with all of the MFA providers and methods supported by OneLogin, including:
- OneLogin OTP
- OneLogin OTP SMS
- OneLogin security questions
- Duo Security
- Google Authenticator
- Symantec VIP Access
- Yubico Yubikey
- RSA SecurID
- Vasco Digipass & Identikey
- FireID Security
- SafeNet Authentication Manager
- Swivel Secure PINsafe
For general information about setting up MFA for OneLogin, see Adding Multi-factor Authentication.
Enabling Adaptive Authentication for MFA
To add Adaptive Authentication to your OneLogin subscription, contact OneLogin sales. Once OneLogin has added it to your plan, you can enable it for your users:
1. Log in to OneLogin as an admin.
2. Enable the secondary authentication factors (OneLogin OTP, Google Authenticator, etc.) that you want to make available to your users. See "Adding your authentication factor" in Adding Multi-factor Authentication.
3. Go to Settings > Policies to add a new User Policy or update an existing one. Click the New User Policy button or select a policy from the table.
4. Go to the MFA tab.
5. Enable OTP Auth Required.
6. Select the Available factors that you want users on this policy to have access to.
7. In the OTP bypassed for the following IP addresses field, enter the IP addresses that will never require MFA for users on this policy. In other words, create a whitelist of IP addresses that your users can log in from without providing a second authentication factor. Adaptive Authentication will always let users log in without a second authentication factor from these IP addresses.
   Tip. It may seem that whitelisting your office IP addresses is a no-brainer. But consider this: if you don't whitelist your office IPs and instead let Adaptive Authentication work out that logins from that IP address are safe, then a non-employee who tries to log in from that IP address is still challenged for a second authentication factor, because their browser/OS isn't recognized. That leaves you more secure than IP address whitelisting would.
8. Set OTP required for to one of the following:
   - Administrator Only: Only requires a second authentication factor for Super Users and the Account Owner.
   - Configured Users Only: Only requires a second authentication factor for end users who have already manually added and configured an authentication factor.
   - All Users: Requires a second authentication factor for all users. Users will be prompted to set up an authentication factor when they try to log in to OneLogin.
9. Set OTP required at to At every login. The Unknown browsers option is not recommended when using Adaptive Authentication, which already recognizes unknown browsers and includes them in its risk calculations.
10. Under Adaptive MFA, select Enable and select the Risk level. Adaptive Authentication scores the risk of each login attempt on a scale of 0-100 and compares the calculated risk score to the maximum level you're comfortable with:
   - No calculated risk: Require MFA if the login's risk factor is calculated as 5 or more. Login attempts that fit a pattern of behavior that machine learning recognizes over time as safe (say, the user logging in from their home IP address/OS/browser) will eventually be calculated as less than 5.
   - Low calculated risk: Require MFA if the login's risk factor is calculated as 20 or more. This is less strict than No calculated risk and more likely to let users log in without MFA.
   - Medium calculated risk: Require MFA if the login's risk factor is calculated as 50 or more. This is less strict than Low calculated risk and even more likely to let users log in without MFA.
11. Assign the user policy to a Group or to individual users. See "Assigning MFA security policies to Groups" and "Assigning MFA security policies to individual users" in Adding Multi-factor Authentication.
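The following script is an added illustration (not OneLogin code) of the decision the bypass-list step and the Risk level thresholds above describe: a whitelisted IP always passes, otherwise the login is challenged when its score reaches the threshold for the configured level. The event fields, the CIDR entries in the bypass list, and the sample scores are assumptions constructed for the example; they show why the Tip prefers letting Adaptive Authentication learn the office IP rather than whitelisting it.

```python
"""Model of the documented Adaptive MFA decision: IP bypass list, then risk threshold.
Added example, not OneLogin's implementation; event shape and CIDR support are assumptions."""
import ipaddress
from typing import Iterable

# Thresholds from the Risk level options: score >= threshold means MFA is required.
RISK_LEVEL_THRESHOLD = {"none": 5, "low": 20, "medium": 50}


def ip_bypassed(ip: str, bypass_list: Iterable[str]) -> bool:
    """True if ip is covered by the 'OTP bypassed for the following IP addresses' list.
    Entries may be single addresses or CIDR ranges (range support is an assumption here)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(entry, strict=False) for entry in bypass_list)


def mfa_required(ip: str, risk_score: int, risk_level: str, bypass_list=()) -> bool:
    """Decide whether a login attempt is challenged for a second factor."""
    if ip_bypassed(ip, bypass_list):
        return False  # the whitelist wins regardless of the calculated score
    return risk_score >= RISK_LEVEL_THRESHOLD[risk_level]


def challenged_logins(events, risk_level, bypass_list=()):
    """Return the ids of the sample events that would be challenged under the policy."""
    return [e["id"] for e in events
            if mfa_required(e["ip"], e["risk_score"], risk_level, bypass_list)]


# Constructed sample attempts (not real OneLogin events or addresses).
SAMPLE_EVENTS = [
    {"id": "home-known", "ip": "198.51.100.7", "risk_score": 3,
     "reasons": []},
    {"id": "office-unknown-browser", "ip": "203.0.113.10", "risk_score": 34,
     "reasons": ["New browser or OS"]},
    {"id": "tor-exit", "ip": "192.0.2.99", "risk_score": 80,
     "reasons": ["Tor network access", "New city or country"]},
]
OFFICE_BYPASS = ["203.0.113.0/24"]  # hypothetical office range

if __name__ == "__main__":
    # With the office range whitelisted, the unrecognized browser passes with no challenge.
    print("whitelisted:", challenged_logins(SAMPLE_EVENTS, "low", OFFICE_BYPASS))  # ['tor-exit']
    # Without the whitelist, a Low policy challenges the unknown browser at score 34.
    print("adaptive:", challenged_logins(SAMPLE_EVENTS, "low"))  # ['office-unknown-browser', 'tor-exit']
```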
Monitoring risk calculation and login events
For users on policies that use Adaptive Authentication for MFA, every login-related event records the risk calculation, risk reasons, and whether login was passed through with or without a second-factor challenge.
This screenshot shows a login event for a user on a policy with Risk level set to Low (calculated risk of 20 or higher requires MFA). Because the risk level for the login attempt was calculated as 34, the user was challenged for a second authentication factor:
You can view these events in either of the following ways:
- Go to Users > All Users, select a user, and go to the MFA tab. Select a login event and view the event details.
- Go to Activity > Events, select a login event, and view the event details.