SmartFactor Authentication is an add-on to your OneLogin account that includes all the features of multi-factor authentication (MFA) as well as a collection of tools for streamlining, automating, and intelligently increasing your users' account security with OneLogin's proprietary Vigilance AI threat engine. This article offers a brief overview of the tools provided by SmartFactor, as well as tips, tricks, and best practices for making the most of these features.
Check out everything that SmartFactor has to offer with our four-part video training series!
To add on the SmartFactor Authentication package, you must also have the Single Sign-On (SSO) package. Speak with your OneLogin account representative for details.
Multi-factor authentication (MFA), also sometimes called two-factor authentication or 2FA, adds an extra layer of security to user accounts, drastically reducing the chances that bad actors can steal sensitive information. It works by using multiple different factors to authenticate users instead of just one. In a typical single-factor authentication (SFA) scenario, the user signs in with a password, which acts as their one security factor. Most MFA scenarios require both the user's password and at least one other authentication method, such as an authentication app, a text message code, or a digital security certificate.
Learn more with Multi-Factor Authentication.
Vigilance AI is OneLogin's proprietary engine for analyzing a wide variety of threat factors and user behaviors that could compromise your organization's security, automatically protecting you from threats based on a calculated risk score.
When a user logs in, Vigilance tracks a wide variety of factors taking place during the login attempt, such as:
Based on these factors and more, each login attempt is given a risk score on a scale from 1 to 100. Vigilance also learns from every attempt, building up a login behavior profile for each user that captures their usual login patterns and defines what counts as "normal" activity for that user. Each time the user logs in with the same pattern of behavior, reinforcing the same habits, their risk score falls. When the pattern is broken, for example if the user signs in in the middle of the night, from a new country, or on an unfamiliar device, their risk score rises again.
You can keep a close eye on these risk scores and how they evolve with OneLogin's reporting tools. Reports and events allow you to search and filter user activities based on their risk scores, so you can quickly locate and learn from any high-risk activities taking place in your organization.
Smart MFA is a form of adaptive authentication that detects and responds to high-risk logins without sacrificing user experience. When Smart MFA is enabled for a user, they're initially prompted for a one-time password (OTP) each time they log in, while Vigilance AI tracks their login behaviors and forms their behavior profile. When their pattern is established and their risk score successfully falls below the threshold you set, Smart MFA suppresses the MFA requirement and the user no longer needs to enter an OTP with each attempt. If the user's behavior changes and their risk score rises again, Smart MFA adapts and resumes enforcing OTP authentication until their new behavior is established.
Smart MFA Risk Scores:
Similarly, Smart Access also tracks the user's pattern of behavior in relation to their risk score, but while Smart MFA requires users above a certain risk threshold to complete an additional authentication factor in order to log in, Smart Access denies these users' access entirely. The user is notified that their login attempt was denied, and an event log is generated for admin review.
Smart Access Risk Scores:
Important: All new users are typically considered High risk until the Vigilance AI risk engine has enough data to analyze the user's normal login behavior. Because of this, you must assign your new users to an onboarding user policy with Smart Access disabled.
If Smart Access is applied to a new user, their logins may be denied and their account may become locked out, permanently blocked, or disabled, requiring an admin escalation.
When the new user's typical login pattern has been established and their risk score lowers, you can then reassign them to their appropriate group's user policy moving forward.
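The behavior-profile, risk-score and threshold mechanics described above for Vigilance AI, Smart MFA and Smart Access, together with the new-user caveat, as an added illustration in Python. This is not OneLogin's code and not Vigilance AI's algorithm: the signals (country, device, network, time bucket), the weights, the `MIN_HISTORY` cold-start rule, the 30/70 thresholds, the policy names and the sample logins are all assumptions chosen for this example.

```python
"""Toy adaptive-risk model: a per-user login baseline plus the policy decision.

Added illustration, not Vigilance AI's algorithm: the signals, weights,
minimum-history rule and thresholds below are assumptions for this example."""
from collections import Counter
from dataclasses import dataclass, field
from typing import Optional

MIN_HISTORY = 5  # assumption: below this many logins there is no baseline yet


@dataclass(frozen=True)
class Attempt:
    country: str
    device_id: str
    hour: int      # 0-23 in the user's usual time zone
    asn: str       # autonomous system the login came from


@dataclass
class UserProfile:
    """Counts of what has been seen in this user's past successful logins."""
    countries: Counter = field(default_factory=Counter)
    devices: Counter = field(default_factory=Counter)
    asns: Counter = field(default_factory=Counter)
    hour_buckets: Counter = field(default_factory=Counter)  # 4-hour buckets
    total: int = 0

    def observe(self, a: Attempt) -> None:
        """Fold a successful login into the baseline (reinforces the habit)."""
        self.countries[a.country] += 1
        self.devices[a.device_id] += 1
        self.asns[a.asn] += 1
        self.hour_buckets[a.hour // 4] += 1
        self.total += 1

    def has_baseline(self) -> bool:
        return self.total >= MIN_HISTORY


def _novelty(seen: Counter, key, total: int) -> float:
    """0.0 if this value is all the user ever uses, 1.0 if never seen before."""
    return 1.0 - seen[key] / total


def risk_score(profile: UserProfile, a: Attempt) -> int:
    """Score on a 1-100 scale. A user without a baseline is treated as high
    risk (100): this is the cold-start problem behind the onboarding-policy
    advice, because Smart Access would deny every such login."""
    if not profile.has_baseline():
        return 100
    # Assumed weights: an unfamiliar country or device outweighs an odd hour.
    score = (40 * _novelty(profile.countries, a.country, profile.total)
             + 30 * _novelty(profile.devices, a.device_id, profile.total)
             + 15 * _novelty(profile.asns, a.asn, profile.total)
             + 15 * _novelty(profile.hour_buckets, a.hour // 4, profile.total))
    return max(1, min(100, round(score)))


@dataclass(frozen=True)
class Policy:
    """A user policy; None disables that feature."""
    name: str
    mfa_threshold: Optional[int]   # Smart MFA: require an OTP at or above this score
    deny_threshold: Optional[int]  # Smart Access: deny the login at or above this score


ONBOARDING = Policy("onboarding", mfa_threshold=30, deny_threshold=None)  # Smart Access off
STANDARD = Policy("standard", mfa_threshold=30, deny_threshold=70)


def decide(score: int, policy: Policy) -> str:
    """'deny' takes precedence over 'mfa', which takes precedence over 'allow'."""
    if policy.deny_threshold is not None and score >= policy.deny_threshold:
        return "deny"
    if policy.mfa_threshold is not None and score >= policy.mfa_threshold:
        return "mfa"
    return "allow"


def build_profile() -> UserProfile:
    """Constructed history: five office-hours logins from one laptop in DE."""
    p = UserProfile()
    for hour in (8, 9, 9, 10, 17):
        p.observe(Attempt("DE", "laptop-1", hour, "AS3320"))
    return p


# Constructed attempts to score against that baseline.
FAMILIAR = Attempt("DE", "laptop-1", 9, "AS3320")     # same habit as always
NEW_DEVICE = Attempt("DE", "laptop-2", 9, "AS3320")   # one signal changed
ANOMALOUS = Attempt("BR", "phone-9", 3, "AS28573")    # everything changed, 3 am

if __name__ == "__main__":
    p = build_profile()
    cases = [("familiar", p, FAMILIAR), ("new device", p, NEW_DEVICE),
             ("anomalous", p, ANOMALOUS), ("new user", UserProfile(), FAMILIAR)]
    for label, prof, a in cases:
        s = risk_score(prof, a)
        print(f"{label:10} score={s:3}  standard={decide(s, STANDARD):5}  "
              f"onboarding={decide(s, ONBOARDING)}")
```

The last case is the one the note above warns about: a brand-new user scores 100 on every login, so under the standard policy Smart Access denies them outright, while the onboarding policy only steps them up to an OTP until a baseline forms.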
Learn more with Smart MFA & Smart Access.
Smart Flows allow you to define and customize specific login flows on a user policy based on your organization's security and end-user requirements, such as passwordless or brute-force defense flows. For example, if bots or brute-force login attacks are a concern for your organization, you can change the order of the standard login flow by requiring users to complete an MFA prompt before entering their username and password.
Smart Flows can also be used in conjunction with Smart Hooks, a base OneLogin feature that empowers you to customize authentication flows and tightly integrate other systems with OneLogin. By running serverless code within the OneLogin platform, you can create custom authentication flows and integrations that meet your organization's unique security requirements.
Learn more with Smart Flows.
Compromised credential check prevents users from using credentials that have been breached and posted on the dark web. When a user attempts to create or change a password, OneLogin checks the new username and password combination against a database of compromised credentials. If that exact combination has been previously identified in a breach, the user is prevented from using that password.
Similarly, the compromised password check activates when a user attempts to create or change their password. However, while the compromised credential check searches only for the specific combination of their username and new password, this check disallows users from choosing a password that has ever been compromised in association with any username. This provides the tightest level of password restriction, eliminating hundreds of millions of possible passwords, including common and easily guessed passwords, such as "Password123" or "abcd1234".
The dynamic password block list allows you to select user attributes and prevent users from including those values in their passwords, such as their own name, username, or email address, or their department or company name.
User policies and app policies are the best way to automate your account security and put SmartFactor into action!
With user policies, you can define the security requirements that best fit the different types of users in your organization and apply them broadly to your user groups. In turn, app policies allow you to fine-tune these requirements even further by adding additional security requirements or exceptions for users accessing specific applications.