If you want to reset your password and your organization has Adaptive Authentication enabled, please watch the video below for instructions.
As an add-on to your OneLogin Enterprise or Unlimited subscription, we provide the option to use Adaptive Authentication to determine whether your users require a secondary authentication factor in addition to their password.
Adaptive Authentication uses a machine learning algorithm that calculates risk to determine whether a login requires MFA. For example, if you set up a user policy to require a one-time password (OTP) when a user is out of the office, and that user regularly works from home, Adaptive Authentication notices the pattern of regular logins from the same IP address/browser/operating system using OTP and eventually lets the user log in from that IP address/browser/operating system combination without MFA. However, when that user logs in from an unknown IP address, they will be required to provide their second authentication factor.
Adaptive Authentication can be configured for higher or lower levels of security: some settings let users log in easily without MFA, while others make it harder. Additionally, each login step is presented on its own screen, which makes it easier to add or remove requirements to match your authentication needs.
Adaptive Authentication risk calculations include the following factors, among others:
- IP flagged as a threat in AlienVault Open Threat Exchange
- IP blacklisted by Project HoneyPot
- Tor network access
- Blacklisted country
- New city or country
- New browser or OS
- Infrequently used browser or OS
- New device
- Access from a new IP address
- Access at an unusual time of day
- User moved with unrealistic speed between two locations
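To make the factor list above concrete, here is an added example (not OneLogin's code; its real model is machine-learned and unpublished) that scores one login against a user's history. Every weight, the 900 km/h "unrealistic speed" cutoff, the threat-feed sets, the profile structure and the sample logins are constructed assumptions; the point is to show how the listed signals, including impossible travel between two locations, combine into a risk score and a list of reasons.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt
from typing import Optional

# Constructed stand-ins for the external feeds the page names (AlienVault OTX,
# Project HoneyPot, Tor exit lists) and for an admin's blocked-country list.
THREAT_IPS = {"203.0.113.7"}
TOR_EXIT_IPS = {"198.51.100.9"}
BLOCKED_COUNTRIES = {"ZZ"}  # placeholder code, not a real country

# Assumed weights on a 0-100 scale; they only illustrate how signals might combine.
WEIGHTS = {
    "ip_threat_feed": 40, "tor_exit": 40, "blacklisted_country": 40,
    "impossible_travel": 40, "new_city_or_country": 20, "new_browser_or_os": 15,
    "new_device": 15, "new_ip": 10, "unusual_time": 10, "infrequent_browser_or_os": 5,
}
MAX_PLAUSIBLE_KMH = 900  # roughly airliner speed; anything faster is "unrealistic"


@dataclass
class LoginAttempt:
    ip: str
    country: str
    city: str
    browser: str
    os: str
    device_id: str
    lat: float
    lon: float
    at: datetime


@dataclass
class UserProfile:
    known_ips: set
    known_locations: set        # {(country, city), ...}
    browser_os_counts: dict     # {(browser, os): number of past logins}
    known_devices: set
    usual_hours: set            # UTC hours of day seen in past logins
    last_login: Optional[LoginAttempt] = None


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two lat/lon points."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlam = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlam / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def assess_login(attempt, profile):
    """Return (risk_score, reasons) for one login judged against the user's history."""
    reasons = []
    if attempt.ip in THREAT_IPS:
        reasons.append("ip_threat_feed")
    if attempt.ip in TOR_EXIT_IPS:
        reasons.append("tor_exit")
    if attempt.country in BLOCKED_COUNTRIES:
        reasons.append("blacklisted_country")
    if (attempt.country, attempt.city) not in profile.known_locations:
        reasons.append("new_city_or_country")
    seen = profile.browser_os_counts.get((attempt.browser, attempt.os), 0)
    if seen == 0:
        reasons.append("new_browser_or_os")
    elif seen < 3:
        reasons.append("infrequent_browser_or_os")
    if attempt.device_id not in profile.known_devices:
        reasons.append("new_device")
    if attempt.ip not in profile.known_ips:
        reasons.append("new_ip")
    if attempt.at.hour not in profile.usual_hours:
        reasons.append("unusual_time")
    last = profile.last_login
    if last is not None:
        hours = (attempt.at - last.at).total_seconds() / 3600.0
        km = haversine_km(last.lat, last.lon, attempt.lat, attempt.lon)
        if hours > 0 and km / hours > MAX_PLAUSIBLE_KMH:
            reasons.append("impossible_travel")
    score = min(100, sum(WEIGHTS[r] for r in reasons))
    return score, reasons


def example_profile():
    """Constructed history for a user who normally works from a Boston office."""
    utc = timezone.utc
    return UserProfile(
        known_ips={"192.0.2.10"},
        known_locations={("US", "Boston")},
        browser_os_counts={("Chrome", "Windows"): 40},
        known_devices={"dev-1"},
        usual_hours=set(range(9, 18)),
        last_login=LoginAttempt("192.0.2.10", "US", "Boston", "Chrome", "Windows",
                                "dev-1", 42.36, -71.06, datetime(2024, 1, 8, 9, 0, tzinfo=utc)),
    )


def office_attempt():
    """Constructed: same office, same browser and device, an hour later."""
    return LoginAttempt("192.0.2.10", "US", "Boston", "Chrome", "Windows",
                        "dev-1", 42.36, -71.06, datetime(2024, 1, 8, 10, 0, tzinfo=timezone.utc))


def suspicious_attempt():
    """Constructed: Tor exit in Singapore, new device, 14 hours after the Boston login."""
    return LoginAttempt("198.51.100.9", "SG", "Singapore", "Firefox", "Linux",
                        "dev-999", 1.35, 103.82, datetime(2024, 1, 8, 23, 0, tzinfo=timezone.utc))


if __name__ == "__main__":
    for label, attempt in (("office", office_attempt()), ("suspicious", suspicious_attempt())):
        print(label, assess_login(attempt, example_profile()))
```

The office login produces no reasons and a score of 0, which is the "pattern of regular logins" case the page describes; the Singapore login trips the Tor, new-location, new-browser, new-device, new-IP, unusual-time and impossible-travel signals and saturates the score.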
Adaptive Authentication works with all of the MFA providers and methods supported by OneLogin, including:
- OneLogin Protect for iOS and Android
- OneLogin security questions
- Duo Security
- Google Authenticator
- Symantec VIP Access
- Yubico Yubikey
- RSA SecurID
- OneLogin OTP for Windows Phones and Windows Desktop (deprecated)
- OneLogin OTP SMS
For general information about setting up MFA for OneLogin, see Adding Multi-Factor Authentication.
Enabling Adaptive Authentication for MFA
To add Adaptive Authentication to your OneLogin subscription, contact OneLogin sales. Once OneLogin adds it to your plan, you can enable it for your users:
1. Log in to OneLogin as an admin.
2. Enable the secondary authentication factors (OneLogin Protect, Google Authenticator, etc.) that you want to make available to your users. See "Adding your authentication factor" in Adding Multi-Factor Authentication.
3. Go to Security > Policies to add a new User Policy or update an existing one: click the New User Policy button or select a policy from the table.
4. Go to the MFA tab.
5. Enable OTP Auth Required.
6. Select the Available factors you want users on this policy to access.
7. In the Users without MFA device must register one before logging in field, enable or disable the requirement for users to register an MFA device during the login process. The default setting is enabled. When disabled, users who do not have a registered device will not be able to register one or log in.
8. In the OTP bypassed for the following IP addresses field, enter the IP addresses that won't require MFA for users on this policy. In other words, create a whitelist of IP addresses that your users can log in from without providing a second authentication factor. Adaptive Authentication will always let users log in without a second authentication factor from these IP addresses.
   Tip: It may seem that whitelisting your office IP addresses is a no-brainer, but consider this. If you don't whitelist your office IPs and instead let Adaptive Authentication work out that logins from that IP address are safe, then a non-employee who tries to log in from that IP address is still challenged for a second authentication factor, because their browser/OS isn't recognized. You're more secure than you would be with IP address whitelisting.
9. Set OTP required for to one of the following:
   - Administrator Only: Requires a second authentication factor only for Super Users and the Account Owner.
   - Configured Users Only: Requires a second authentication factor only for end users who have already manually added and configured an authentication factor.
   - All Users: Requires a second authentication factor for all users. Users will be prompted to set up an authentication factor when they try to log in to OneLogin.
10. Set OTP required at to At every login. The Unknown browsers option is not recommended when using Adaptive Authentication, which already recognizes unknown browsers and includes them in its risk calculations.
11. Under Smart MFA, select Enable and select the Risk level you are willing to accept. Note that although these labels imply that you are taking a risk, OneLogin operates from a base level that still protects our customers.
    - Low: Low tolerance of risk, extremely strict security standards. MFA is more than likely required with each user login.
    - Medium: Medium tolerance of risk, but strict security standards. Willing to accept a medium level of risk. MFA prompts decrease when a user exhibits predictable and secure behavior, such as logging in from the same location every day at the same time.
    - High: Somewhat strict security standards, while favoring user experience. Willing to accept a somewhat higher level of risk in exchange for an easier user experience. Does not usually require MFA, but will present an MFA challenge at appropriate times, such as unusual login locations.
12. Click Save.
13. Assign the user policy to a Group or to individual users. See "Assigning MFA security policies to Groups" and "Assigning MFA security policies to individual users" in Adding Multi-Factor Authentication. Note: Adaptive Authentication can only be applied to a user policy and is not compatible with RADIUS authentication.
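The policy fields set in the procedure above interact (bypass list, OTP required for scope, device-registration setting, Smart MFA risk level). The following is an added example, not OneLogin's code, that evaluates them in that order for one login and returns what happens. The `RISK_THRESHOLDS` mapping is an assumption: the page states only that at Low a calculated risk of 5 to 25 already requires MFA, so the Medium and High cutoffs here are illustrative, as are the policy, user and office network values.

```python
import ipaddress
from dataclasses import dataclass, field

# Assumed score thresholds per Smart MFA risk level (Low taken from the page's
# 5-25 example; Medium and High are illustrative placeholders).
RISK_THRESHOLDS = {"Low": 5, "Medium": 30, "High": 60}
ADMIN_ROLES = {"Account Owner", "Super User"}


@dataclass
class UserPolicy:
    otp_auth_required: bool = True
    available_factors: set = field(default_factory=set)
    must_register_device: bool = True          # "Users without MFA device must register one..."
    otp_bypass_networks: list = field(default_factory=list)  # CIDRs from the OTP bypass field
    otp_required_for: str = "All Users"        # or "Administrator Only" / "Configured Users Only"
    smart_mfa_enabled: bool = True
    risk_level: str = "Medium"


@dataclass
class User:
    role: str                  # "Account Owner", "Super User" or "User"
    registered_factors: set


def mfa_decision(user, policy, source_ip, risk_score):
    """Return (outcome, reason); outcome is allow, challenge, register or deny.

    Rules are applied in the order the policy fields appear in the procedure.
    """
    if not policy.otp_auth_required:
        return "allow", "otp_auth_not_required"
    ip = ipaddress.ip_address(source_ip)
    if any(ip in ipaddress.ip_network(net, strict=False) for net in policy.otp_bypass_networks):
        return "allow", "ip_bypass"          # whitelisted IPs always skip the second factor
    usable = user.registered_factors & policy.available_factors
    scope = policy.otp_required_for
    if scope == "Administrator Only" and user.role not in ADMIN_ROLES:
        return "allow", "outside_otp_required_for"
    if scope == "Configured Users Only" and not usable:
        return "allow", "outside_otp_required_for"
    if not usable:
        if policy.must_register_device:
            return "register", "no_usable_factor"
        return "deny", "no_usable_factor_and_registration_disabled"
    if not policy.smart_mfa_enabled:
        return "challenge", "otp_at_every_login"
    threshold = RISK_THRESHOLDS[policy.risk_level]
    if risk_score >= threshold:
        return "challenge", f"risk_{risk_score}_reached_{policy.risk_level}_threshold_{threshold}"
    return "allow", f"risk_{risk_score}_below_{policy.risk_level}_threshold_{threshold}"


def example_policy():
    """Constructed policy: two factors offered, one office range whitelisted, Low tolerance."""
    return UserPolicy(
        available_factors={"OneLogin Protect", "Google Authenticator"},
        otp_bypass_networks=["192.0.2.0/24"],
        otp_required_for="All Users",
        risk_level="Low",
    )


if __name__ == "__main__":
    admin = User("Super User", {"OneLogin Protect"})
    print(mfa_decision(admin, example_policy(), "192.0.2.10", 34))   # office range: allow
    print(mfa_decision(admin, example_policy(), "203.0.113.7", 34))  # risk 34 at Low: challenge
```

Running it shows the trade-off the Tip describes: the same risk-34 login is challenged from an unknown address but waved through from the whitelisted range regardless of score.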
Monitoring Risk Calculation and Login Events
For users on policies that use Adaptive Authentication for MFA, every login-related event records the risk calculation, risk reasons, and whether login was passed through with or without a second-factor challenge.
The screenshot below shows a login event for a user on a policy with Risk level set to Low (a calculated risk of 5 to 25 results in an MFA requirement). Because the risk for the login attempt was calculated as 34, the user was challenged for a second authentication factor.
You can view these events in either of the following ways:
- Go to Users > All Users, select a user, and go to the MFA tab. Select a login event and view the event details.
- Go to Activity > Events, select a login event, and view the event details.
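Because each login event records the risk score, the risk reasons and whether the user was challenged, the events can be audited in bulk rather than one at a time in the console. The following is an added example, not OneLogin's code: it runs over a constructed event export and flags logins that passed without a second factor even though their score reached the policy's tolerance, noting whether a configured bypass explains each one. The field names in `SAMPLE_EVENTS` and the `RISK_THRESHOLDS` mapping (only the Low value follows from the page's 5 to 25 example) are assumptions, not OneLogin's event schema.

```python
import json
from collections import Counter

# Assumed score thresholds per Smart MFA risk level (see lead-in).
RISK_THRESHOLDS = {"Low": 5, "Medium": 30, "High": 60}

# Constructed event export with assumed field names; only the idea that each
# event carries a score, reasons and a challenged/not-challenged flag is from the page.
SAMPLE_EVENTS = """
[
 {"user": "alice", "ip": "203.0.113.7", "policy_risk_level": "Low", "risk_score": 34,
  "risk_reasons": ["new_ip", "new_browser_or_os"], "mfa_challenged": true, "bypass": null},
 {"user": "bob", "ip": "192.0.2.10", "policy_risk_level": "Low", "risk_score": 18,
  "risk_reasons": ["unusual_time"], "mfa_challenged": false, "bypass": "ip_whitelist"},
 {"user": "carol", "ip": "198.51.100.9", "policy_risk_level": "High", "risk_score": 72,
  "risk_reasons": ["new_city_or_country", "impossible_travel"], "mfa_challenged": false, "bypass": null},
 {"user": "dave", "ip": "192.0.2.44", "policy_risk_level": "Medium", "risk_score": 12,
  "risk_reasons": [], "mfa_challenged": false, "bypass": null}
]
"""


def audit_logins(events, thresholds=RISK_THRESHOLDS):
    """Return (flagged, reason_counts).

    flagged: logins that were not challenged although their score reached the
    threshold for the policy's risk level, with the bypass that explains it
    (or "unexplained", which deserves a closer look).
    reason_counts: how often each risk reason appeared across all events.
    """
    flagged = []
    reason_counts = Counter()
    for ev in events:
        reason_counts.update(ev["risk_reasons"])
        threshold = thresholds[ev["policy_risk_level"]]
        if ev["risk_score"] >= threshold and not ev["mfa_challenged"]:
            flagged.append({
                "user": ev["user"],
                "ip": ev["ip"],
                "risk_score": ev["risk_score"],
                "threshold": threshold,
                "explained_by": ev.get("bypass") or "unexplained",
                "reasons": ev["risk_reasons"],
            })
    return flagged, reason_counts


def audit_sample():
    """Run the audit over the constructed export."""
    return audit_logins(json.loads(SAMPLE_EVENTS))


if __name__ == "__main__":
    flagged, counts = audit_sample()
    for f in flagged:
        print(f"{f['user']:6} {f['ip']:14} score={f['risk_score']:3} (threshold {f['threshold']}) "
              f"no MFA, {f['explained_by']}: {', '.join(f['reasons'])}")
    print("risk reasons seen:", dict(counts))
```

In the sample, alice matches the page's screenshot case (risk 34 at Low, challenged) and is not flagged; bob is flagged but explained by the IP whitelist, which is exactly the trade-off the Tip in the procedure warns about; carol's unexplained pass-through is the record an analyst would open in Activity > Events.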