Smart MFA & Access (SmartFactor Authentication)
Article: KB0010438 Published: 04/19/2022 Last modified: 04/19/2022

Overview

Enable Smart MFA

Enable Smart Access

Monitor Risk Calculation and Login Events

Overview

As an add-on to your OneLogin subscription, we provide the option to use SmartFactor Authentication to determine whether your users require a secondary authentication factor in addition to their password. Two key features of SmartFactor Authentication, Smart MFA and Smart Access, can be enabled for higher or lower levels of security.

Note: If you wish to learn about all that SmartFactor Authentication has to offer you can find more information here.

Smart Access and Smart MFA use a machine learning algorithm we call Vigilance AI. Vigilance AI calculates a risk score based on a user's login behavior. For example, if you enable Smart MFA on a user policy, Vigilance AI notices the pattern of regular logins from the same IP address, browser, and operating system using an OTP (One-Time Password). Each time the user logs in with the same pattern of behavior, Vigilance AI lowers their risk score. Eventually, their risk score should fall below the threshold set when Smart MFA was enabled, and they will no longer be prompted for their OTP when they log in. However, when that user logs in from an unknown IP address, their risk score will increase and will most likely rise above the set threshold, so they will have to provide their OTP once again to log in successfully.

  • Smart MFA allows users to log in easily without MFA when their login behavior is determined to be low risk.
  • Smart Access can prevent users from logging in if their login behavior is determined to be high risk.

Vigilance AI risk calculations include the following factors, among others:

  • IP flagged as a threat in AlienVault Open Threat Exchange
  • IP blacklisted by Project HoneyPot
  • Tor network access
  • Blacklisted country
  • New city or country
  • New browser or OS
  • Infrequently used browser or OS
  • New device
  • Access from a new IP address
  • Access at an unusual time of day
  • User moved with unrealistic speed between two locations
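To make the scoring loop described above concrete, here is an added toy model of adaptive authentication; it is illustration code written for this article, not OneLogin's Vigilance AI or any code from the product. The factor names follow the list above, but every weight, threshold, the "familiar after three repeats" rule, the 900 km/h travel-speed cut-off, the Login and Profile structures, and the sample login sequence are assumptions constructed to make the behaviour visible. The example goes slightly beyond the text by showing both decisions in one run: a score above the challenge threshold prompts for a second factor (the Smart MFA case), while a score above a higher block threshold refuses the login (the Smart Access case).

```python
"""Toy adaptive-authentication risk model in the spirit of Smart MFA / Smart Access.
Added illustration, not OneLogin's Vigilance AI: the factor names follow the article's
list, but every weight, threshold and data structure here is a constructed assumption."""
from collections import Counter, defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from math import asin, cos, radians, sin, sqrt
from typing import Dict, List, Optional, Tuple

# Constructed points per risk factor (names follow the article's list); the
# infrequent_* weight is charged once per repeat still missing from the baseline.
WEIGHTS = {"ip_threat_listed": 40, "tor_exit": 35, "blocked_country": 50, "new_country": 25,
           "new_city": 10, "new_browser_or_os": 15, "infrequent_browser_or_os": 8,
           "new_device": 15, "new_ip": 25, "unusual_hour": 8, "impossible_travel": 45}
UA_FAMILIAR_AFTER = 3      # a browser/OS pair stops adding risk after this many repeats
MAX_PLAUSIBLE_KMH = 900.0  # faster than this between two logins counts as unrealistic speed
BLOCKED_COUNTRIES = frozenset({"ZZ"})  # placeholder code; an org would list its own
UA = "Chrome/macOS"        # browser + OS pair used by the sample logins

@dataclass
class Login:
    ip: str
    user_agent: str
    device_id: str
    city: str
    country: str
    lat: float
    lon: float
    at: datetime
    threat_flags: frozenset = frozenset()  # supplied by feeds: "ip_threat_listed", "tor_exit"

@dataclass
class Profile:
    # Per-user baseline: how often each attribute value appeared in past successful logins.
    seen: Dict[str, Counter] = field(default_factory=lambda: defaultdict(Counter))
    last: Optional[Login] = None

def unrealistic_speed(prev: Login, cur: Login) -> bool:
    # Haversine great-circle distance between consecutive logins over the elapsed time.
    p1, p2, dl = radians(prev.lat), radians(cur.lat), radians(cur.lon - prev.lon)
    km = 2 * 6371.0 * asin(sqrt(sin((p2 - p1) / 2) ** 2 + cos(p1) * cos(p2) * sin(dl / 2) ** 2))
    hours = (cur.at - prev.at).total_seconds() / 3600.0
    return km > 100.0 if hours <= 0 else km / hours > MAX_PLAUSIBLE_KMH

def assess(profile: Profile, login: Login, challenge_at: int, block_at: int) -> Tuple[int, List[str], str]:
    """Score one attempt against the baseline; returns (score, reasons, decision).
    score >= challenge_at prompts for a second factor (Smart MFA); score >= block_at
    refuses the login outright (Smart Access)."""
    seen, reasons = profile.seen, []
    reasons += [f for f in ("ip_threat_listed", "tor_exit") if f in login.threat_flags]
    if login.country in BLOCKED_COUNTRIES: reasons.append("blocked_country")
    if login.country not in seen["country"]: reasons.append("new_country")
    elif login.city not in seen["city"]: reasons.append("new_city")
    ua_deficit = max(0, UA_FAMILIAR_AFTER - seen["user_agent"][login.user_agent])
    if ua_deficit == UA_FAMILIAR_AFTER: reasons.append("new_browser_or_os")
    elif ua_deficit: reasons.append("infrequent_browser_or_os")  # shrinks with each repeat
    if login.device_id not in seen["device_id"]: reasons.append("new_device")
    if login.ip not in seen["ip"]: reasons.append("new_ip")
    total = sum(seen["hour"].values())  # hour-of-day is only judged once a baseline exists
    if total >= 5 and seen["hour"][login.at.hour] / total < 0.1: reasons.append("unusual_hour")
    if profile.last is not None and unrealistic_speed(profile.last, login):
        reasons.append("impossible_travel")
    score = sum(WEIGHTS[r] * (ua_deficit if r == "infrequent_browser_or_os" else 1) for r in reasons)
    decision = "blocked" if score >= block_at else "challenged" if score >= challenge_at else "passed"
    return score, reasons, decision

def record(profile: Profile, login: Login) -> None:
    """Fold a completed login into the baseline (called for every non-blocked login)."""
    for attr in ("ip", "user_agent", "device_id", "city", "country"):
        profile.seen[attr][getattr(login, attr)] += 1
    profile.seen["hour"][login.at.hour] += 1
    profile.last = login

def simulate(logins: List[Login], challenge_at: int = 20, block_at: int = 90) -> List[dict]:
    """Replay one user's login sequence, returning one event record per attempt."""
    profile, events = Profile(), []
    for login in logins:
        score, reasons, decision = assess(profile, login, challenge_at, block_at)
        events.append({"at": login.at.isoformat(), "score": score,
                       "reasons": reasons, "decision": decision})
        if decision != "blocked":  # assumes any MFA challenge was completed successfully
            record(profile, login)
    return events

# Constructed sample: three routine logins, then a new IP, then a distant login two hours later.
SEATTLE, FRANKFURT = ("Seattle", "US", 47.61, -122.33), ("Frankfurt", "DE", 50.11, 8.68)
T0 = datetime(2022, 4, 19, 9, 0, tzinfo=timezone.utc)
SAMPLE_LOGINS = [
    Login("198.51.100.7", UA, "mac-01", *SEATTLE, T0),
    Login("198.51.100.7", UA, "mac-01", *SEATTLE, T0 + timedelta(days=1)),
    Login("198.51.100.7", UA, "mac-01", *SEATTLE, T0 + timedelta(days=2)),
    Login("203.0.113.9", UA, "mac-01", *SEATTLE, T0 + timedelta(days=3)),
    Login("192.0.2.44", UA, "phone-02", *FRANKFURT, T0 + timedelta(days=3, hours=2)),
]

def demo() -> List[dict]:
    return simulate(SAMPLE_LOGINS)
```

Running `demo()` replays the constructed sequence: the first login scores 80 (everything is new) and is challenged, the two repeats score 16 and 8 and pass without a prompt as the browser/OS pattern becomes familiar, the login from a new IP scores 25 and is challenged again, and the login from another country two hours later combines new country, new device, new IP and unrealistic travel speed into 110, which exceeds the block threshold. Only non-blocked logins are folded into the baseline, so a refused attempt cannot teach the model a new "normal".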

Smart MFA and Smart Access work with all the MFA providers and methods supported by OneLogin, including:

  • OneLogin Protect for iOS and Android
  • OneLogin security questions
  • Duo Security
  • Google Authenticator
  • Symantec VIP Access
  • Yubico Yubikey
  • RSA SecurID
  • OneLogin OTP for Windows Phones and Windows Desktop (deprecated)
  • OneLogin OTP SMS

For general information about setting up MFA for OneLogin, see Add Multi-Factor Authentication.

Enable Smart MFA

To add SmartFactor Authentication to your OneLogin subscription, contact OneLogin sales. Once OneLogin adds it to your plan, you can enable Smart MFA for your users:

  1. Log in to the OneLogin Portal as an Account Owner or Super User.
  2. Enable the secondary authentication factors (OneLogin Protect, Google Authenticator, etc.) that you want to make available to your users.
  3. Go to Security > Policies to add a new User Policy or update an existing one.
  4. Click the New User Policy button or select a policy from the table.
    • See User Policies to find out more about how to create or modify User Policies.
  5. MFA must be enabled for Smart MFA to work.
    1. Go to the MFA tab.
    2. Enable OTP Auth Required.
    3. Select the Available factors you want users on this policy to access.
    4. Set OTP required for as appropriate for your organization:
      • Administrator Only: Only requires second authentication factor for Super Users and Account Owner.
      • Configured Users Only: Only requires second authentication factor for end users who have already manually added and configured an authentication factor.
      • All Users: Requires second authentication factor for all users. Users will be prompted to set up an authentication factor when they try to log in to OneLogin.
    5. Set OTP required at to At every login.
    6. Under Smart MFA, select Enable and select the Risk level you are willing to accept:

      Note: Although these labels imply that you are taking a risk, OneLogin operates from a base level that still protects our customers.

      • Minimal: Minimal risk tolerance, provides your organization with robust security by prompting your users for MFA in most circumstances.
      • Low: Low risk tolerance, extremely strict security standards. MFA is more than likely required when users log in.
      • Medium: Medium risk tolerance, but strict security standards. Your org accepts a medium risk level when users log in. MFA prompts decrease when a user exhibits predictable and secure behavior, such as logging in from the same location every day at the same time.
      • High: Somewhat strict security standards that favor user experience. Orgs accept a somewhat higher level of risk in exchange for an easier user experience. MFA is not usually required, but MFA challenges are presented at appropriate times, such as logins from unusual locations.
      • Very High: the strictest security standards. User experience is degraded but security risk is greatly reduced.
    7. Click Save.
  6. Assign the user policy to a Group or to individual users.
    • Note: Smart MFA Authentication can only be applied to a user policy and is not compatible with RADIUS authentication.
    • See "Assigning MFA security policies to Groups" and "Assigning MFA security policies to individual users" in Add Multi-Factor Authentication.

Enable Smart Access

To add SmartFactor Authentication features to your OneLogin subscription, contact OneLogin sales. Once OneLogin adds it to your plan, you can enable Smart Access for your users:

  1. Log in to the OneLogin Portal as an Account Owner or Super User.
  2. Enable the secondary authentication factors (OneLogin Protect, Google Authenticator, etc.) that you want to make available to your users.
  3. Go to Security > Policies to add a new User Policy or update an existing one.
  4. Click the New User Policy button or select a policy from the table.
    • See User Policies to find out more about how to create or modify User Policies.
  5. MFA must be enabled for Smart Access to work.
    1. Go to the MFA tab.
    2. Enable OTP Auth Required.
    3. Select the Available factors you want users on this policy to access.
    4. Set OTP required for as appropriate for your organization:
      • Administrator Only: Only requires second authentication factor for Super Users and Account Owner.
      • Configured Users Only: Only requires second authentication factor for end users who have already manually added and configured an authentication factor.
      • All Users: Requires second authentication factor for all users. Users will be prompted to set up an authentication factor when they try to log in to OneLogin.
    5. Set OTP required at to At every login.
    6. Under Smart Access, select Enable and select the Risk level you are willing to accept:

      Note: Although these labels imply that you are taking a risk, OneLogin operates from a base level that still protects our customers.

      • Low: Low risk tolerance, extremely strict security standards. This could prevent valid users from logging in.
      • Medium: Medium risk tolerance, but strict security standards. Your org accepts a medium risk level when users log in. Valid users are less likely to be blocked from logging in if the risk level is set to Medium but it is still likely to occur.
      • High: More strict security standards that favor user experience. This is the recommended level for Smart Access and the level least likely to prevent valid users from logging in.
    7. Click Save.
  6. Assign the user policy to a Group or to individual users.
    • Note: Smart Access Authentication can only be applied to a user policy and is not compatible with RADIUS authentication.
    • See "Assigning MFA security policies to Groups" and "Assigning MFA security policies to individual users" in Add Multi-Factor Authentication.

Monitor Risk Calculation and Login Events

For users on policies that use Smart MFA and/or Smart Access, every login-related event records the risk calculation, risk reasons, and whether login was passed through with or without a second-factor challenge.

The screenshot below shows a login event for a user on a policy with Risk level set to Low (a calculated risk between 5 and 25 results in an MFA requirement). Because the risk for the login attempt was calculated as 34, the user was challenged for a second authentication factor.

You can view these events in either of the following ways:

  • Go to Users > All Users, select a user, and go to the Activity tab. Select a login event and view the event details.
  • Go to Activity > Events, select a login event, and view the event details.
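Reviewing these events in bulk rather than one at a time is where the recorded risk score, risk reasons and challenge outcome become useful. The following is an added example written for this article, not OneLogin's code or its event schema: it assumes a constructed JSON-lines export whose field names (user, at, risk_score, risk_reasons, threshold, mfa_challenged, outcome) and sample records are invented for illustration. It surfaces two things a practitioner would want from the monitoring step: logins whose score reached the policy threshold yet passed without a second factor (a sign the user is not actually covered by the Smart MFA policy), and logins carrying a severe reason such as a threat-listed IP or unrealistic travel, plus per-user counts of challenges and denials.

```python
"""Review of adaptive-MFA login events, as a constructed example of the monitoring step.
The event records and their field names (risk_score, risk_reasons, threshold,
mfa_challenged, outcome) are assumptions for illustration, not OneLogin's event schema."""
import json
from collections import defaultdict
from typing import Dict, List, Tuple

# Reasons that justify analyst follow-up regardless of the challenge outcome.
SEVERE_REASONS = frozenset({"ip_threat_listed", "tor_exit", "impossible_travel"})

# Constructed sample export: one JSON record per login event for a policy whose
# threshold is 25; bob's first event is the kind of gap the review should surface.
SAMPLE_EVENTS = """
{"user": "alice@example.com", "at": "2022-04-19T09:02:11Z", "risk_score": 34, "risk_reasons": ["new_ip"], "threshold": 25, "mfa_challenged": true, "outcome": "success"}
{"user": "alice@example.com", "at": "2022-04-20T09:00:40Z", "risk_score": 4, "risk_reasons": [], "threshold": 25, "mfa_challenged": false, "outcome": "success"}
{"user": "bob@example.com", "at": "2022-04-20T03:17:05Z", "risk_score": 61, "risk_reasons": ["tor_exit", "new_country"], "threshold": 25, "mfa_challenged": false, "outcome": "success"}
{"user": "carol@example.com", "at": "2022-04-20T14:45:30Z", "risk_score": 88, "risk_reasons": ["impossible_travel", "new_device"], "threshold": 25, "mfa_challenged": true, "outcome": "denied"}
{"user": "bob@example.com", "at": "2022-04-21T03:10:00Z", "risk_score": 57, "risk_reasons": ["ip_threat_listed", "new_ip"], "threshold": 25, "mfa_challenged": true, "outcome": "success"}
"""


def parse_events(text: str) -> List[dict]:
    """Parse JSON-lines, skipping blank lines and rejecting records missing required fields."""
    required = {"user", "at", "risk_score", "risk_reasons", "threshold", "mfa_challenged", "outcome"}
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        record = json.loads(line)
        missing = required - record.keys()
        if missing:
            raise ValueError(f"event at {record.get('at')} missing fields: {sorted(missing)}")
        events.append(record)
    return events


def review(events: List[dict]) -> Dict[str, object]:
    """Return policy-gap findings and per-user statistics."""
    findings: List[Tuple[str, str, str]] = []
    stats = defaultdict(lambda: {"logins": 0, "challenged": 0, "denied": 0, "max_score": 0})
    for e in events:
        s = stats[e["user"]]
        s["logins"] += 1
        s["challenged"] += int(e["mfa_challenged"])
        s["denied"] += int(e["outcome"] == "denied")
        s["max_score"] = max(s["max_score"], e["risk_score"])
        # A score at or above the policy threshold that was let through without a second
        # factor means the policy did not apply (e.g. the user sits on another policy).
        if e["risk_score"] >= e["threshold"] and not e["mfa_challenged"] and e["outcome"] == "success":
            findings.append(("unchallenged_high_risk", e["user"], e["at"]))
        if SEVERE_REASONS & set(e["risk_reasons"]):
            findings.append(("severe_reason", e["user"], e["at"]))
    return {"findings": findings, "stats": dict(stats)}


def demo() -> Dict[str, object]:
    return review(parse_events(SAMPLE_EVENTS))


if __name__ == "__main__":
    result = demo()
    for kind, user, at in result["findings"]:
        print(f"{kind:24} {user:20} {at}")
    for user, s in result["stats"].items():
        print(f"{user:20} logins={s['logins']} challenged={s['challenged']} "
              f"denied={s['denied']} max_score={s['max_score']}")
```

On the constructed sample, the review flags bob's first login as unchallenged despite a score of 61 against a threshold of 25, and lists three severe-reason events (bob twice, carol once) for follow-up. The parser rejects records that lack any required field rather than silently scoring them as low risk, which is the failure mode to avoid when an export format changes.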

