Smart MFA & Smart Access
Article: KB0010438 Published: 11/07/2023 Last modified: 11/07/2023

Smart MFA and Smart Access are two of the best ways to intelligently automate your organization's security needs with SmartFactor Authentication. Using the risk scores calculated by Vigilance AI, our threat analysis engine, these adaptive authentication tools can determine how risky any given login attempt is and dynamically tighten your organization's security to its optimal level without sacrificing user experience.

This feature requires a OneLogin subscription that includes SmartFactor Authentication. Speak with your account representative for more information.

Smart MFA

With Smart MFA, you can determine a risk threshold and suppress multi-factor authentication (MFA) requirements for logins below your comfortable level of risk. When Smart MFA is enabled for a user, they're initially prompted for a one-time password (OTP) each time they log in, while Vigilance AI tracks their login behaviors and forms their behavior profile. When their pattern is established and their risk score successfully falls below the threshold you set, Smart MFA suppresses the MFA requirement and the user no longer needs to enter an OTP with each attempt. If the user's behavior changes and their risk score rises again, Smart MFA adapts and resumes enforcing OTP authentication until their new behavior is established.

Smart MFA can be applied to users by configuring a user policy.

Minimal

Select this to allow only the most minimal of risk tolerance. This option provides your organization with the most robust security by prompting users for MFA during nearly every login attempt.

Low

Select this if you prefer lower risk tolerance for your organization. Users will be prompted for MFA during most login attempts.

Medium

Select this for an even balance between security and user experience. MFA will often be suppressed once a user exhibits predictable and secure behavior, such as logging in from the same location and at the same time every day.

High

Select this if your organization favors user experience over security. Under most circumstances, users will not be prompted for MFA unless exhibiting unusual login behaviors.

Very High

Select this to accept a very high level of risk. This option maximizes user experience at the expense of security; users will only be prompted for MFA during highly unusual login attempts.

 


 

Smart Access

Smart Access is similar to Smart MFA in that Vigilance AI will learn from your users' previous behavior and adapt its approach based on the degree of risky or unusual behavior they display. However, while Smart MFA tightens security by requiring additional authentication for higher-risk logins, Smart Access denies login attempts completely if they exceed your organization's preferred risk level. The user is notified that their access has been denied, and an event log is generated for admin review.

Smart MFA can be applied to users by configuring a user policy, or to specific applications with an app policy.

Important: All new users are typically considered High risk before the Vigilance AI risk engine has enough data to analyze the user's normal login behaviors. Because of this, it's necessary that you assign your new users to an onboarding user policy with Smart Access disabled.

If Smart Access is applied to a new user, their account may become locked out, permanently blocked, or disabled, requiring an admin escalation.

When the new user's typical login pattern has been established and their risk score lowers, you can then reassign them to their appropriate group's user policy moving forward.

Low

Select this to provide your organization with the tightest security at the expense of user experience. Access will be denied unless users exhibit very safe and predictable login behavior.

Medium

Select this for an even balance between security and user experience. Access will sometimes be denied for users if their login behavior appears inconsistent.

High

Select this if your organization favors user experience over security. User access will only be denied in the event of unusually high-risk login attempts.
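
The onboarding caveat above can be checked mechanically. The following is an added example, not OneLogin code or part of the original article: it audits a constructed user list for new users placed in a policy with Smart Access enabled, and for established users still in a policy without it. The field names, policy names, and the age/login-count rule for "pattern established" are all assumptions, since the article gives no schema or figure.

```python
from datetime import date

# Constructed sample data; field names are hypothetical, not a OneLogin export schema.
POLICIES = {
    "onboarding": {"smart_access": False},
    "engineering": {"smart_access": True},
    "contractors": {"smart_access": True},
}
USERS = [
    {"email": "new.hire@example.com", "created": date(2023, 11, 1), "logins": 3, "policy": "engineering"},
    {"email": "veteran@example.com", "created": date(2022, 5, 9), "logins": 410, "policy": "engineering"},
    {"email": "settled@example.com", "created": date(2023, 8, 14), "logins": 95, "policy": "onboarding"},
    {"email": "fresh@example.com", "created": date(2023, 11, 3), "logins": 1, "policy": "onboarding"},
]

# Assumed local proxy for "typical login pattern established"; the article gives no figure.
MIN_AGE_DAYS = 30
MIN_LOGINS = 20


def baseline_established(user, today):
    """True once the account is old enough and has logged in often enough."""
    age_days = (today - user["created"]).days
    return age_days >= MIN_AGE_DAYS and user["logins"] >= MIN_LOGINS


def audit(users, policies, today):
    """Return (lockout_risk, ready_to_reassign) lists of user e-mail addresses."""
    lockout_risk, ready = [], []
    for user in users:
        smart_access = policies[user["policy"]]["smart_access"]
        established = baseline_established(user, today)
        if smart_access and not established:
            lockout_risk.append(user["email"])  # new user may be denied outright
        elif not smart_access and established:
            ready.append(user["email"])  # candidate for the group's regular policy
    return lockout_risk, ready


if __name__ == "__main__":
    risky, ready = audit(USERS, POLICIES, date(2023, 11, 7))
    print("Smart Access applied before a baseline exists:", risky)
    print("Baseline established, still without Smart Access:", ready)
```
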

