As an add-on to your OneLogin Enterprise or Unlimited subscription, we provide the option to use Adaptive Authentication to determine whether your users require a secondary authentication factor in addition to their password.
Adaptive Authentication uses a machine learning algorithm that calculates risk to determine whether a login requires MFA. For example, if you set up a user policy to require a one-time password (OTP) when a user is out of the office, and that user regularly works from home, Adaptive Authentication notices the pattern of regular logins from the same IP address/browser/operating system using OTP and eventually lets the user log in from that IP address/browser/operating system combination without MFA. However, when that user logs in from an unknown IP address, they will be required to provide their second authentication factor.
Adaptive Authentication can be enabled for higher or lower levels of security, some settings allow users to log in easily without MFA, while others make it more difficult. Additionally, during login each step is broken into a single screen which makes it easier to add or remove requirements depending on your authentication needs. Read more about multi-step login here.
Adaptive Authentication risk calculations include the following factors, among others:
- IP flagged as a threat in AlienVault Open Threat Exchange
- IP blacklisted by Project HoneyPot
- Tor network access
- Blacklisted country
- New city or country
- New browser or OS
- Infrequently used browser or OS
- New device
- Access from a new IP address
- Access at an unusual time of day
- User moved with unrealistic speed between two locations
Adaptive Authentication works with all of the MFA providers and methods supported by OneLogin, including:
- OneLogin Protect for iOS and Android
- OneLogin security questions
- Duo Security
- Google Authenticator
- Symantec VIP Access
- Yubico Yubikey
- RSA SecurID
- OneLogin OTP for Windows Phones and Windows Desktop (deprecated)
- OneLogin OTP SMS
For general information about setting up MFA for OneLogin, see Adding Multi-Factor Authentication.
Enabling Adaptive Authentication for MFA
To add Adaptive Authentication to your OneLogin subscription, contact OneLogin sales. Once OneLogin adds it to your plan, you can enable it for your users:
Log in to OneLogin as an admin.
Enable the secondary authentication factors (OneLogin Protect, Google Authenticator, etc) that you want to make available to your users.
See "Adding your authentication factor" in Adding Multi-Factor Authentication.
Go to Settings > Policies to add a new User Policy or update an existing one.
Click the New User Policy button or select a policy from the table.
Go to the MFA tab.
Enable OTP Auth Required.
Select the Available factors you want users on this policy to access.
In the Users without MFA device must register one before logging in field, enable or disable the requirement for users to register a MFA device during the login process. The default setting is enabled. When disabled, users who do not have a registered device will not be able to register one or log in.
In the OTP bypassed for the following IP addresses field, enter the IP addresses that won't require MFA for users on this policy.
In other words, create a whitelist of IP addresses that your users can log in from without providing a second authentication factor. Adaptive Authentication will always let users log in without a second authentication factor from these IP addresses.
Tip. It may seem that whitelisting your office IP addresses is a no-brainer. But consider this. If you don't whitelist IPs for your office, but let Adaptive Authentication take care of figuring out that logins from that IP address are safe, then when a non-employee tries to log in from that IP address, they would be challenged for a second authentication factor because their browser/OS isn't recognized. You're more secure than you would be if you use IP address whitelisting.
Set OTP required for to one of the following:
- Administrator Only: Only requires second authentication factor for Super Users and Account Owner.
- Configured Users Only: Only requires second authentication factor for end users who have already manually added and configured an authentication factor.
- All Users: Requires second authentication factor for all users. Users will be prompted to set up an authentication factor when they try to log in to OneLogin.
Set OTP required at to At every login.
The Unknown browsers option is not recommended when using Adaptive Authentication, which already recognizes unknown browsers and includes them in its risk calculations.
Under Adaptive MFA, select Enable and select the Risk level you are willing to accept:
Adaptive Authentication scores the risk of each login attempt on a scale of 0-100 and compares the calculated risk score to the maximum level you're comfortable with:
No calculated risk: Not willing to accept any risk at all. Require MFA if the login risk factor is scored between 0 - 4. Login attempts that fit a pattern of behavior that machine learning recognizes over time as safe (for example, the user is logging in from their home IP address/OS/browser) will eventually be calculated as less than 5. Most logins will require MFA.
Low calculated risk: Willing to accept a low level of risk. Require MFA if the login risk factor is scored between 5 - 25. This is less strict than No calculated risk. MFA is more than likely required with user login.
Medium calculated risk: Willing to accept a medium level of risk. Require MFA if the login risk factor is scored between 26 - 50. This is less strict than Low calculated risk. MFA requirement is less likely with user login.
Assign the user policy to a Group or to individual users.
See "Assigning MFA security policies to Groups" and "Assigning MFA security policies to individual users" in Adding Multi-Factor Authentication.
Monitoring Risk Calculation and Login Events
For users on policies that use Adaptive Authentication for MFA, every login-related event records the risk calculation, risk reasons, and whether login was passed through with or without a second-factor challenge.
The screenshot below shows a login event for a user on a policy with Risk level set to Low (calculated risk between 5 - 25 results in MFA requirement). Because the risk level for the login attempt was calculated as 34, the user was challenged for a second authentication factor.
You can view these events in either of the following ways:
Go to Users > All Users, select a user, and go to the MFA tab.
Select a login event and view the event details.
Go to Activity > Events, select a login event, and view the event details.