Add a Risk-Based Authentication Policy

Risk-based authentication (RBA) is a multifactor authentication solution that strengthens traditional password-based systems by applying knowledge of the client device and user behavior to assess the potential risk of an authentication request. The RBA policy determines how RBA works in each security domain.

In a replicated deployment, changes to policies might not be immediately visible on the replica instance. This delay is due to the cache refresh interval. Changes should replicate within 10 minutes. To make changes take effect sooner on the replica instance, see Flush the Cache.

Before you begin

Understand the concept of minimum assurance level. For more information, see Minimum Assurance Level.


  1. In the Security Console, click Authentication > Policies > Risk-Based Authentication Policies > Add New.

  2. Under RBA Policy Basics, do the following:

    1. In the RBA Policy Name field, enter a unique policy name. Do not exceed 128 characters.

    2. (Optional) If you want to make this the default RBA policy for the deployment, select Set as default RBA policy.

    3. (Optional) Add any notes in the Notes field.

  3. Under Enablement and Assurance Settings, do the following:

    1. (Optional) If you want to automatically enable users for RBA after successful authentication, select Allow system to enable users for RBA automatically during authentication in the Automatic Enablement field.

    2. In the Minimum Assurance Level field, select the assurance level that is required to authenticate without prompting for identity confirmation. The system determines the assurance level of each authentication attempt based on the user’s profile, authentication device, and authentication history. The higher the level, the greater the chance that the user will be prompted for identity confirmation. The default setting is Medium.

      Note: Changing this setting may affect how often users are prompted to confirm their identity.

  4. Under Device Registration and Identity Confirmation Settings, do the following:

    1. For Silent Collection Period, do one of the following:

      • To enable silent collection, select Allow silent collection. Enter the number of days to enable silent collection for each user.

      • To disable silent collection, select Do not allow silent collection. This is the default setting.

    2. For Identity Confirmation Methods, select the methods to make available to users if an authentication request does not meet the minimum assurance level. You must select at least one method. If you select two methods, the user chooses which method to use.

    3. For New Device Registration, select one of the following to register a user's device.

      • To add a device automatically, select Register the user authentication device automatically after successful authentication.

      • To allow the user to choose whether to add a device to the device history, select Prompt the user to choose whether the system registers the device after successful authentication. This is the default setting.

      Note: Select this option if users will access RBA-protected resources from shared or public computers.

  5. Under Device Administration Settings, do the following:

    1. In the Total Registered Devices field, enter the maximum number of registered devices preserved in each user’s device history.If the number of registered devices exceeds the limit, the nightly cleanup job deletes the least recently used devices.

    2. In the Unregister Devices field, enter the number of consecutive days that a device can remain inactive before the system removes it from the user device history.

  6. Click Save.