Enable Identity Confirmation Methods for a Risk-Based Authentication Policy

If your deployment uses risk-based authentication (RBA), you must enable at least one identity confirmation method. RBA is a multifactor authentication solution that strengthens traditional password-based systems by applying knowledge of the client device and user behavior to assess the potential risk of an authentication request. If the assessed risk is high, the user is challenged to further confirm his or her identity using one of the following methods:

  • On-demand authentication (ODA). The user must correctly enter a PIN and a one-time tokencode that is sent to a preconfigured mobile phone number or e-mail account.

  • Security questions. The user must correctly answer one or more pre-enrolled security questions.


  1. In the Security Console, click Authentication > Policies > Risk-Based Authentication Policies > Manage Existing.

  2. Click the policy that you want to configure, and select Edit.

  3. In the Identity Confirmation Methods section, select the methods that you want to enable.

  4. Click Save.

After you finish

  • If you selected ODA, you need to configure an on-demand tokencode delivery method. For instructions, see Configure On-Demand Tokencode Delivery.

  • The user must configure the enabled method during logon (if prompted), or in the Self-Service Console. For more information, see Device History for Risk-Based Authentication.

  • If you enable more than one method, the user can configure one or both methods. When both methods are configured, the user can choose either method when providing identity confirmation.

Related Concepts

Managing Security Questions