Methods for Enabling Users for Risk-Based Authentication
A user must be enabled for risk-based authentication (RBA) to access an RBA-protected resource. Use one of the following methods:
Automatic. When a user accesses an RBA-protected resource, the user becomes enabled for RBA automatically after the first successful authentication. For instructions, see Enable Users Automatically for Risk-Based Authentication.
Manual. Only specified users can access RBA-protected resources. An administrator must manually enable these users for RBA. For instructions, see Enable Users Manually for Risk-Based Authentication.
Note: Users you enable for RBA are counted against the RBA limit in your license.
Enable Users Automatically for Risk-Based Authentication
For a user to access a network resource that is protected by risk-based authentication (RBA), you must enable the user for RBA. Use the following procedure to enable users for RBA automatically after successful authentication. You can also enable users for RBA manually.
Users you enable for RBA are counted against the RBA limit in your license.
Before you begin
Verify that the RBA policy does not require manual user enablement.
Procedure
- In the Security Console, click Authentication > Policies > Risk-Based Authentication Policies > Manage Existing.
- Click the policy that you want to configure, and select Edit.
- Under Enablement and Assurance Settings, do one of the following for Automatic Enablement:
  - To enable users for RBA automatically after successful authentication, select Allow system to enable users for RBA automatically during authentication.
  - To disable this feature and permit only manual enablement, clear Allow system to enable users for RBA automatically during authentication.
- Click Save.
Enable Users Manually for Risk-Based Authentication
A user must be enabled for risk-based authentication (RBA) to access a network resource that is protected by RBA. Use the following procedure to enable users manually for RBA.
Enabling a user for RBA does not by itself mean the user meets the RBA policy requirements. For example, if the RBA policy specifies security questions as an identity confirmation method, the user must still answer the security questions before the policy requirements are met.
Before you begin
Verify that the RBA policy does not allow automatic enablement. For instructions, see View a Risk-Based Authentication Policy.
Procedure
- In the Security Console, click Authentication > Risk-Based Authentication > Enable Users.
- Use the search fields to find a user that you want to enable for RBA. Some fields are case sensitive.
- Use the checkboxes to select one or more users that you want to enable for RBA, and click Enable for RBA.
- On the Confirmation Required page, click Yes.
Device History for Risk-Based Authentication
For risk-based authentication (RBA), the system maintains a device history for each user. The device history is a list of user authentication devices from previous successful logons. Once added to the list, the device is considered to be registered. When the user tries to access an RBA-protected resource using a registered device, the authentication attempt is likely to have a higher assurance level.
User authentication devices are the physical devices from which the user requests access to an RBA-protected resource. They include computers and mobile devices, but do not include authenticators.
During silent collection, the system adds all authentication devices to the user's device history automatically. When silent collection expires or is disabled, the system saves all devices to the device history automatically, or prompts the user to choose to add the device to the device history, depending on the RBA policy settings.
To manage the device history, you can:
- View the number of devices in the user device history. For more information, see View Risk-Based Authentication Settings for a User.
- Delete the device history. Delete the device history when a user reports a device as lost or stolen, or accidentally registers a device that is a public or shared computer. For more information, see Delete the Device History for a User.
- Configure how the system responds when the user's device is not already saved in the device history. For more information, see Configure Device Registration for a Risk-Based Authentication Policy.
- Set the maximum number of registered devices preserved in each user's device history. For more information, see Configure Device History Settings for a Risk-Based Authentication Policy.
- Set when a device expires. The system removes expired devices from the device history. For more information, see Configure Device History Settings for a Risk-Based Authentication Policy.
Device Settings for Risk-Based Authentication
For risk-based authentication (RBA), the system uses device history as a factor in determining risk. The device history is a list of user authentication devices from previous successful logons. The system maintains a device history for each user. Once added to the list, the device is considered to be registered. When the user tries to access an RBA-protected resource using a registered device, the authentication attempt is likely to have a higher assurance level. When the user attempts to log on from an unknown device, the system challenges the user for identity confirmation. If the logon is successful, the new device is added to the user's device history list.
You specify how the system registers and manages users' devices for RBA. You can configure the following client device settings.
| Setting | Description |
| --- | --- |
| New device registration | Authentication Manager can register a new device automatically or ask users if they want to register the device. If you expect users to access RBA-protected resources from public or shared devices, allow them to decide which devices they want to register. |
| Total registered devices | You can set the maximum number of registered devices preserved in each user's device history. If the number of registered devices exceeds the limit, the nightly cleanup job deletes the least recently used devices. |
| Unregister devices | You can specify when inactive devices are removed from a user's device history. For example, you can specify that devices are removed from a user's device history after 60 days of inactivity. Consider the needs of all your users. Although most users might use the same client devices frequently to access RBA-protected resources, some users might only use public client devices infrequently. |
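The following is an added, illustrative model of how the device-history rules in the two sections above interact: an unknown device is challenged and then registered (automatically or only if the user agrees), a registered device is refreshed on each logon, the nightly cleanup first unregisters devices idle longer than the configured number of days and then evicts the least recently used devices above the total limit, and an administrator can delete the whole history for a lost or stolen device. It is not RSA Authentication Manager code; the class names, method names, `day()` helper, default policy values and device identifiers are assumptions chosen for the example.

```python
"""Illustrative model of the RBA device-history rules (added example).

Not RSA Authentication Manager code. Class names, method names and the
default policy values are assumptions made to show how the three client
device settings (new device registration, total registered devices,
unregister devices) act on a single user's device history.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class DeviceRecord:
    """One registered client device (a computer or mobile device, not an authenticator)."""
    device_id: str        # assumed opaque identifier for the client device
    last_seen: datetime   # time of the most recent successful logon from it


@dataclass
class DeviceHistoryPolicy:
    """The three client device settings from the table above (defaults are assumptions)."""
    auto_register_new_devices: bool = True   # New device registration
    max_registered_devices: int = 5          # Total registered devices
    inactivity_expiry_days: int = 60         # Unregister devices


class UserDeviceHistory:
    """Device history for a single RBA-enabled user."""

    def __init__(self, policy: DeviceHistoryPolicy) -> None:
        self.policy = policy
        self.devices: dict[str, DeviceRecord] = {}

    def is_registered(self, device_id: str) -> bool:
        return device_id in self.devices

    def logon(self, device_id: str, now: datetime,
              user_accepts_registration: bool = True) -> dict:
        """Outcome of a successful logon from device_id at time `now`.

        A registered device is refreshed and needs no identity confirmation.
        An unknown device is challenged; the challenge is assumed to succeed
        here, after which the device is registered automatically or only if
        the user agrees, depending on the policy.
        """
        if device_id in self.devices:
            self.devices[device_id].last_seen = now
            return {"known_device": True, "challenge": False, "registered": True}

        register = self.policy.auto_register_new_devices or user_accepts_registration
        if register:
            self.devices[device_id] = DeviceRecord(device_id, now)
        return {"known_device": False, "challenge": True, "registered": register}

    def nightly_cleanup(self, now: datetime) -> list[str]:
        """Apply the expiry and size limits; returns the device ids removed."""
        removed: list[str] = []
        # 1. Unregister devices: drop devices idle for the configured number of days.
        max_idle = timedelta(days=self.policy.inactivity_expiry_days)
        for dev in list(self.devices.values()):
            if now - dev.last_seen >= max_idle:
                del self.devices[dev.device_id]
                removed.append(dev.device_id)
        # 2. Total registered devices: evict least recently used until within the limit.
        while len(self.devices) > self.policy.max_registered_devices:
            lru = min(self.devices.values(), key=lambda d: d.last_seen)
            del self.devices[lru.device_id]
            removed.append(lru.device_id)
        return removed

    def delete_history(self) -> int:
        """Administrator action after a lost, stolen or wrongly registered device.

        The page describes deleting the user's whole history, so every device is
        forgotten and will be challenged on its next logon. Returns the count removed.
        """
        count = len(self.devices)
        self.devices.clear()
        return count


def day(n: int) -> datetime:
    """Helper for the example timeline: n days after an assumed start date."""
    return datetime(2024, 1, 1) + timedelta(days=n)


if __name__ == "__main__":
    history = UserDeviceHistory(DeviceHistoryPolicy(max_registered_devices=2))
    print(history.logon("laptop", day(0)))   # unknown: challenged, then registered
    print(history.logon("laptop", day(1)))   # known: no challenge
    history.logon("phone", day(2))
    history.logon("kiosk", day(3))
    print(history.nightly_cleanup(day(3)))   # over the limit of 2: 'laptop' is least recently used
    print(history.nightly_cleanup(day(70)))  # both remaining devices idle for more than 60 days
```

Running the model with a small limit makes the trade-off in the table concrete: a low total-device limit or a short inactivity window means a user who occasionally logs on from a rarely used device will be challenged again as soon as that device has been evicted or expired.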