The risk-based authentication (RBA) message policy defines the message that users see when they are prompted to configure their identity confirmation method. You might use this message to inform users about why they need to configure an identity confirmation method. This message displays when all of the following conditions exist:
The user authenticates to a web-based application, such as an SSL-VPN, thin client, or web portal.
The user has not configured an identity confirmation method.
The user attempts to authenticate using a high assurance device.
You can assign an RBA message policy to any security domain. A deployment can have multiple RBA message policies, which you assign by editing the security domain. Security domains use the deployment’s default RBA message policy until you assign a different RBA message policy.