Reference Material | Dynamic multi-factor authentication policies
Dynamic multi-factor authentication (DMFA) allows users to enroll and authenticate using multiple identity services. This is a flexible and secure way for users to authenticate when signing in to their Office 365 accounts. If you are an administrator, you can create and configure a policy that suits the needs of your organization. You can decide which identity services can be used to authenticate, as well as how secure each one is.
DMFA is used when signing in throughout the Specops Authentication platform. This includes:
- Managing users
- Resetting or changing user passwords
- Signing users into Office 365
- Signing in to change enrollment
When creating a DMFA policy, it is recommended that you give your users a varied choice of identity services, and that you encourage your users to enroll with as many of these as possible. The more identity services a user has enrolled with, the less likely it is they will become locked out of their account.
Example: If a user forgets the answers to their secret questions and they have enrolled with several other identity services, they can still successfully authenticate using one of these instead.
Note: When a user completes enrollment, a message is presented, asking if they would like to collect extra stars by enrolling with more identity services, beyond the required amount.
There are many different types of identity service to choose from, including:
- Social media
- Secret questions
- Mobile codes
- Fingerprint scans
Required identity services
You can mark an identity service as “required”. This means it is mandatory and your users must enroll and authenticate using it.
Example: Selecting the Required checkbox for Mobile Code and Windows Identity, will make these mandatory for all users.
Protected identity services
You can mark an identity service as “protected”. Before a user can authenticate using a protected identity service, they must authenticate using one or more other identity services first. This is to prevent external parties from attempting to gain access to a user account, by guessing the credentials.
Example: A user might choose Google Authenticator, Mobile Code, and Windows Identity during enrollment. If Windows Identity has been marked as “protected” in the DMFA policy, the user must authenticate using Google Authenticator or Mobile Code before being allowed to enter their Windows Identity credentials.
An identity service can be marked as both required and protected.
You can set the required weight for enrollment and authentication using the star bars in the Edit rules section.
Users must use enough identity services to obtain the required weight. For example: if you select 5 stars as the required weight for enrollment and authentication, users must enroll and authenticate with enough identity services to add up to 5 stars.
Note: The required weight for authentication cannot be higher than the required weight for enrollment. This is to give users as much flexibility as possible. If a user is suddenly unable to authenticate with one particular identity service, they can use one of the others they enrolled with instead.
Example: You could create a policy that requires a user to enroll with 3 identity services, but they only need to authenticate using 2. If a user enrolls with Mobile Code, Secret Questions, and Google, and they are suddenly unable to authenticate using Mobile code, because their phone malfunctions, they can still authenticate using their secret questions instead.
You can set the weight for the different identity services to represent their relative security level. Select the weight by turning on the desired number of stars.
Example: You might decide that Mobile Code is worth 3 stars, Mobile BankID is worth 2 stars, and Google Authenticator is worth 1 star, and so on.
Note: By default, the maximum weight that can be assigned to each identity service is 3 stars. You can increase this to a maximum of 5 stars, if you want to make an identity service more secure. This is done using the – or + buttons at the bottom of the page.
When you increase the maximum weight per identity service, it increases the number of stars available on the Required Weight for Enrollment and Required Weight for Authentication star bars at the top of the page.
Example: If the maximum weight per ID service is set to 4, there will be 16 stars on the Required Weight for Enrollment and Required Weight for Authentication bars.
Configuring a policy
- In the Specops Gatekeeper Admin tool, in the Useful Links section, click the Admin Pages link.
- Sign in with your credentials.
- Click Policies.
- In the Enrollment or Admin sections, click Configure.
- Select the identity services that will be available to users. To add an identity service to the policy, select it from the Unselected Identity Services list, and it will appear in the Selected Identity Services list.
- In the Edit rules section, specify how many stars need to be collected before a user can fill the star bar and enroll, as well as the weight required for authentication. See the Weight section above.
- Set the weight for each identity service, by selecting a specific number of stars.
- Select the Required checkbox, to make an identity service mandatory. See the Required identity services section above.
- Select the Protected checkbox, to make it a protected identity service. See the Protected identity services section above.
- Click Save to save the configuration.
Adaptive Enrollment Policies
An enrollment policy (that dictates how users need to authenticate in order to change their enrollment) is adaptive.
As with all policies, an enrollment policy contains a required weight for authentication and a list of identity services that each user must choose from. As described above, in order to successfully sign in with a policy, a user must use enough identity services to obtain the required authentication weight. However, unlike other polices, enrollment policies are unique, as when signing in, users do not necessarily need to obtain the required authentication weight.
For example: If a user is only enrolled with two identity services and the enrollment policy states that a user needs to use three identity services to sign in, this user will still be allowed to sign in using their two identity services. Whenever a user has enrolled with enough identity services to satisfy the required authentication weight of the enrollment policy, signing in with the enrollment policy will be the same as other policies.
Enrollment security modes
When users enroll for the first time, they will have to identify themselves by providing their Windows password. Subsequent changes to enrollment (re-enrollment) will require identification with one previously used identity service in addition to their Windows password, if the security mode is set to Medium or High.
There are three security modes available to administrators: Low security, Medium security, and High security. These security modes reflect the relative strength of the policies configured, and determine in part which identity services the user needs to re-enroll with (whenever users need to change their enrollment).
Users are only required to provide their Windows password for identification.
Upon re-enrollment, users are required to identify with one previously used identity service in addition to their Windows password.
Upon re-enrollment, users are required to identify with one previously used strong identity service, or two weak ones (in case they have not enrolled with any strong identity services), in addition to their Windows password. Weak identity services, such as security questions, will not be presented to the user as an option, unless they have enrolled only with weak identity services.