Specops policies are collections of multi-factor authentication rules that govern the basic functionality of Specops Authentication. Separate policies can be configured for the different Specops Authentication applications, as well as for administrator authentication to Authentication Web.
Configuring a policy
To configure a policy, click Configure next to each policy to set
its authentication requirements.
- Click Configure or Edit Authentication Rules.
- Move any of the identity services you want to use from the Unselected Identity Services box on the right to the Selected Identity Services box on the left by clicking the plus icon next to the identity service.
- Assign a weight (star value) to each selected identity service. This lets you give a higher value to those identity services you believe provide a higher level of security. For instance, assigning the Specops Authenticator 2 stars makes it equivalent to two identity services worth 1 star each. Refer to the Identity service weight assignment page for additional guidance.
- To require the user to use a specific identity service, select the Required checkbox.
- Configure the required weight (stars) for enrollment.
- Configure the required weight (stars) for authentication.
NOTE
The number of stars required for authentication must be equal to or less than the number of stars required for enrollment.
- To complete the enrollment or authentication process, the user will need to fill the star bar with the number of stars set by the policy.
- Click Save when you are done.
Note that policies can also be affected by the settings for Geoblocking and Trusted Network Locations.
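As an added example (not Specops' own code), the following Python models how the star weights, the Required checkbox and the two thresholds combine; the service names, star values and thresholds in EXAMPLE_POLICY are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class IdentityService:
    name: str
    stars: int              # weight assigned by the administrator
    required: bool = False  # "Required" checkbox in the policy


class Policy:
    """Constructed model of a star-weighted policy, not Specops' own code."""

    def __init__(self, services: Iterable[IdentityService],
                 enrollment_stars: int, authentication_stars: int) -> None:
        # Rule from the NOTE above: authentication stars <= enrollment stars.
        if authentication_stars > enrollment_stars:
            raise ValueError("authentication stars must not exceed enrollment stars")
        self.services = {s.name: s for s in services}
        self.enrollment_stars = enrollment_stars
        self.authentication_stars = authentication_stars

    def missing_required(self, used: Iterable[str]) -> list:
        """Required identity services the user did not identify with."""
        used = set(used)
        return sorted(s.name for s in self.services.values()
                      if s.required and s.name not in used)

    def star_total(self, used: Iterable[str]) -> int:
        """Stars filled in the star bar; services outside the policy count 0."""
        return sum(self.services[n].stars for n in set(used) if n in self.services)

    def can_enroll(self, used: Iterable[str]) -> bool:
        return not self.missing_required(used) and self.star_total(used) >= self.enrollment_stars

    def can_authenticate(self, used: Iterable[str]) -> bool:
        return not self.missing_required(used) and self.star_total(used) >= self.authentication_stars


# Constructed policy: the authenticator app is worth two 1-star services
# (the weighting example from the text) and is marked Required.
EXAMPLE_POLICY = Policy(
    [IdentityService("Specops Authenticator", stars=2, required=True),
     IdentityService("Mobile Code (SMS)", stars=1),
     IdentityService("Security questions", stars=1),
     IdentityService("Personal Email", stars=1)],
    enrollment_stars=3, authentication_stars=2)
```

Two 1-star services fill the authentication bar but still fail because the Required service is missing; the 2-star authenticator alone authenticates but needs one more star to enroll.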
Removing an identity service
To remove an identity service from a policy, do the following:
- Click Configure or Edit Authentication Rules.
- Remove any of the identity services from your policy by clicking the minus icon next to the identity service. The identity service is moved back to the Unselected Identity Services box on the right.
Policy configuration best practices
When configuring policies for multiple Specops applications
(uReset, Authentication for O365, and Key Recovery), bear in mind that certain configurations
can adversely affect the enrollment process for users.
When policies for different applications are set up requiring different
identity services, the user will have to identify with more services in
order to fulfill the requirements for all applications. Configuring
policies to use the same set of identity services will shorten the
enrollment process for users.
For more information on enrollment, please refer to the
Best Practices document.
Weak identity services
Due to the nature of some (self-enrolled) identity services, they are
deemed weaker than others. The identity services listed below are
considered weak:
- Security questions
- Mobile Code (SMS)
- Personal Email
Enrollment security modes
When users enroll for the first time, they will have to identify
themselves by providing their Windows password. Subsequent changes to
enrollment (re-enrollment) will require identification with one
previously used identity service in addition to their Windows password,
if the security mode is set to Medium or High.
There are three security modes available to administrators: Low
security, Medium security, and High security. These security modes
reflect the relative strength of the policies configured, and determine
in part which identity services the user needs to re-enroll with
(whenever users need to change their enrollment).
Low security
Users are only required to provide their Windows password for
identification.
Medium security
Upon re-enrollment, users are required to identify with one previously
used identity service in addition to their Windows password.
High security
Upon re-enrollment, users are required to identify with one previously
used strong identity service, or two weak ones (in case they have not
enrolled with any strong identity services), in addition to their
Windows password. Weak identity services, such as security questions,
will not be presented to the user as an option, unless they have
enrolled only with weak identity services.
Note: users will be presented with an identity service for
(re-)enrollment if the user has previously enrolled with that
service and it is part of a policy affecting the user. The
user's Windows identity is always part of the (re-)enrollment procedure.
Note: the low and medium modes are set automatically, depending on
the policy configuration. High security mode has to be enabled by
administrators in order to enforce re-enrollment with strong identity
services.
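An added Python illustration (not Specops' implementation) of the re-enrollment identification rule for the three security modes, using the weak-service list from above; the enrolled-service and policy sets used with it are constructed.

```python
# Added illustration of the re-enrollment rule per security mode. Service
# names follow the "Weak identity services" list above; not Specops' code.
WEAK_IDENTITY_SERVICES = frozenset(
    {"Security questions", "Mobile Code (SMS)", "Personal Email"})


def reenrollment_requirement(mode: str, enrolled, policy_services):
    """Return (services_needed, services_offered) on top of the Windows
    password, which is always required and therefore not counted here.

    enrolled        - identity services the user has previously enrolled with
    policy_services - identity services in the policies affecting the user

    The page does not say what happens when fewer services are offered than
    needed (e.g. one weak service in high mode); callers must check for that.
    """
    if not enrolled:
        return 0, set()            # first enrollment: Windows password only
    # A service is presented only if previously enrolled AND in a current policy.
    candidates = set(enrolled) & set(policy_services)
    if mode == "low":
        return 0, set()            # password only
    if mode == "medium":
        return 1, candidates       # any one previously used service
    if mode == "high":
        strong = candidates - WEAK_IDENTITY_SERVICES
        if strong:
            return 1, strong       # weak services are not offered here
        return 2, candidates       # only weak services enrolled: two of them
    raise ValueError(f"unknown security mode: {mode}")
```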
Auto-enrolled identity services and security modes
For medium and high security modes, users who are affected by policies
that include auto-enrolled identity services, such as Duo Security and Okta, will have to authenticate with the auto-enrolled identity
service on the enrollment page. This means that users must have
their enrollment with Duo Security or Okta in place before they can enroll
with Specops Authentication.
Lockout settings
The identity services Mobile Code (SMS), Email, and
Personal Email can be configured to be locked out after wrong
inputs by the user. To configure these lockout settings, go to the
Identity Services menu in Authentication Web, and click on the
settings icon next to the identity service in question. The following
can be configured:
- Lockout threshold: the number of wrong inputs allowed before the identity
service is locked out.
- Lockout duration in minutes: how long the identity service stays
locked out.
Trusted Network Locations setting
When this setting is enabled, users can only enroll when authenticating
from one of the Trusted Network Locations specified by administrators.
For more information, see Trusted Network Locations.