Policies
Specops policies are collections of multi-factor authentication rules used by Specops Authentication. This page describes how to configure the policies used when signing in to the Specops Authentication admin pages (see Configuring a Policy), and how to set the enrollment security mode for administrators (see Enrollment Security Modes).
Separate policies can also be configured for individual Specops Authentication products.
Configuring a Policy
To configure a policy and include the identity services:
- Log in to Specops Authentication Web and click Policies in the left navigation.
- Click Configure next to each policy to set its authentication requirements.
- Click the plus-icon next to each identity service you want to include in the policy.
- Assign a weight (star value) to each selected identity service. This lets you give a higher value to the identity services you consider to provide a higher level of security. For instance, a Specops Authenticator worth 2 stars is equivalent to two identity services worth 1 star each. See the Identity service weight assignment page for additional guidance.
- To require the user to use a specific identity service, select the Required checkbox. A required service must be used even when the user could fill the star bar without it.
- Configure the required weight (stars) for enrollment.
- Configure the required weight (stars) for authentication.
Note
The number of stars required for authentication must be equal to, or less than, the number of stars required for enrollment. If authentication asked for more stars than enrollment, a user who had just completed enrollment might not hold enough identity services to sign in.
- To complete the enrollment or authentication process, the user must fill the star bar with the number of stars set by the policy.
- Click Save when you are done.
Note
Policies can also be affected by the settings for Geoblocking, and Trusted Network Locations.
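The star bar, the Required checkbox and the enrollment/authentication thresholds described above, modelled as a small policy evaluator. This is an added example and not Specops code: the service names, star values and thresholds in `sample_policy()` are assumptions chosen for the demonstration, and the `Policy` class is an illustration of the rules, not the product's API.

```python
"""Illustrative model of star-weighted policy evaluation (added example, not Specops code)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class IdentityService:
    name: str
    weight: int             # star value assigned by the administrator
    required: bool = False  # the Required checkbox


@dataclass
class Policy:
    services: dict             # name -> IdentityService (the selected services)
    enrollment_stars: int      # stars needed to complete enrollment
    authentication_stars: int  # stars needed to complete authentication

    def validate(self):
        """Return configuration problems; an empty list means the policy is consistent."""
        problems = []
        if self.authentication_stars > self.enrollment_stars:
            problems.append("authentication stars must not exceed enrollment stars")
        for s in self.services.values():
            if s.weight < 1:
                problems.append(f"{s.name}: weight must be at least one star")
        if sum(s.weight for s in self.services.values()) < self.enrollment_stars:
            problems.append("selected services cannot fill the enrollment star bar")
        return problems

    def evaluate(self, completed, phase):
        """completed: names of identity services the user verified with.

        phase is "enrollment" or "authentication".
        Returns (satisfied, stars_earned, missing_required_services).
        """
        needed = self.enrollment_stars if phase == "enrollment" else self.authentication_stars
        # A service that is not selected in this policy earns nothing, whatever the user did.
        earned = sum(self.services[n].weight for n in completed if n in self.services)
        missing = sorted(s.name for s in self.services.values()
                         if s.required and s.name not in completed)
        return earned >= needed and not missing, earned, missing


def sample_policy():
    """Constructed policy: Specops Authenticator is worth 2 stars and is Required,
    three self-enrolled services are worth 1 star each; enrol with 3 stars,
    authenticate with 2 (hypothetical values)."""
    services = [
        IdentityService("Specops Authenticator", 2, required=True),
        IdentityService("Mobile Code (SMS)", 1),
        IdentityService("Security Questions", 1),
        IdentityService("Personal Email", 1),
    ]
    return Policy({s.name: s for s in services}, enrollment_stars=3, authentication_stars=2)


def misconfigured_policy():
    """Same services, but authentication asks for more stars than enrollment."""
    p = sample_policy()
    p.authentication_stars = 4
    return p


if __name__ == "__main__":
    p = sample_policy()
    print("problems:", p.validate())
    # Two 1-star services fill the authentication bar but skip the Required service.
    print(p.evaluate({"Mobile Code (SMS)", "Security Questions"}, "authentication"))
    # The Required 2-star service alone fills the authentication bar ...
    print(p.evaluate({"Specops Authenticator"}, "authentication"))
    # ... but not the 3-star enrollment bar.
    print(p.evaluate({"Specops Authenticator"}, "enrollment"))
    print(p.evaluate({"Specops Authenticator", "Mobile Code (SMS)"}, "enrollment"))
    print("problems:", misconfigured_policy().validate())
```

Run it and note the first authentication attempt: the star bar is full, yet the attempt fails because the Required service was not used. `validate()` rejects the misconfigured policy where the authentication threshold exceeds the enrollment threshold, the check the Note above asks you to respect.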
Removing an Identity Service from a Policy
To remove an identity service:
- Click Configure.
- Remove any of the identity services from your policy by clicking the minus-icon next to the identity service. The identity service will be moved to the "Unselected Identity Services" box on the right.
Policy Configuration Best Practices
When configuring policies for multiple Specops applications (uReset, Authentication for O365, and Key Recovery), bear in mind that certain configurations can make the enrollment process longer for users.
When the policies for different applications require different identity services, the user has to enroll with more services in order to satisfy all of them. Configuring the policies to use the same set of identity services shortens the enrollment process.
For more information on enrollment, please refer to the Best Practices document.
Weak Identity Services
Due to the nature of some (self-enrolled) identity services, they are deemed weaker than others. The identity services listed below are considered weak:
- Security questions
- Mobile Code (SMS)
- Personal Email
Enrollment Security Modes
When users enroll for the first time, they identify themselves by providing their Windows password. Subsequent changes to enrollment (re-enrollment) additionally require identification with one previously used identity service if the security mode is set to Medium or High.
There are three security modes available to administrators: Low security, Medium security, and High security. These modes reflect the relative strength of the configured policies and determine, in part, which identity services the user must identify with when changing their enrollment.
- Low security: users are only required to provide their Windows password for identification.
- Medium security: upon re-enrollment, users are required to identify with one previously used identity service in addition to their Windows password.
- High security: upon re-enrollment, users are required to identify with one previously used strong identity service, or with two weak ones if they have not enrolled with any strong identity service, in addition to their Windows password. Weak identity services, such as security questions, are not presented to the user as an option unless the user has enrolled only with weak identity services.
Note
Users will be presented with identity services for (re-)enrollment if the user has been previously enrolled with said service, and it is part of a policy affecting the user. The user’s Windows identity is always part of the (re-)enrollment procedure.
The Low and Medium modes are set automatically, depending on the policy configuration. High security mode has to be enabled by administrators in order to enforce re-enrollment with strong identity services.
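The three modes and the Note above, written out as the decision the enrollment page has to make. This is an added example and not Specops code: the weak services are the three the page lists, "Specops Authenticator" is assumed to be a strong service, and the behaviour for a High-mode user who has enrolled with only a single weak service is an assumption (the page describes only the two-weak-services case).

```python
"""Illustrative model of the enrollment security modes (added example, not Specops code)."""

# The services the page lists as weak.
WEAK_SERVICES = frozenset({"Security Questions", "Mobile Code (SMS)", "Personal Email"})


def reenrollment_requirement(mode, enrolled, policy_services):
    """Return (services offered on the re-enrollment page, how many must be proved).

    enrolled: services the user previously enrolled with.
    policy_services: services in the policies that affect the user.
    The Windows password is always required in addition and is checked separately.
    """
    # Only services the user is enrolled with AND that are still part of a policy are offered.
    candidates = sorted(set(enrolled) & set(policy_services))
    if mode == "low" or not candidates:
        return [], 0  # Low mode, or first-time enrollment: password only
    if mode == "medium":
        return candidates, 1
    if mode == "high":
        strong = [s for s in candidates if s not in WEAK_SERVICES]
        if strong:
            return strong, 1  # weak services are not even offered
        weak = [s for s in candidates if s in WEAK_SERVICES]
        # Assumption: a user enrolled with a single weak service proves that one;
        # the page only describes the case with two or more weak services.
        return weak, min(2, len(weak))
    raise ValueError(f"unknown security mode: {mode}")


def reenrollment_allowed(mode, enrolled, policy_services, password_ok, proved):
    """True if the user may change their enrollment.

    proved: services the user successfully identified with on the re-enrollment page.
    """
    if not password_ok:
        return False  # the Windows identity is always part of (re-)enrollment
    offered, needed = reenrollment_requirement(mode, enrolled, policy_services)
    # Proofs with services that were not offered (e.g. a weak one in High mode) do not count.
    return len(set(proved) & set(offered)) >= needed


if __name__ == "__main__":
    # Constructed data: one policy covering four services, two users.
    policy = {"Specops Authenticator", "Security Questions", "Mobile Code (SMS)", "Personal Email"}
    mixed = {"Specops Authenticator", "Security Questions", "Mobile Code (SMS)"}
    weak_only = {"Security Questions", "Personal Email"}
    for mode in ("low", "medium", "high"):
        print(mode, "mixed:", reenrollment_requirement(mode, mixed, policy))
        print(mode, "weak only:", reenrollment_requirement(mode, weak_only, policy))
    # High mode: two weak proofs do not substitute for the strong service the user holds.
    print(reenrollment_allowed("high", mixed, policy, True, {"Security Questions", "Mobile Code (SMS)"}))
    print(reenrollment_allowed("high", mixed, policy, True, {"Specops Authenticator"}))
```

The point to take from the High-mode branch is that a user who holds a strong service is never offered the weak ones, so an attacker who has compromised, say, the user's personal mailbox and phone number cannot use them to re-enroll a new authenticator; the weak path only exists for users who have nothing stronger.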
Auto-enrolled Identity Services and Security Modes
In the Medium and High security modes, users affected by policies that include auto-enrolled identity services, such as Duo Security and Okta, must authenticate with the auto-enrolled identity service on the enrollment page. This means that users must already have their Duo Security or Okta enrollment in place before they can enroll with Specops Authentication.
Lockout Settings
The identity services Mobile Code (SMS), Email, and Personal Email can be configured to lock out after repeated incorrect input by the user. To configure these lockout settings, go to the Identity Services menu in Authentication Web and click the settings icon next to the identity service in question. The following can be configured:
- Lockout threshold: the number of incorrect inputs allowed before the identity service is locked out.
- Lockout duration in minutes: how long the identity service stays locked out.
Trusted Network Locations Setting
When the setting Only from Trusted Network Locations is enabled, users can only enroll when authenticating from one of the Trusted Network Locations specified by administrators. For more information, see Trusted Network Locations.