PolicyAuthnConditions

Authentication Policy conditions let you create, modify, duplicate and delete authentication risk conditions, which evaluate criteria against the authentication request. Risk-based authentication is a mechanism for approving a user's identity that is accompanied by measures estimating the potential risk at the moment of authentication itself. What distinguishes risk-based authentication from traditional authentication is the assignment of conditions to specific resources in order to determine whether or not an incoming request represents a threat.

  • There are two groups of risk conditions:

    • User-unaware conditions

    • User-context-aware conditions

  • When you configure user-unaware conditions, you do not build them on parameters of the user but on those contained in the environment. They are usually strictly resolvable: for example, the system can determine whether the current time falls within the defined interval or whether the IP address lies within the specified range. The risk level configured for such a condition is therefore either applied in full or not at all. The situation with user-context-aware conditions is more complicated.

  • First, a condition of this kind can be evaluated only once DirX Access has obtained information that describes the authenticating subject, for example after the user has entered credentials in the login dialog. Immediately after this step, DirX Access determines who is trying to authenticate and whether any of this subject's properties conflict with a related condition.

  • Secondly, the user context consists of data gathered about the user over a wider time span than a single request, so conditions of this kind are resolved statistically rather than strictly.

  • The risk level is thus computed from the probability of match given by the condition evaluation:

    Risk level = (1 - Confidence of match) * Configured risk level

    To summarize in a short example: suppose we have a regular employee who works five days a week, usually arriving at the office at eight and leaving around four in the afternoon. The employee works with the company's system and logs in in the morning and after lunch. The probability that this employee will perform a login is high at these times, whereas it is highly improbable during weekends and at night. To fill in the equation, imagine that a condition is set to assign a risk level of 10 if the access time deviates from the norm. If our employee logs into the system on a workday at a regular time (Confidence of match is 95%), the result is (1 - 0.95) * 10, which gives a final risk level of 0.5, a low value in relation to the required authentication.

  • The Login Failures Risk Condition and the Login Interval Risk Condition depend on correct settings of the server and the subject template. If you have write access to the User repository, make sure that the "DirX Access number of consecutive login failures" and "DirX Access login date" attributes are set in the Subject template under Persistent data of the Internal Subject Representation, because these attributes are used to store the relevant data.

  • If you do not have write permission to the User repository, make sure that these attributes are left unset in the subject template; otherwise, correct operation of the conditions cannot be guaranteed.
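The two kinds of risk condition and the formula above, as an added example that is not DirX Access code: a user-unaware condition (IP range, time interval) resolves strictly, returning the full configured risk level or nothing, while a user-context-aware condition (access time) derives a Confidence of match from the subject's login history and applies (1 - Confidence of match) * Configured risk level. The frequency model behind the confidence, the function names, the summing of contributions and the constructed login history are assumptions made for illustration; the page does not describe the product's actual statistics.

```python
"""Illustration of risk-condition evaluation (added example, not DirX Access code).

The confidence model, the names and the sample data below are assumptions.
"""
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass(frozen=True)
class AuthRequest:
    subject: Optional[str]   # None until the credentials identify the subject
    source_ip: str
    time: datetime


# ---- User-unaware conditions: strictly resolvable from the environment ----

def ip_range_risk(req: AuthRequest, allowed_network: str, risk_level: float) -> float:
    """Full configured risk level if the source address lies outside the allowed
    network, 0 otherwise. There is no partial match for this kind of condition."""
    outside = ipaddress.ip_address(req.source_ip) not in ipaddress.ip_network(allowed_network)
    return risk_level if outside else 0.0


def time_interval_risk(req: AuthRequest, start_hour: int, end_hour: int, risk_level: float) -> float:
    """Full configured risk level if the request time is outside [start_hour, end_hour)."""
    inside = start_hour <= req.time.hour < end_hour
    return 0.0 if inside else risk_level


# ---- User-context-aware condition: needs the subject and its login history ----

def _bucket(ts: datetime):
    """Coarse description of a login time: (workday|weekend, day|night).
    Assumed simplification; the real statistics are not described on the page."""
    day_type = "workday" if ts.weekday() < 5 else "weekend"
    part = "day" if 6 <= ts.hour < 20 else "night"
    return (day_type, part)


def confidence_of_match(history: List[datetime], ts: datetime) -> float:
    """Share of the subject's past logins that fall in the same bucket as ts.
    0.0 when there is no history, i.e. nothing supports the match."""
    if not history:
        return 0.0
    same = sum(1 for h in history if _bucket(h) == _bucket(ts))
    return same / len(history)


def access_time_risk(req: AuthRequest, history: List[datetime], risk_level: float) -> Optional[float]:
    """(1 - Confidence of match) * Configured risk level, or None while the
    subject is still unknown and the condition cannot be evaluated yet."""
    if req.subject is None:
        return None
    return (1.0 - confidence_of_match(history, req.time)) * risk_level


def evaluate(req: AuthRequest, history: List[datetime]) -> dict:
    """Apply one condition of each kind and sum what could be evaluated.
    Summing the contributions is an assumption about how results are combined."""
    results = {
        "ip_range": ip_range_risk(req, "10.0.0.0/8", 20.0),
        "time_interval": time_interval_risk(req, 6, 20, 5.0),
        "access_time": access_time_risk(req, history, 10.0),
    }
    results["total"] = sum(v for v in results.values() if v is not None)
    return results


def sample_history() -> List[datetime]:
    """Constructed history for the employee in the text: 38 logins on workdays
    in the morning or after lunch, plus one late-evening and one Saturday login."""
    monday = datetime(2024, 1, 1)            # 1 Jan 2024 is a Monday
    logins = []
    for week in range(4):
        for weekday in range(5):
            day = monday + timedelta(days=7 * week + weekday)
            logins.append(day.replace(hour=8, minute=5))
            logins.append(day.replace(hour=13, minute=10))
    logins = logins[:38]
    logins.append(datetime(2024, 1, 9, 22, 30))   # Tuesday night
    logins.append(datetime(2024, 1, 13, 10, 0))   # Saturday morning
    return logins


if __name__ == "__main__":
    hist = sample_history()
    regular = AuthRequest("alice", "10.1.2.3", datetime(2024, 1, 29, 8, 30))   # a Monday
    odd = AuthRequest("alice", "10.1.2.3", datetime(2024, 1, 28, 2, 0))        # a Sunday
    print(evaluate(regular, hist))   # access_time close to 0.5, as in the text's example
    print(evaluate(odd, hist))       # access_time 10.0, plus 5.0 from the time interval
```

With the constructed history, 38 of 40 logins share the workday-daytime bucket, so a Monday 08:30 login yields a Confidence of match of 0.95 and a contribution of (1 - 0.95) * 10 = 0.5, matching the text. A Sunday 02:00 login matches no past behaviour and receives the full 10, while the strictly resolvable conditions contribute either their whole configured level or nothing. Until a subject is known, the access-time condition returns None and only the user-unaware conditions count.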