Multi-factor authentication (MFA) is a well-known security practice that requires users to pair something they know with something they possess before gaining access to their accounts and other types of sensitive information. MFA helps to safeguard against threats arising from compromised credentials. EmpowerID recognizes this and has implemented an Adaptive MFA engine that provides an extra layer of security for all types of authentication, including Web SSO, LDAP and RADIUS. EmpowerID's MFA is "adaptive" in that it can be configured to analyze contextual information such as IP addresses, identity providers, devices, distance traveled and velocity since last login, and other real-time factors to dynamically assess the risk of each login. If a risk is identified, a strong second factor can be required before access is granted. These factors, known in EmpowerID as "MFA methods" or "MFA Types," include many popular factors in use today, like DUO Push, YubiKeys and one-time passwords delivered to a person's preferred communication medium.

In addition to Adaptive Authentication, which can deny login or require multi-factor authentication, EmpowerID includes standard MFA policies. In EmpowerID, MFA is a flexible, points-based or Level of Assurance (LoA) system that is easy to configure. Administrators define a specific number of points, known as "trust points," "MFA points" or "LoA," and apply those points to Password Manager policies, MFA methods, IP address ranges, identity providers and other objects in EmpowerID to set a target point total for authenticating to EmpowerID, as well as for accessing any third-party applications secured by EmpowerID. Depending on how EmpowerID is configured, users may be required to pass through a number of checkpoints and to submit additional biographic information before gaining access to resources. Checkpoints can include the user's IP address, the selected identity provider and the Password Manager policy assigned to the user.

At a high level, the image below shows what a typical standard MFA scenario could look like. In the scenario, there are three possible outcomes, based on the combination of a configured IP Address Range of blacklisted IP addresses and the Password Manager policies.


In the above scenario, users encounter three checkpoints: the IP Address checkpoint, the Identity Provider checkpoint and the Password Manager policy checkpoint. Each of these is discussed in greater detail below.

IP Address Checkpoint

One component of EmpowerID's Adaptive MFA engine is the IP Address checkpoint. This checkpoint is the initial gate through which users must pass before gaining access to the EmpowerID Login page. IP Address checkpoints consist of special objects you create, known as IP Address Ranges. IP Address Ranges allow you to define the login options available to users accessing your portal from any device that falls within the specified IP address range. EmpowerID provides three IP address range types that you can configure: Internal, External and Blacklisted. When you create an IP address range, you choose the type and specify the beginning and ending IP addresses for that range. Once you create the IP address range, you can apply it to your Password Manager policies and any federated applications you may use. Usage examples could include:

If you do not create any IP address ranges, EmpowerID treats all login attempts as originating from outside your network (external logins). This is important to note in the event your login policy requires multi-factor authentication and you have set the number of trust points differently for internal versus external users. In this case, EmpowerID would consider your network users to be external and require them to accumulate the trust points you set for external users. See Creating IP Address Ranges for more information.

Identity Provider Checkpoint

Another component of EmpowerID's Adaptive MFA engine is the Identity Provider checkpoint. The Login page is the second gate through which users must pass before gaining access to EmpowerID. The Identity Provider checkpoint is a selection of SSO connections that you can create for third-party identity provider applications that support the use of OAuth 2 for identity transactions. This allows you to offer users the ability to authenticate to EmpowerID using the credentials from any OAuth Consumer application with which you establish a trust relationship. EmpowerID provides a number of templates configured out of the box for use with popular OAuth consumer applications like those listed below. In addition, EmpowerID provides a generic template that you can use as a starting point for building your own custom connections.

You can assign an MFA type for each application so that it gets the trust point value for that authentication type. For more information, see Assigning MFA Types to Applications. EmpowerID adds trust points for the Identity Provider to the tally and passes them along to the password manager policy.

Password Manager Policy Checkpoint

The final checkpoint is the Password Manager Policy. The policy defines login restrictions, password complexity requirements, self-service password reset options, and enrollment requirements that govern a user's ability to manage their own passwords or log in to EmpowerID or any application using EmpowerID for login protection. You can create custom policies or use the default Password Manager Policy that is applied to the entire enterprise. The Authentication Settings section of each policy is where the number of MFA points required to log in from local or remote subnets is defined. Depending on whether the accumulated points meet the MFA points required, the user is either authenticated or sent for further authentication. For more information, see Setting Up Password Manager Policies and Assigning Adaptive Authentication Rules to Password Manager Policies.
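To make the three-checkpoint flow concrete, the following is an added illustrative model (not EmpowerID's code) of how trust points tally across the IP Address, Identity Provider and Password Manager policy checkpoints. The range boundaries, point values, thresholds and MFA type names are constructed sample data; the model also covers the caveat that, with no IP address ranges configured, every login is treated as external.

```python
# Hypothetical points-based (LoA) login decision across the three checkpoints.
from dataclasses import dataclass
from ipaddress import ip_address

@dataclass(frozen=True)
class IPRange:
    kind: str      # "Internal", "External" or "Blacklisted"
    start: str     # beginning IP address of the range
    end: str       # ending IP address of the range
    points: int    # trust points granted for logging in from this range

    def contains(self, ip: str) -> bool:
        return ip_address(self.start) <= ip_address(ip) <= ip_address(self.end)

@dataclass(frozen=True)
class PasswordManagerPolicy:
    required_internal: int   # points needed to log in from local subnets
    required_external: int   # points needed to log in from remote subnets

def classify_ip(ip, ranges):
    """First matching range wins; with no match (or no ranges) treat as External."""
    for r in ranges:
        if r.contains(ip):
            return r.kind, r.points
    return "External", 0

def evaluate_login(ip, idp_points, policy, ranges, mfa_types):
    """Tally points and decide: deny, allow, or step_up to a second factor."""
    kind, ip_points = classify_ip(ip, ranges)
    if kind == "Blacklisted":
        return {"decision": "deny", "reason": "blacklisted IP range"}
    required = policy.required_internal if kind == "Internal" else policy.required_external
    tally = ip_points + idp_points            # IP checkpoint + identity provider points
    if tally >= required:
        return {"decision": "allow", "points": tally, "required": required}
    shortfall = required - tally
    options = sorted(name for name, pts in mfa_types.items() if pts >= shortfall)
    if not options:                           # no single MFA type can close the gap
        return {"decision": "deny", "reason": f"no MFA type covers shortfall of {shortfall}"}
    return {"decision": "step_up", "points": tally, "required": required,
            "shortfall": shortfall, "mfa_options": options}

# Constructed sample configuration (assumed values, not defaults from any product)
RANGES = [IPRange("Internal", "10.0.0.0", "10.255.255.255", 2),
          IPRange("Blacklisted", "203.0.113.0", "203.0.113.255", 0)]
POLICY = PasswordManagerPolicy(required_internal=3, required_external=5)
MFA_TYPES = {"DUO Push": 3, "YubiKey OTP": 3, "Email OTP": 1}
```

Calling `evaluate_login("198.51.100.7", 2, POLICY, RANGES, MFA_TYPES)` yields a step_up decision listing the MFA types worth at least the 3-point shortfall, while passing `ranges=[]` shows an internal address being held to the external threshold.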


Next Steps

Set MFA points on policies

Assign MFA Types to Password Manager Policies

Assign Adaptive Authentication Rules to Password Manager Policies

Set MFA points on applications

Assign MFA Types to applications

Assign Adaptive Authentication Rules to applications

Edit MFA Type point values

Set MFA points granted by SSO connections

Configure EmpowerID for the Mobile app

Integrate DUO Two-Factor Authentication

Integrate Yubico OTP

Customize MFA Retry Limit

Configure MFA Communication options

Enable Passwordless Login

Register VASCO Hardware OATH tokens

Configure the EmpowerID RADIUS server