Creating policies for MFA enforcement

Learn how to create a policy enforcing multi-factor authentication (MFA) in SecureAuth in order to assign it as an additional protection layer for user authentication and grant assignments.

About MFA Policies

When the MFA policy is evaluated, it requires the user to raise their level of identity assurance by proving possession of a one-time password sent to them by SMS or email. If no such proof is provided, the user's request fails.

Prerequisites

  • Access to a SecureAuth tenant with the Demo application and the Sandbox IDP enabled for testing purposes. Your Sandbox IDP user must have MFA enabled.

  • When a non-sandbox IDP is used, the IDP's claims must provide the user's e-mail address and/or phone number, and these claims must be mapped to the corresponding authentication context attributes: email, email_verified, phone_number, phone_number_verified. Without a verified delivery channel the one-time password cannot be sent and the MFA step cannot complete. For more information, see Setting up authentication context.

Define MFA Policy

You're going to create an MFA policy which always asks for additional verification upon user login. You'll test this policy in a Demo application.

Define SecureAuth MFA Policy

The video below shows how to create an MFA policy, assign it to an application, and verify that your policy works.

Note

A similar SecureAuth policy exists in SecureAuth by default, under the name MFA User.

  1. In your workspace, select Authorization > Policies > + CREATE POLICY.

  2. In the Create Policy popup window

    1. Select the User policy type from the dropdown menu.

      Note

      SecureAuth provides several policy types in its editor. These types group policies by their intended use, so a policy of a given type can only be assigned to its dedicated area. For example, a user policy cannot be used to restrict client assignments. For MFA, you need to create a User policy.

    2. Specify the Policy name.

    3. Select SecureAuth as the Policy language.

    4. Select Create.

    5. Add the MFA validator in the policy editor (Add validator > Authentication factors > MFA validator). Save your changes.

      Result: Your policy is now ready and can be assigned to an application.

  3. Select Applications > Demo from the sidebar.

  4. Assign your newly created policy in the User policy field and save your changes.

  5. Log in to the Demo application and verify that the policy is applied. You should get prompted to validate yourself via one of the available MFA methods.

Define Rego MFA Policy

If you want to use MFA in a Rego policy, repeat the procedure above, but select Rego as the policy language instead of SecureAuth. In the Rego policy editor, add the following two items:

  • A check that MFA has been completed before the policy can pass - input.login.verified_recovery_methods[_] = "mfa"

  • MFA as the recovery step to run when the policy does not pass - recovery = ["mfa"]

The policy below always asks for MFA verification when validated. When ready, your policy should look as follows:

package acp.authz

# Deny unless a rule below grants access.
default allow = false

# Pass only once the user has completed MFA during this login.
allow {
    input.login.verified_recovery_methods[_] = "mfa"
}

# When allow is false, MFA is triggered as the recovery step and the policy
# is evaluated again with "mfa" present in verified_recovery_methods.
recovery = ["mfa"]
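The following is an added example, not a policy shipped with SecureAuth or shown elsewhere on this page. It generalizes the policy above by offering MFA as the recovery step only when the user actually has a verified channel to receive the one-time password. It assumes that the authentication context attributes listed in the prerequisites (email_verified, phone_number_verified) are exposed to Rego under input.authn_ctx, and that an empty recovery list means "no recovery step"; both are assumptions, so check them against your tenant's policy input before relying on this.

```rego
package acp.authz

# Added example; assumes input.authn_ctx carries the mapped authentication
# context attributes (email_verified, phone_number_verified).

# Deny unless a rule below grants access.
default allow = false

# Assumption: an empty recovery list means no recovery step is offered.
default recovery = []

# Pass only once the user has completed MFA during this login.
allow {
    input.login.verified_recovery_methods[_] == "mfa"
}

# The user has at least one verified channel for OTP delivery.
has_otp_channel {
    input.authn_ctx.email_verified == true
}

has_otp_channel {
    input.authn_ctx.phone_number_verified == true
}

# Offer MFA as the recovery step only when the OTP can be delivered.
# Otherwise the request fails outright instead of prompting for a
# challenge the user can never complete.
recovery = ["mfa"] {
    has_otp_channel
}
```

With this policy, a user whose IDP claims lack a verified email and phone number is denied immediately, which surfaces the missing claim mapping as a policy failure rather than as an MFA prompt that silently never arrives.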