Configure the Level of Assurance (LOA) threshold
The Level of Assurance (LOA) threshold determines the confidence level required for authentication. If a user's real-time LOA falls below the set threshold, they must verify their identity with a second factor.
-
Go to Sign-in and Sign-up settings.
-
Tenant level: Go to Tenant Settings (gear icon) > Identity Pools > [Selected Identity Pool] > Sign-in and Sign-up.
-
Workspace level: In your workspace, go to Users > Sign-in and Sign up.
-
-
Expand the Sign-in section and locate the Level of assurance threshold setting.
-
Adjust the slider to set the required confidence level.
Level of Assurance Threshold (LOA)
Defines the minimum confidence level required for authentication. If the real-time LOA falls below this threshold, users must verify their identity with a second factor.
Recommended ranges:
Low (30%)
Low confidence in identity verification. The user may be new or logging in from an unknown device.
Medium (60%)
Moderate confidence. Repeated logins from the same device increase LOA over time.
High (80%)
Strong assurance. Indicates high trust in the user's identity based on device characteristics.
To learn more, see Risk Engine: Smarter security in action and Risk analyzers.
- Save your changes.
Understanding LOA threshold levels
Recommended threshold levels
Low (30%) - Minimal Security
When to use: Low-risk applications or when user convenience is prioritized.
User experience: Rare MFA prompts, even from new devices.
Security considerations: Users may be new or logging in from unknown devices with minimal additional verification.
Medium (60%) - Balanced Security
When to use: Standard business applications requiring moderate security.
User experience: MFA required for suspicious activity, but trusted devices build confidence over time.
Security considerations: Moderate confidence level. Repeated logins from the same device increase LOA over time.
High (80%) - Maximum Security
When to use: High-security environments, sensitive data access, or compliance requirements.
User experience: Frequent MFA prompts until strong device trust is established.
Security considerations: Strong assurance in user identity based on comprehensive device characteristics and behavior patterns.
Threshold selection guide
| LOA Level | Security Need | User Impact | Best For |
|---|---|---|---|
| 30% | Low | Minimal MFA prompts | Public-facing apps, convenience-focused |
| 60% | Medium | Balanced security/UX | Standard business applications |
| 80% | High | Frequent MFA initially | Sensitive data, compliance environments |
How LOA works
The risk engine continuously evaluates user behavior and device characteristics:
- New users/devices: Start with lower LOA scores
- Trusted patterns: LOA increases with consistent, safe behavior
- Suspicious activity: LOA decreases, triggering MFA requirements
- Device recognition: Familiar devices gradually build higher confidence
Best practices
Security recommendations
- Start conservative: Begin with medium (60%) and adjust based on user feedback
- Monitor patterns: Review authentication logs to optimize threshold settings
- Consider user types: Different user groups may need different LOA requirements
User experience considerations
- Communicate changes: Inform users about new security measures
- Provide alternatives: Ensure multiple MFA options are available
- Monitor support requests: Watch for increased authentication-related help desk tickets
Troubleshooting
Common issues
| Issue | Symptom | Solution |
|---|---|---|
| Too many MFA prompts | Users complain about constant authentication | Lower the LOA threshold or check risk analyzer sensitivity |
| Insufficient security | Unauthorized access from suspicious sources | Raise the LOA threshold and review risk engine settings |
| Inconsistent behavior | MFA requirements seem random | Review risk analyzer configuration and device trust policies |
Monitoring and adjustment
- Review authentication logs weekly for the first month after changes
- Survey users about authentication experience
- Adjust thresholds based on security incidents and user feedback
- Monitor LOA scores to understand typical user patterns