Manage authentication rules
Use authentication policies to define actions that trigger during authentication requests when they meet specific conditions for specified events.
Create a new policy
- In your Workforce workspace, from the left navigation, click Authentication > Auth Rules.
- Click Create New Policy.
- Configure the Policy Information section with your policy details.
- Set conditions in the When section that will trigger the policy action.
- Select the Action you want the policy to take when conditions are met.
- Save your changes.
Policy Information
Use the Policy Information section to configure basic policy settings and specify which events and applications the policy affects.
Name
Name of the policy.
Description
(Optional) Description of the policy.
Event
Select the event on which the policy will be evaluated. Available options:
- Authentication – Policy applies to first-time authentication events and continuous authentication events. For example, a user logs in to an application and it provides continuous authentication access when the user switches to another application while still logged in.
- Enrollment – Policy applies when users access the system for the first time and need to complete initial setup requirements. For example, when a user logs in for the first time, it forces device pairing with a mobile app.
- Passkey Enrollment – Policy applies when users are enrolling passkey devices and enables administrators to enforce restrictions on which devices can be used. For example, you can restrict passkey enrollment to only allow specific authenticator types or block certain device models based on security requirements.
Applications
To universally apply this policy to all applications, select the Apply to All Applications check box.
Otherwise, select the applications to which the policy applies from the list. For example, the User Portal.
Enabled
To make this policy active, select the Enabled check box.
When
Use the When section to set conditions that determine when the policy action triggers.
When an authentication or enrollment event meets all the condition predicates, the policy triggers. Multiple conditions use AND logic.
Always
Apply this policy in all circumstances for the specified applications and event.
For example, you want to temporarily disable MFA for all users.
Overall LOA Score
Set the LOA Score Range within which the LOA score triggers the policy action.
The action triggers when the LOA score is greater than or equal to, or less than or equal to, the value you specify.
For example, if you set the condition to greater than or equal to 3 and select the Auto Approve action for the policy, a user whose LOA score is 3 or greater logs in without MFA.
Directory Groups
Specify one or more user groups for this policy based on your selected user directory.
Select the user directory from the Search Groups In dropdown. Depending on the directory type you select, additional configuration options may appear, such as checkboxes to include built-in groups or distribution lists.
The policy triggers when the authenticating user belongs to any of the specified groups.
Network
Set conditions based on the user's IP address.
You can specify one or more IP addresses or a range of IPs using CIDR notation. You can separate them by commas, like 1.2.3.4,1.2.3.5,1.2.10.0/24.
Country
Determine access based on whether the user is or is not in a specified country.
If you specify more than one country, then it invokes the policy action when the user is in any of the selected countries.
Select the Include mobile location check box to also evaluate the geographic location of the user's mobile device in addition to their network location.
Password Last Used
Set conditions based on when the user last used their password for authentication.
Configure whether the condition triggers when the password was used greater than or equal to a specified number of days ago. This allows you to enforce periodic password usage by requiring users to enter their password after a specified time period.
Passkey Device Type
Set conditions based on the type of passkey device the user is attempting to register.
Use the search field to select specific passkey device types that you want to reject. This uses a deny-list approach, allowing all passkey device types except those specified in the policy with the Automatically Reject action.
Timezone Offset Delta
Set conditions based on timezone differences between the user's device and their IP location.
Configure the threshold in minutes for when the condition triggers if the difference between the DBFP timezone offset and the authentication request IP timezone offset is greater than or equal to the specified value. This helps detect potentially suspicious login attempts where the user's device timezone doesn't match their apparent geographic location.
Time of Day
Use time and day patterns to control when users can authenticate. You can specify both time ranges and days of the week.
For example, when you combine this with the Country condition, you can increase friction for users located in a specific country when they try to access the system outside of business hours or during the weekend.
Login to other applications
Set conditions based on applications the user has logged into within a specified time period.
To meet this condition only when the user is coming from the same IP address for each application, select the Require matching IP address check box.
For example, you can define a policy to auto-approve a user authentication request to a web application if the same user has used MFA to their Windows machine from the same IP address within the past 5 minutes.
Paired Desktop Workstation
Set conditions based on whether the user has a paired workstation with specified configurations. The policy triggers only when all specified fields match.
This provides granular control over when to apply this policy.
If you use this condition, you must choose at least one item. You can use any of the following conditions:
- Workstation State – Select the status of the workstation at the time of the authentication event. Options are: Logged In, Logged Out, Locked, Unlocked, Login Failed.
- Workstation Name – Enter the name of the workstation or enable Regex to create a matching pattern.
- Public IP – The public IP address of the workstation where the authentication attempt originates.
- Network Interface MAC – The network interface MAC address of the workstation where the authentication attempt originates.
- Auto Updates – Check if the workstation has operating system automatic updates enabled. Options are: Doesn't Matter, Enabled, or Disabled.
- User Password – Check if the workstation has password login enabled. Options are: Doesn't Matter, Enabled, or Disabled.
- Secure Boot – Check if the workstation has secure boot enabled. Options are: Doesn't Matter, Enabled, or Disabled.
- User Name – Enter the login username or enable Regex to create a matching pattern.
- LAN IP – The local IP address of the workstation where the user login originates.
- Gateway MAC – The gateway MAC address of the network where the workstation login originates.
- BitLocker – Check if the workstation has BitLocker enabled. Options are: Doesn't Matter, Enabled, or Disabled.
- Firewall – Check if the workstation has a firewall enabled. Options are: Doesn't Matter, Enabled, or Disabled.
- Operating System / Version – Check if the condition applies to a specific operating system of workstations. Options are: Any, Windows, or macOS.
Login Type
Set conditions based on the authentication method the user is attempting to use.
Select one or more login types from the available options: OAuth Federation, Password Login, Passwordless Login, or QR Code Login. The policy triggers when the user attempts to authenticate using any of the specified login methods.
Security Escalation Request
Set conditions based on when users are attempting to perform security-sensitive operations.
Select the secure operation from the list (such as Reset Password) that will trigger this policy. This allows you to apply additional authentication requirements when users attempt high-risk actions that require elevated security verification.
Last MFA
Set conditions based on whether the user has already completed multi-factor authentication using specific methods in the current session.
Select the out-of-band MFA methods from the list that will trigger this policy. This allows you to modify authentication requirements based on which MFA methods the user has already used during their current session.
User-Defined Condition
This predicate gives you the highest level of customization. You can create a predicate using the Ruby programming language.
For example, the Network predicate configured in the UI can be written in Ruby as a custom predicate:
IPAddr.new('10.20.30.0/24').include?(context.auth_request.ip_address)
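The following is an added example, not the product's own code, that expands the one-liner above into a runnable Ruby predicate covering the Network condition described earlier on this page: it parses the comma-separated list of addresses and CIDR ranges and tests the request IP against it. The `context`, `auth_request` and `ip_address` names come from the page's one-liner; the Struct definitions are a constructed stand-in for the real context object, and `parse_network_list` and `network_match?` are names chosen here.

```ruby
require 'ipaddr'

# Constructed stand-in for the `context` object the custom predicate reads
# (assumption: only auth_request.ip_address is modelled here).
AuthRequest = Struct.new(:ip_address)
Context     = Struct.new(:auth_request)

# Parse a Network condition value such as "1.2.3.4,1.2.3.5,1.2.10.0/24"
# into IPAddr objects. A bare address becomes a single-host network, so
# `include?` works the same way for hosts and CIDR ranges. A malformed
# entry raises IPAddr::InvalidAddressError: a bad list is a configuration
# error and should fail loudly rather than silently match nothing.
def parse_network_list(list)
  list.split(',').map(&:strip).reject(&:empty?).map { |entry| IPAddr.new(entry) }
end

# Equivalent of the UI Network predicate: true when the request IP falls in
# any listed address or range. An unparsable request IP never matches, so a
# policy keyed on this condition cannot be triggered by malformed input.
def network_match?(list, context)
  networks = parse_network_list(list)
  ip = begin
    IPAddr.new(context.auth_request.ip_address.to_s)
  rescue IPAddr::InvalidAddressError
    return false
  end
  networks.any? { |net| net.include?(ip) }
end

# The page's own one-liner, wrapped so it can be called like any other
# condition. IPAddr#include? accepts a string and compares address families,
# so an IPv6 request never matches an IPv4 range.
def custom_predicate(context)
  IPAddr.new('10.20.30.0/24').include?(context.auth_request.ip_address)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample requests.
  ctx = Context.new(AuthRequest.new('1.2.10.77'))
  puts network_match?('1.2.3.4,1.2.3.5,1.2.10.0/24', ctx)            # true
  puts custom_predicate(Context.new(AuthRequest.new('10.20.30.9')))  # true
end
```

Keeping the list parse separate from the request-IP parse matters: an administrator's typo in the CIDR list should surface as an error when the policy is saved or evaluated, while an odd value in the request should simply not match.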
Actions
Use the Actions section to specify what happens when policy conditions are met.
- For Authentication events, select an action for the policy:
  - Automatically Approve – Automatically approve the authentication request and skip MFA.
  - Automatically Reject – Automatically reject the authentication request and block user access.
  - Force Out Of Band – Override all current rules and force user to complete MFA.
  - Adjust LOA Score – Increase or decrease the user's LOA score based on your organization's needs.
- For Enrollment events, select an action for the policy:
  - Require Device Pairing – Force user to pair their mobile device. User must pair if they are authenticating for the first time or if their device is not currently paired.
  - Adjust LOA Score – Increase or decrease the user's LOA score based on your organization's needs.
- For Passkey Enrollment events, select an action for the policy:
  - Automatically Approve – Allow enrollment of the specified passkey device types (currently disabled until exposed in a future release).
  - Automatically Reject – Block enrollment of the specified passkey device types while allowing all others.
How authentication actions are prioritized
When multiple policies apply to the same transaction, the system processes actions in the following priority order:
- Automatically Reject – If one or more matching policies have this action, the system rejects MFA and denies user access.
- Force Out of Band – If no reject actions apply and one or more matching policies have this action, the system sends MFA to the user.
- Automatically Approve – If neither reject nor force actions apply and one or more policies have this action, the system automatically approves MFA for the user.
For example, if five different policies match the current conditions and one has "Automatically Reject," the system rejects user access regardless of other policy actions.
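As an added example, not the product's own code, the Ruby below models how the When section's AND semantics and the priority order above combine when several policies match one authentication request. The `Ctx` and `Policy` structures, the condition builders (Overall LOA Score, Directory Groups, Timezone Offset Delta, Always) and the symbolic action names are assumptions made for illustration; the page names the actions but not the data model. Adjust LOA Score and the enrollment actions are left out because the page does not state how they are prioritized.

```ruby
# Constructed stand-in for the authentication request context (assumption:
# fields chosen to cover a few of the page's conditions; offsets in minutes).
Ctx = Struct.new(:event, :loa_score, :groups, :device_tz_offset, :ip_tz_offset,
                 keyword_init: true)

Policy = Struct.new(:name, :event, :enabled, :conditions, :action, keyword_init: true)

# Condition builders. Each returns a predicate over the context.
def loa_at_least(min)                 # Overall LOA Score, "greater than or equal to"
  ->(ctx) { ctx.loa_score >= min }
end

def in_any_group(*groups)             # Directory Groups: any listed group matches
  ->(ctx) { (ctx.groups & groups).any? }
end

def tz_delta_at_least(minutes)        # Timezone Offset Delta threshold
  ->(ctx) { (ctx.device_tz_offset - ctx.ip_tz_offset).abs >= minutes }
end

ALWAYS = ->(_ctx) { true }            # Always

# A policy matches when it is enabled, targets this event, and every one of
# its conditions holds (the page's AND semantics across conditions).
def matching_policies(policies, ctx)
  policies.select do |p|
    p.enabled && p.event == ctx.event && p.conditions.all? { |c| c.call(ctx) }
  end
end

# Priority order from the page: any reject wins, then force out-of-band,
# then approve. nil means no matching policy decided, so normal flow applies.
ACTION_PRIORITY = %i[reject force_out_of_band approve].freeze

def resolve_action(policies, ctx)
  actions = matching_policies(policies, ctx).map(&:action)
  ACTION_PRIORITY.find { |a| actions.include?(a) }
end

# Constructed sample policy set.
SAMPLE_POLICIES = [
  Policy.new(name: 'High LOA skips MFA', event: :authentication, enabled: true,
             conditions: [loa_at_least(3)], action: :approve),
  Policy.new(name: 'Contractors always get MFA', event: :authentication, enabled: true,
             conditions: [in_any_group('Contractors')], action: :force_out_of_band),
  Policy.new(name: 'Contractor with timezone mismatch', event: :authentication, enabled: true,
             conditions: [in_any_group('Contractors'), tz_delta_at_least(180)], action: :reject),
  Policy.new(name: 'Disabled lockdown', event: :authentication, enabled: false,
             conditions: [ALWAYS], action: :reject)
].freeze

if __FILE__ == $PROGRAM_NAME
  # A contractor with a high LOA score whose device clock (UTC-5) disagrees
  # with the request IP's zone (UTC+1): approve, force and reject all match,
  # and reject wins.
  ctx = Ctx.new(event: :authentication, loa_score: 4, groups: %w[Staff Contractors],
                device_tz_offset: -300, ip_tz_offset: 60)
  puts resolve_action(SAMPLE_POLICIES, ctx)   # reject
end
```

The disabled policy never matches regardless of its Always condition, which is the behaviour the Enabled check box describes, and a low-LOA staff user matches nothing, so `resolve_action` returns nil and the default MFA flow continues.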