Last active
August 29, 2015 14:17
MFA Policies
Assumptions:
1. There would be a "Default" Sign-on Policy that returns "ALLOW" by default on successful authentication
2. There would be a "Default" MFA Policy that allows "ALL" configured factors to be enrolled/challenged

Policy Configuration Flow:
1. Admin configures "Sign-on" Policy with "factor required" rule
2. Admin then configures "MFA" Policy with list of allowed factors for the Groups
3. (Nice to have) There should be a "Find Policy" button to preview which policy would be evaluated given a User Group / Users

Policy Evaluation Flow:
1. After authentication, the sign-on policy would be evaluated
2. As part of the sign-on policy, if it requires a factor then it evaluates the "Enroll MFA" Policy to determine which factors are allowed for the User
3. If the User is enrolled in any of those factors then those are used for "Challenge"
4. Otherwise the User is prompted to enroll in at least one of the factors
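
The evaluation flow above as a small evaluator (an added example, not code from the original gist). The factor names, group names, first-match policy ordering, and the fail-closed "DENY" when a policy allows no factors are assumptions made for illustration.

```python
from dataclasses import dataclass

ALL_FACTORS = ["sms", "totp", "push"]  # constructed: every factor configured in the org

@dataclass
class SignOnRule:
    groups: frozenset          # groups this rule applies to
    factor_required: bool

@dataclass
class MfaPolicy:
    groups: frozenset          # groups this policy applies to
    allowed_factors: list      # factors these groups may enroll in / be challenged with

# The page's two assumed defaults: ALLOW on successful auth, and ALL factors allowed.
DEFAULT_SIGNON = SignOnRule(frozenset(), factor_required=False)
DEFAULT_MFA = MfaPolicy(frozenset(), list(ALL_FACTORS))

# Constructed sample configuration.
SIGNON_RULES = [SignOnRule(frozenset({"contractors", "finance"}), factor_required=True)]
MFA_POLICIES = [MfaPolicy(frozenset({"contractors"}), ["totp", "push"])]

def find_policy(policies, user_groups, default):
    """First policy whose groups overlap the user's groups (ordering is an assumption)."""
    for policy in policies:
        if policy.groups & set(user_groups):
            return policy
    return default

def evaluate(user_groups, enrolled, signon_rules=SIGNON_RULES, mfa_policies=MFA_POLICIES):
    """Return (decision, factors) for a user who has just authenticated."""
    rule = find_policy(signon_rules, user_groups, DEFAULT_SIGNON)      # step 1
    if not rule.factor_required:
        return ("ALLOW", [])
    policy = find_policy(mfa_policies, user_groups, DEFAULT_MFA)       # step 2
    if not policy.allowed_factors:
        return ("DENY", [])  # assumption: fail closed if no factor is allowed
    # Step 3: only enrolled factors that the policy allows may be challenged.
    usable = [f for f in policy.allowed_factors if f in enrolled]
    if usable:
        return ("CHALLENGE", usable)
    return ("ENROLL", list(policy.allowed_factors))                    # step 4

if __name__ == "__main__":
    print(evaluate({"contractors"}, {"sms"}))          # enrolled factor is not allowed
    print(evaluate({"contractors"}, {"sms", "push"}))  # challenge with the allowed one
    print(evaluate({"finance"}, {"sms"}))              # falls back to default MFA policy
    print(evaluate({"staff"}, set()))                  # default sign-on policy
```

`find_policy` is also the lookup a "Find Policy" preview would run for a given set of groups.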

Future Extensions to "MFA" Policy:
1. Determine the list of mandatory vs optional factors to be enrolled
2. Determine the order of factors that can be used for challenge
3. Determine which factors can be used given the current authentication context
4. Set Lockout policy specific to each of the factors