Step-up authentication¶
About Step-up authentication¶
Step-up authentication is a process by which an end-user is challenged to authenticate himself or herself through an extra form of authentication. The user is challenged to do this to provide a higher-level of assurance. After the user authenticated himself or herself with this extra authentication method, the authentication level is increased for the duration of the session an end-user is in. Examples of step-up authentication methods are pin, sms, e-mail, Google Authenticator (Time based one time password) and mobile authentication.
Prerequisites¶
The following prerequisites are in place to successfully configure Step-up authentication:
- The Onegini IdP instance must be running;
- Access to the Onegini Consumer Identity Access Manager.
How do I configure Step-up authentication?¶
- Login to the Onegini Consumer Identity Access Manager-> click the tab
Smart Security
-> clickStep-up authentication
. - The following window opens, consisting of three sections, explained below the screenshot:
Step-up authentication level configuration¶
In this section the authentication level for each step-up authentication method can be set:
- Pin
- Sms
- Google authenticator
- Mobile step-up authentication (push) (provided by the Onegini Token Server)
- StepUp Externally Delivered Code (letter)
Note
There are four levels of authentication. Level 1 being the lowest level of security and level 4 being the highest level of security.
Use stronger coupled identity provider¶
In this section, the option 'Use stronger coupled identity provider' is also available. In addition to the standard step-up authentication methods, like sms and email, this option enables a user to authenticate with a stronger coupled identity provider, in this case 'stronger' means a identity provider with a higher authentication level. After you enabled the option 'Use stronger coupled identity provider', the user can choose which identity provider to use to increase the authentication level on the step-up authentication page.
For example, when a user wants to log on to the website an insurance company, he uses his email address and password. However, because the insurance company keeps sensitive data, the user needs to authenticate with a even stronger method. That is why, while the user is on the step-up authentication page after logging in, the user gets the option to authenticate with his or her AppleID. The user has this possibility, because the administrator of the insurance company enabled the option 'Use stronger coupled identity provider'. AppleID in this case meets the required authentication level of the service provider.
When the option 'Use stronger coupled identity provider' is enabled, the user can use external coupled identity providers to do step-up authentication, even if no other step-up methods (like sms or email) are defined.
Note
Setting the authentication level for SAML based Identity Providers can be done through additional configuration, available in the Onegini Consumer Identity Access Manager.
- Go the tab
Configuration
-> ClickIdentity Providers
-> find or create a SAML Identity Provider in the field 'Type' -> go the 'Authentication level mappings' section. - The authentication level that is configured here, is favored over the authentication level defined on the tab
Step-up authentication
.
Preferred step-up method handling¶
In this section two options are available, that help you define which step-up authentication method gets priority over other methods.
Option | Description |
---|---|
Always force strongest available step-up authentication method | If this option is enabled, and the user is not able to authenticate with a external identity provider (because the option ‘Use stronger coupled identity provider’ is disabled), then the user will be forced to use the step-up authentication method with the highest authentication level. If this option is enabled and the user can use an external identity provider (because the option ‘Use stronger coupled identity provider’ is enabled), then the user will not be forced to use the the step-up method with the highest authentication level, but can still use a different external identity provider. |
Use user's preferred step-up authentication method (last chosen) | This option is enabled by default. The step-up authentication method that was used most recently by a user gets priority, even if a method with a higher authentication level is available. |
When there are multiple step-up methods with the highest authentication level available, or the user did not define a preferred step-up method, then the prioritizing is as follows (from highest to lowest):
Order | Step-up method |
---|---|
1 (Highest) | Mobile authentication |
2 | Google Authenticator (Time based one time password) |
3 | Pin |
4 | Sms |
5 | |
6 (Lowest) | Externally delivered code |
Mobile step-up authentication¶
In this section two fields are available:
Field | Description |
---|---|
Type | Fill in the name of the mobile step-up authentication. This name needs to correspond with the name that is defined in the Token Server. For more information see the page on Mobile authentication configuration. |
Message | Fill in a message that the user sees on his or her mobile device when he or she uses step-up authentication. For more information see the page on Mobile Authentication IPA. |
Note
Visit the page on mobile step-up authentication for more information about this topic.
Minimum authentication levels¶
It is possible to set the minimum authentication level that a user requires to perform certain sensitive actions, or to see sensitive data.
Login into the Onegini Consumer Identity Access Manager -> go toSmart Security
-> click General information
-> The window 'Smart security' opens and in the section 'Minimum authentication levels' you can configure the authentication levels.
The following fields are available:
Field | Description |
---|---|
Default authentication level | Authentication level for all sensitive operations other than the other methods displayed in this window. |
Access to dashboard with personal information | Authentication level required for the user to see the dashboard with personal data. |
Allow to set initial step-up method | If enabled, this option allows users without a preferred or configured step-up authentication method to configure a step-up authentication method, regardless of the required authentication level. |
Setup step-up methods | Authentication level required for the user to setup the step-up methods. The step-up method email is not included. Email has its own setup for a step-up method (in the field 'Change email'). |
Change email | Authentication level required for the user to change his or her email address. |
Change password | Authentication level required for the user to change his or her password. |