Adaptive authentication

The adaptive authentication feature is fully supported on FOS 7.0.2.

Multi-factor authentication provides more security than password-only login, but it comes at the cost of inconvenience for end-users. The adaptive authentication feature uses the available information regarding a login attempt (for example, time of day, geo-location, and so on) to evaluate the circumstantial risk of a given login attempt. The second authentication factor is required only when that risk is higher than a predetermined threshold. Furthermore, you might choose to block an authentication attempt entirely if the circumstantial risk is deemed high enough.

FortiToken Cloud (FTC) allows end-users to bypass OTP verification of MFA under certain “safer” conditions and denies such attempts under certain otherwise “riskier” conditions. Upon receiving a request to bypass the OTP verification for MFA authentication, the FTC server assesses the situation and decides whether to deny the attempt to bypass the pre-configured OTP verification of MFA based on the following conditions:

• Trusted subnet/geo-location

• Time of day/day of week

Token bypass is allowed if the end-user meets one of the following conditions:

• End-user IP address is from a trusted subnet

• End-user IP address is from a trusted geo-location

• Time is within the expected schedule

Token bypass is denied if the end-user meets one of the following conditions:

• End-user IP address is NOT from a trusted subnet

• End-user IP address is NOT from a trusted geo-location

• Time is outside of the expected schedule

This section covers the following topics:

• View adaptive authentication policies

• Create an adaptive authentication policy

• Edit an adaptive auth policy

• Delete an adaptive auth policy

• View adaptive auth profiles

• Create an adaptive authentication profile

• Edit an adaptive auth profile

• Delete an adaptive authentication profile

• Apply adaptive authentication profiles