Authentication policies in Intelligent Adaptive Authentication

Authentication policies are workflows that dictate the authentication mechanisms to execute, i.e., they specify various login settings which can affect how a user can log in to a specific site, and how the login is handled by Intelligent Adaptive Authentication.

Policies may be set up in a hierarchy, where a policy will inherit most of its attributes from a parent policy, but with some modifications for a slightly different scenario. At the top of this hierarchy is a given parent or base policy—not necessarily the default Base Policy.

Intelligent Adaptive Authentication hosts a number of default and pre-defined authentication policies. For information about the policies' default settings and setting descriptions, see the articles of the specific policies.

Impacts of changing policy parameters

Changing policy settings can impact the following security-related areas:

  • Static password strength rules determining the password length and/or age

    (This applies to both administrator and user passwords.)

  • User account expiration due to inactivity

    (Currently disabled in the Base Policy.)

  • Authentication scope of one-time passwords

    • Limitation of the number of OTPs to be considered when validating an OTP for the first time (initial_window and event_window parameters)

    • Limitation on the number of authenticator applications to be considered when an OTP is validated (dp_type_limit parameter)