Tiered Authentication
You can configure ActivID AS for tiered authentication to support increasing levels of security and more complex security policies. Tiered authentication involves the use of more than one level of authentication to enable a user to access data and carry out particular actions. For example, a system may require a user to authenticate using one method to view data and then authenticate with a different authentication record to carry out actions on that data.
ActivID AS tiered authentication enforces the need for a user to be authenticated already to a specified authentication policy before that user can authenticate successfully to another authentication policy.
When ActivID AS is configured for tiered authentication, a user’s ability to carry out transactions can be made dependent upon authentication to a level in the tier appropriate to the risk inherent in the transactions. For example, high-risk transactions can be grouped in a transaction set, and the permission for that transaction set can be linked to an authentication policy specified for a high level in the tier.
You can set up an authentication tier in the ActivID Management Console by placing the relevant authentication policies into a hierarchy consisting of a primary authentication policy and a sequence of one or more secondary authentication policies.
For example, a tiered authentication sequence might consist of three authentication policies: a primary authentication policy, AP1, followed by two secondary authentication policies, AP2 and AP3. In order for a user to authenticate using AP3, that user must first authenticate using AP1 and then AP2. In short, ActivID AS enables a user to authenticate to an increased level of security only if the user is already authenticated to the previous level(s).
Using the ActivID Management Console, you can set up and edit authentication tiers using the “Base Authentication Policy” parameter when adding or editing an authentication policy. Set the base authentication policy for the primary authentication policy to be “None.” For each of the secondary authentication policies, set the base authentication policy to be the value of the previous authentication policies in the sequence. Hence, for the above example:
- AP1.Base Authentication Policy = None
- AP2.Base Authentication Policy = AP1
- AP3.Base Authentication Policy = AP2
- You cannot delete an authentication policy that is the parent of a child authentication policy.
- Tiered authentication does not apply to logging on to ActivID AS through the ActivID Management Console.
Logging Off During Tiered Authentication
Ascending an authentication tier means a user authenticates with several different authentication records to achieve increasing levels of security in the hierarchy.
For example, in an authentication tier that comprises two levels, where the first level is the parent in the hierarchy, and the second level is the child, when a user who has authenticated to the second level logs off, ActivID AS returns the user to the parent authentication.
When the user logs off at a parent level in the hierarchy, ActivID AS automatically closes any dependent children to which the user is also authenticated further up the hierarchy.
As another example, in an authentication tier that comprises three levels, where the first level is a parent in the hierarchy, the second level is both a child and a parent, and the third level is a child, when a user has authenticated to the third level but logs off at the second level, ActivID AS:
- Closes the second-level child
- Automatically closes the third-level child
- Returns the user to the first-level parent
Logging off at the first level in the tier completely closes the ActivID AS session.
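The following is an added model of the two rule sets described above (the Base Authentication Policy hierarchy and the log-off behaviour); it is illustrative code, not ActivID AS code, and the session class, the policy names AP1–AP3 and the transaction-set mapping are assumptions constructed for the example.

```python
# Hypothetical model of tiered authentication as described in the text above.
# Not ActivID AS code; class, method and policy names are assumptions.


class TieredAuthError(Exception):
    """Raised when a tiered-authentication rule is violated."""


class TieredSession:
    """One user's session, tracking which authentication policies it holds."""

    def __init__(self, base_policy, transaction_sets):
        # base_policy: policy name -> its Base Authentication Policy (None = primary)
        # transaction_sets: transaction set name -> policy whose level permits it
        self.base_policy = base_policy
        self.transaction_sets = transaction_sets
        self.authenticated = set()

    def authenticate(self, policy):
        """Succeeds only if the policy's base policy is already authenticated."""
        base = self.base_policy[policy]
        if base is not None and base not in self.authenticated:
            raise TieredAuthError(f"{policy} requires prior authentication to {base}")
        self.authenticated.add(policy)

    def can_perform(self, transaction_set):
        """A transaction set is permitted only at its linked tier level."""
        return self.transaction_sets[transaction_set] in self.authenticated

    def children_of(self, policy):
        return [p for p, b in self.base_policy.items() if b == policy]

    def can_delete_policy(self, policy):
        """A policy that is the parent of a child policy cannot be deleted."""
        return not self.children_of(policy)

    def log_off(self, policy):
        """Close `policy` and every dependent child; return the policy the user
        is returned to (None means the whole session is closed)."""
        if policy not in self.authenticated:
            raise TieredAuthError(f"not authenticated to {policy}")
        pending = [policy]
        while pending:
            current = pending.pop()
            self.authenticated.discard(current)
            pending.extend(self.children_of(current))
        return self.base_policy[policy]


# Constructed tier from the text: AP1 (primary) -> AP2 -> AP3
TIER = {"AP1": None, "AP2": "AP1", "AP3": "AP2"}
TRANSACTION_SETS = {"view": "AP1", "high_risk": "AP3"}
```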