Dynamic Authentication Record Selection
There are two ways in which ActivID AS determines which user authentication policy/record to use when processing an authentication request:
- Explicit authentication record selection − the authentication policy is explicitly referenced within the request.
- Dynamic authentication record selection − the authentication request does not identify the authentication policy, but relies on ActivID AS to select the most appropriate authentication record.
The primary purpose of the dynamic authentication record selection feature is to facilitate the transition of users from Login-based authentication to Device-based authentication without requiring any changes in the calling application.
For example, suppose an online banking service has a population of users who access online banking with static credentials, and those users are transitioned to a two-factor method such as OTP tokens. Once the bank deploys the users' tokens and assigns the device-based authentication policy to the users, the dynamic authentication record selection will select the stronger, device-based policy/record for each user, without requiring any integration changes between the calling application and ActivID AS.
The dynamic authentication record selection follows a very simple set of immutable rules to determine which authentication record is applied for an authentication.
First, the dynamic authentication record selection will always select an authentication record based on a Device type policy over one based on a Login type policy, as long as there is a device-based authentication record available that meets all of the following conditions:
- Has an enabled status
- Has a Valid From date less than or equal to the current date
- Has a Valid To date greater than or equal to the current date
In the event that a user has more than one device-based authentication record that meets those conditions, the dynamic authentication record selection algorithm selects the authentication record with the most recent Valid From date.
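The selection rules above, modelled as an added example (not ActivID AS code) over a constructed user with one static-password record and several OTP token records. The `AuthRecord` type, the record names, the reference date and the fallback to a login-based record when no device-based record qualifies are all assumptions made for illustration; the page does not describe the fallback or how ties on Valid From are broken.

```python
from dataclasses import dataclass
from datetime import date
from typing import Iterable, Optional


@dataclass(frozen=True)
class AuthRecord:
    """One authentication record assigned to a user (constructed model)."""
    name: str
    policy_type: str   # "device" or "login"
    enabled: bool
    valid_from: date
    valid_to: date


def is_eligible(rec: AuthRecord, today: date) -> bool:
    """The three conditions a record must meet to be selectable."""
    return rec.enabled and rec.valid_from <= today <= rec.valid_to


def select_record(records: Iterable[AuthRecord], today: date) -> Optional[AuthRecord]:
    """Model of dynamic selection: device-based records win over login-based ones;
    among several eligible device records, the most recent Valid From wins."""
    eligible = [r for r in records if is_eligible(r, today)]
    devices = [r for r in eligible if r.policy_type == "device"]
    if devices:
        # Ties on Valid From are not covered by the documented rules; max() keeps
        # the first of equal candidates, which is an arbitrary but stable choice.
        return max(devices, key=lambda r: r.valid_from)
    # Assumption (not stated on the page): when no device record qualifies, the
    # selection falls back to an eligible login-based record, if there is one.
    logins = [r for r in eligible if r.policy_type == "login"]
    return max(logins, key=lambda r: r.valid_from) if logins else None


TODAY = date(2024, 6, 1)  # constructed reference date

# Constructed user: one static-password record plus several OTP token records.
SAMPLE_RECORDS = [
    AuthRecord("static-password", "login", True, date(2020, 1, 1), date(2099, 12, 31)),
    AuthRecord("otp-token-old", "device", True, date(2023, 1, 1), date(2099, 12, 31)),
    AuthRecord("otp-token-new", "device", True, date(2024, 3, 1), date(2099, 12, 31)),
    AuthRecord("otp-token-future", "device", True, date(2024, 9, 1), date(2099, 12, 31)),  # not yet valid
    AuthRecord("otp-token-disabled", "device", False, date(2024, 5, 1), date(2099, 12, 31)),  # disabled
]

if __name__ == "__main__":
    chosen = select_record(SAMPLE_RECORDS, TODAY)
    print(chosen.name if chosen else "no eligible record")  # otp-token-new
```

Removing the newest token record makes the older enabled token win, and removing every eligible device record drops the user back to the static-password record, which is the transition behaviour the section describes.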