How customers manage adaptive access

Learn more about how customers can view and manage their adaptive access settings

Overview

Adaptive access enhances the security of your portal or web application using a combination of risk analysis techniques and multi-factor authentication (MFA).

There are two ways customers can enroll in an MFA method:

  • in their self-service account under Security settings
  • while completing their sign-up or sign-in flow

For more details about how to enable MFA methods that customers can enroll in and how to prompt them to use at least one method or designated methods, review the Multi-factor methods page.

Customers can only access the MFA methods that are enabled in the application's adaptive access policy.

MFA management in the self-service account

Customers can manage their MFA methods inside Security settings:

Multi-factor authentication (MFA) screen

Every method available for customers to enroll in will show up after selecting Add New Method.

You can add or remove the self-service MFA options available to customers as part of the adaptive access policy assigned to the application. The methods customers actually see are the ones an administrator has configured in that policy.

Here's the full list of MFA enrollment options you can make available for your customers:

Add new authenticator

MFA method enrollment flows

MFA enforcement for external identity providers

You can switch on MFA for external logins and registrations. Customers with an external identity will go through the same authentication flow configured in the application's adaptive access policy as if they were using local sign-in or sign-up.

Email address

Customers provide an email address and verify it as an authenticator with the passcode they receive:

Add email authenticator

Phone number

Customers provide a phone number and verify it as an authenticator with the passcode they receive:

Add phone number authenticator

Soft token authenticator app

Customers download a soft token authenticator app to their phone, pair their device using the QR code, and verify the device with the currently available temporary passcode:

Add soft token authenticator

Platform biometric authenticators

Customers add the name of their device and then follow the setup instructions of their OS. Customers can remove their enrolled device biometrics anytime by clicking the trash icon and repeating the setup process.

Add device biometrics authenticator

Security keys

Customers add the name of their security key and then follow the instructions of their browser and/or external device. Customers can remove their enrolled security key anytime by clicking the trash icon and repeating the setup process.

Add security key authenticator

Before entering the self-service account

Oftentimes customers are asked to enroll in an authentication method at sign-up or sign-in to secure their accounts immediately. A typical authenticator enrollment during sign-up or sign-in flows looks like this:

In the scenario below, the customer is enrolling their email address as an authenticator. The enrollment experiences for other MFA methods are similar.

Use different email addresses: Customers can add a new authenticator of the same type if the adaptive access policy doesn't restrict the use of known email addresses.

Select a different method to enroll: If a customer changes their mind en route, they can return to the enrollment options with this button. Customers can select a different method 3 times before their session expires.

If an authenticator method is mandatory, other methods will not be listed for customers to enroll in (unless they're also mandatory).

When a customer changes their MFA method or adds a new one, an email notification is usually sent. However, this notification is suppressed when authenticators are added during the registration flow.