Default adaptive MFA policy

Learn more about the configuration and best practices baked into the default Adaptive MFA policy.
The default Adaptive MFA policy is assigned automatically on a per-application basis and is in use from the moment you start using Strivacity, so there is nothing you need to do to apply baseline best-practice security to your customer accounts.
Adaptive MFA policies help enhance the security of your customers' accounts. They're also required for setting up an application.
You don't have to create an adaptive MFA policy from scratch to see it work in action. Strivacity's default Adaptive MFA policy comes with pre-configured multi-factor methods that you can apply immediately to an application.
You can find out more about creating and assigning adaptive MFA policies to applications at Creating an adaptive MFA policy and Assigning an adaptive MFA policy to an application.
Next to the default settings, you can also set up platform-based authentication, allow your customers to enroll their roaming authenticators, switch on bot, anonymous proxy / Tor, and improbable travel detection, or apply behavior analytics for recognizing trusted online behaviors.
Here's a rundown of the default adaptive MFA policy settings:
| Setting | Default value | Description |
|---|---|---|
| Adaptive MFA Policy Name | Default | This is the name the policy is referenced by in the Admin Console. |
| Adaptive MFA Policy Login Workflow | Username -> MFA -> Password | This provides a customer journey that requires the customer to provide the username as the identifier, then an MFA method, and then the password. This workflow uses the MFA method to prevent an attacker from locking out the customer's account by exceeding the permitted number of password attempts. |
| Email method | Enabled and optional | Customers can decide to enroll an email authenticator in their self-service accounts. One-time passcode and Magic Link factors are both allowed by default; their lifetime is set to 6 minutes by default. The passcode length is set to 6 characters by default. You can require customers to enroll an email address at login by setting the method to Mandatory. |
| Phone method | Enabled and optional | Customers can decide to enroll a phone authenticator in their self-service accounts. One-time passcode and Magic Link factors are both allowed by default; their lifetime is set to 6 minutes by default. The passcode length is set to 6 characters by default. You can require customers to enroll a phone number at login by setting the method to Mandatory. |
| Soft token | Enabled and optional | Customers can decide to enroll an authenticator application of their choice in their self-service accounts. The passcode length and lifetime depend on the authenticator application they're using. The Label name defaults to the brand name if the field is not filled in. You can require customers to enroll in this method by setting it to Mandatory. |
| Device recognition | Enabled | This option allows customers to mark the devices they use for login as trusted. This way they will be stepped down from any multi-factor authentication that would otherwise be required of them. Device recognition is set to last for 30 days by default. After the lifetime expires, customers will be asked to add their devices again. |
| Device recognition opt-in | Enabled | The 'Remember my device' option in the customer login journey appears with the checkbox already selected. This way customers will not forget to add their trusted devices. |
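As an added illustration (not Strivacity's code or configuration schema), the following Python model encodes the defaults from the table and shows how they play out at login: the 30-day device-recognition step-down, the 6-character / 6-minute passcode check, and why placing the MFA step before the password keeps an unauthenticated caller from exhausting the permitted password attempts. The class, the function names and the lockout threshold are assumptions made for the example.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta
import hmac

# Values from the default policy table; the names below and the lockout
# threshold are illustrative assumptions, not Strivacity's schema or API.
OTP_LENGTH = 6
OTP_LIFETIME = timedelta(minutes=6)
DEVICE_TRUST_LIFETIME = timedelta(days=30)
WORKFLOW = ("username", "mfa", "password")
MAX_PASSWORD_ATTEMPTS = 5          # assumed placeholder; not stated on the page

@dataclass
class Session:
    username: str
    now: datetime
    trusted_since: datetime | None = None   # when this device was marked trusted
    mfa_passed: bool = False

def mfa_required(s: Session) -> bool:
    """Device recognition steps the customer down from MFA until the
    30-day lifetime expires; after that the device must be added again."""
    if s.trusted_since is None:
        return True
    return s.now - s.trusted_since >= DEVICE_TRUST_LIFETIME

def required_steps(s: Session) -> list[str]:
    """Journey for this session: Username -> MFA -> Password, with the MFA
    step removed only while the device is still trusted."""
    return [step for step in WORKFLOW if step != "mfa" or mfa_required(s)]

def verify_otp(submitted: str, issued: str, issued_at: datetime, now: datetime) -> bool:
    """Email/phone one-time passcode: 6 characters, valid for 6 minutes."""
    if len(submitted) != OTP_LENGTH or now - issued_at > OTP_LIFETIME:
        return False
    return hmac.compare_digest(submitted, issued)   # constant-time comparison

def password_attempt(s: Session, password_ok: bool, failures: dict[str, int]) -> str:
    """Because MFA precedes the password, a caller who has not passed MFA never
    reaches this step, so they cannot burn the permitted password attempts and
    lock the customer out (the reason the default workflow is ordered this way)."""
    if mfa_required(s) and not s.mfa_passed:
        return "mfa_required"
    if password_ok:
        failures.pop(s.username, None)
        return "success"
    failures[s.username] = failures.get(s.username, 0) + 1
    return "locked" if failures[s.username] >= MAX_PASSWORD_ATTEMPTS else "retry"
```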