Adaptive multi-factor authentication
Learn how to set up and use an Adaptive MFA policy to enhance the security of your portal or web application.

Adaptive MFA (Multi-factor Authentication) enhances the security of your portal or web application using a combination of risk analysis techniques and multi-factor authentication.
An Adaptive MFA Policy contains the following settings:

Strivacity provides several login workflows for you to choose from depending upon the customer journey that you wish to create.
Because a login workflow is defined per Adaptive MFA policy, you can have multiple Applications, each with its own Login Workflow, giving you the flexibility to provide different customer journeys per application.
Find more information about login workflows here.

Multi-Factor Authentication (MFA) provides an additional layer of security beyond just a (single factor) username and password-based authentication.
Multi-Factor Authentication protects your customers against threats such as:
  • Account takeover
  • Unauthorized account access
  • Fraudulent transactions
  • Account hijacking
Strivacity Fusion provides the following MFA methods:
| Method Type | Security Posture | Ease of Adoption | Coverage | Usability |
|---|---|---|---|---|
| Password | Weak | Easy | Broad | Easy |
| Voice Call OTP | Moderate | Easy | Broad | Medium |
| SMS OTP | Moderate | Medium | Broad | Medium |
| Email OTP | Moderate | Medium | Broad | Medium |
| SMS Magic Links | Strong | Easy | Medium | Easy |
| Email Magic Links | Moderate | Easy | Broad | Easy |
| Google Authenticator or other Soft Token | Strong | Medium | Medium | Medium |
| FIDO2 Platform Biometric Authenticator | Strong | Easy | Medium | Easy |
| FIDO2 Security Key | Strong | Medium | Broad | Easy |

Strivacity provides a fully included and managed SMS and Voice Call service with global coverage. No further configuration or need to subscribe with a third-party service provider is required - meaning that there is nothing additional to configure or set up to start using Strivacity supported phone-based Multi-Factor Authentication methods.
See Customizing SMS Templates for more information on how to use your own branding and customize the way in which SMS messages are sent.

Strivacity provides a fully included and managed Email service. No further configuration or need to subscribe with a third-party service provider is required - meaning that there is nothing additional to configure or set up to start using Email notifications or supported Email-based Multi-Factor Authentication methods.
See Customizing Email Templates for more information on how to use your own branding and customize the way in which Email messages are sent.

Soft token authentication support allows your customers to use the one-time passcode generator app of their choice.
Customers download the authenticator app to their phone, enroll the application in their self-service portal, and use the available temporary one-time passcode to authenticate. Because customers only have to install an application, they don't need to provide their email address or phone number to receive passcodes. Automatic token renewal is not only secure but also supplies customers with new passcodes without them having to send a request.

FIDO2 is a standards-based protocol that enables device-based authentication. Leveraging their everyday devices, users can authenticate with biometrics – fingerprint, face-scan, or voice recognition – or a physical security token of choice.
Ever since the FIDO Alliance entered the scene, more and more devices ship with FIDO-compliant platform authentication systems, such as Android, Windows Hello, and Apple Touch ID and Face ID, or support roaming authenticators such as YubiKey and Google security keys.
Compared to the rest of the existing authentication methods, device-based authentication requires the least effort from customers, which also equals less friction during enrollment and login journeys.
You can tap into the secure and convenient device-based authentication solutions customers already have at their command with Strivacity FIDO authentication support.

Strivacity Fusion Adaptive MFA policies include several risk analysis techniques that can adjust and enhance your customer's registration or login journey.

Strivacity includes several workflow options that can be used where they make sense during registration, login, or password reset.
| Outcome | Description |
|---|---|
| Step-up Authentication | When risk is detected during authentication, a step-up authentication can be triggered. This only applies where Multi-Factor Authentication is configured and will require the customer to respond to a Multi-Factor Authentication challenge. |
| Deny Authentication or Registration | When risk is detected during authentication (log in), or during self-service registration, the request can be denied, meaning the customer will not be allowed to proceed because the risk level is deemed to be too high. |
| Redirection | When risk is detected during authentication (log in), or during self-service registration, the customer can be redirected to an alternative URL (web page) of the admin user's choosing. |

Adaptive MFA policies come with out-of-the-box fraud mitigation tools to protect your customers and brand from fraudulent actors.
Out-of-the-box fraud mitigation tools

Login attempts from malicious bots comprise around 34% of all login attempts on the web. Strivacity's bot detection shields your brand from unwanted consumer bots by analyzing the IP address of authentications and registrations to differentiate between human and non-human traffic.
You can set up blocking or step-up rules to deal with the detected threats for logins, and blocking rules only for registrations. Each rule offers two levels of risk mitigation: normal and high. Pick the protection level that's best for your situation.

Some users hide behind an anonymous proxy server or Tor exit node to conceal their real IP addresses. This makes it impossible to accurately verify these users' geographical whereabouts.
Strivacity's anonymous proxy detection allows you to be confident that only customers with a traceable online presence will have access to your applications. It does this by halting requests coming from hidden IP addresses before users can continue to your services.
You can choose to block or step-up customers who try to log in from anonymous proxy servers or Tor exit nodes.

Many customers log in from the same location or at a similar time of day or week. Strivacity's behavior analytics uses machine learning to analyze time and location data to reduce friction in your customer's login experience while still providing the high-level security everybody expects.
You can enable behavior analytics in your applications to identify trusted customer behavior. If customers log in from their usual location and time, they will be stepped down from an otherwise required additional factor of authentication.

Malicious actors engaged in account takeover activities are often not logging in from the same location as a customer. Strivacity's improbable travel detection combines time/date information with a customer's past and current location to perform a travel velocity calculation. Put simply: 'could a customer have traveled from point A to point B within the period of time between logins?' If 'yes', then the login may be legitimate. If 'no', then the login is suspicious and some action should be taken.
Improbable travel detection protects against account takeover without compromising a customer's login experience. It effectively denies access to an attacker that may have attempted to compromise a customer's account.
With improbable travel detection you can:
1) Step-up authentication - if multi-factor authentication is enabled and an existing customer logs in from a location and the likelihood of that distance traveled from the last location seems low, you can step up the customer and ask them for an additional factor as an additional step of verification.
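The travel velocity check described above, as an added Python example (not Strivacity's implementation). The 900 km/h speed ceiling, the 50 km noise floor and the sample logins are assumptions chosen for illustration.

```python
import math
from dataclasses import dataclass
from datetime import datetime, timezone

EARTH_RADIUS_KM = 6371.0
# Assumption: roughly airliner cruising speed; not a Strivacity setting.
MAX_PLAUSIBLE_KMH = 900.0
# Assumption: IP geolocation is imprecise, so short hops are never flagged.
MIN_DISTANCE_KM = 50.0


@dataclass(frozen=True)
class Login:
    when: datetime  # timezone-aware timestamp of the login
    lat: float      # latitude resolved from the source IP
    lon: float      # longitude resolved from the source IP


def haversine_km(a: Login, b: Login) -> float:
    """Great-circle distance between two login locations."""
    p1, p2 = math.radians(a.lat), math.radians(b.lat)
    h = (math.sin((p2 - p1) / 2) ** 2
         + math.cos(p1) * math.cos(p2)
         * math.sin(math.radians(b.lon - a.lon) / 2) ** 2)
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(h))


def travel_decision(prev: Login, cur: Login) -> str:
    """Return 'allow' or 'step_up' for the current login."""
    distance = haversine_km(prev, cur)
    if distance < MIN_DISTANCE_KM:
        return "allow"
    hours = (cur.when - prev.when).total_seconds() / 3600
    if hours <= 0:
        # Far apart at the same instant (or out of order): cannot be travel.
        return "step_up"
    return "step_up" if distance / hours > MAX_PLAUSIBLE_KMH else "allow"


def utc(*args) -> datetime:
    return datetime(*args, tzinfo=timezone.utc)


# Constructed sample logins (not real customer data).
LONDON_0900 = Login(utc(2024, 5, 1, 9, 0), 51.5074, -0.1278)
LONDON_0905 = Login(utc(2024, 5, 1, 9, 5), 51.5155, -0.0922)
NEW_YORK_1000 = Login(utc(2024, 5, 1, 10, 0), 40.7128, -74.0060)
NEW_YORK_NEXT_DAY = Login(utc(2024, 5, 2, 9, 0), 40.7128, -74.0060)
```

London to New York in one hour implies a speed far above the ceiling and is stepped up; the same trip a day later, or a move within London, is allowed.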

Strivacity's geolocation detection resolves IP addresses to physical locations using a highly accurate and frequently updated resolution database.
Why is this useful? Geolocation detection allows brands to specifically allow or deny customer registration or logins from any geography where they do or do not want customers to use their application or website. This helps reduce attack surface and helps meet any requirements or laws governing where an application or website can be accessed from.
This capability allows an admin to change the customer journey based on specific locations at a granular level - the Entire World, Country, State, and City levels - with worldwide coverage.
When configuring geolocation detection, the most restrictive options will always apply. For instance, if you deny registration/authentication from the UK (Country), and then allow registration/authentication from Sheffield (a City within the UK) then any registration or authentication requests from Sheffield will still be denied.
With geolocation detection you can:
1) Allow registration/authentication - the ability to define an allowed list of physical locations that a customer can self-register from or log in from.
2) Step-up authentication - if multi-factor authentication is enabled and an existing customer logs in from a location that you deem risky, you can step up the customer and ask them for an additional factor as an additional step of verification.
3) Redirect registration/authentication - the ability to redirect any customer registration or authentication to a URL of your choosing if the customer is in a specific country/state/city.
4) Deny registration/authentication - the ability to deny any customer registration or authentication from a location that you deem risky.
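The "most restrictive option applies" rule from the UK/Sheffield case above, as an added Python example (not Strivacity's code or configuration format). The rule shape, the relative ranking of step-up and redirect, and the allow default when nothing matches are assumptions; `most_specific` is included only to contrast the precedence an admin might wrongly expect.

```python
from typing import NamedTuple, Optional

# Assumed ordering, least to most restrictive. The page states only that the
# most restrictive option wins, not how step-up and redirect compare.
RESTRICTIVENESS = {"allow": 0, "step_up": 1, "redirect": 2, "deny": 3}


class Location(NamedTuple):
    country: str
    state: str
    city: str


class Rule(NamedTuple):
    action: str
    country: Optional[str] = None  # None at every level means "Entire World"
    state: Optional[str] = None
    city: Optional[str] = None

    def matches(self, loc: Location) -> bool:
        # A level left as None is a wildcard; set levels must match exactly.
        return all(want is None or want == have
                   for want, have in zip(self[1:], loc))


def evaluate(rules, loc, default="allow"):
    """Most restrictive action among all rules that match loc."""
    matched = [r.action for r in rules if r.matches(loc)]
    if not matched:
        return default  # assumption: no matching rule means no restriction
    return max(matched, key=RESTRICTIVENESS.__getitem__)


def most_specific(rules, loc, default="allow"):
    """Contrast only: the 'narrowest rule wins' precedence that does NOT apply."""
    matched = [r for r in rules if r.matches(loc)]
    if not matched:
        return default
    return max(matched, key=lambda r: sum(v is not None for v in r[1:])).action


# Constructed policy mirroring the page's UK/Sheffield example.
POLICY = [
    Rule("deny", country="GB"),
    Rule("allow", country="GB", state="England", city="Sheffield"),
    Rule("step_up", country="US", state="Nevada"),
]
SHEFFIELD = Location("GB", "England", "Sheffield")
```

`evaluate(POLICY, SHEFFIELD)` returns `deny` while `most_specific(POLICY, SHEFFIELD)` returns `allow`, which is why a city-level allow cannot be used to carve an exception out of a country-level deny.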

Strivacity known device detection uses device recognition techniques and a browser cookie to remember a known device upon a successful authentication using Adaptive MFA.
Once a user has been verified and the cookie stored, they will not be asked to provide another Multi-Factor Authentication method until:
1) The known device lifetime (default is 30 days and can be configured in the Adaptive MFA policy) expires because the customer has not logged in.
2) Other risk is detected via any of Strivacity Fusion's other risk analysis techniques. In this situation, the existing known device cookie is revoked when the customer is stepped up.
This approach helps ensure a good balance of customer experience and risk analysis. Fusion will only prompt the customer again for a Multi-factor Authentication method when absolutely needed - avoiding adding any additional friction unless needed.

Fusion provides a Breached Password service that can perform risk analysis against a customer password. This helps protect against:
1) Credential stuffing attacks - in the event that a customer is trying to use/re-use a password with their same identifier where that password has been previously breached, Breached Password Detection will prevent them from re-using that password and will disallow that breached password from being used.
2) Account takeover - in the event that a customer's identifier and password are part of a known breached corpus, Breached Password Detection will prevent them from re-using that password and will disallow that breached password from being used.
Breached Password Detection's analysis of customer passwords occurs at any of the following points in the account lifecycle:
1) During customer registration (customer attempts to provide a previously breached password)
2) During a password reset (customer attempts to re-use a previously breached password)
3) During a customer password change (customer attempts to re-use a previously breached password)
4) During an administrative password reset or change (via the Admin Console)