Distinguish step-up from multi-factor authentication

Security Verify Access step-up authentication and multi-factor authentication are two different mechanisms for controlling access to resources.

Multi-factor authentication forces a user to authenticate with two or more levels of authentication. For example, the access control on a protected resource can require the user to authenticate with both user name and password (level 1). The access control can also require the user to authenticate with user name and token passcode (level 2).

Security Verify Access step-up authentication relies on a pre-configured hierarchy of authentication levels and enforces a specific level of authentication according to the policy set on a resource. Step-up authentication does not force the user to authenticate with multiple levels of authentication to access any specified resource. Instead, step-up authentication requires the user to authenticate at a level at least as high as the level required by the policy that protects the resource. The following example shows the series of commands that are needed to define step-up authentication:

pdadmin > pop create test1
pdadmin > pop modify test1 set ipauth anyothernw 1
pdadmin > pop attach /WebSEAL/hostA/junction test1

pdadmin > pop create test2
pdadmin > pop modify test2 set ipauth anyothernw 2
pdadmin > pop attach /WebSEAL/hostA/junction/applicationA test2

In the previous example, the /WebSEAL/hostA/junction object is protected by a POP requiring authentication level 1. The /WebSEAL/hostA/junction/applicationA object is protected by a POP requiring authentication level 2.

Under step-up authentication, user name/password (level 1) authentication is required to access /WebSEAL/hostA/junction.

However, user name/token passcode (level 2) authentication is required to access /WebSEAL/hostA/junction/applicationA. If the user is currently logged in with a user name and password, a prompt appears requesting user name and token passcode information (the step-up). However, if the user initially logged in to WebSEAL with a user name and a token passcode, access to applicationA is immediate, assuming a successful ACL check.

Multi-factor authentication requires both level 1 and level 2 authentication for access to applicationA.
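The two decision rules above, as an added model in Python that is not part of Security Verify Access or its documentation: the POP levels mirror the pdadmin commands in the text, while the level-to-mechanism mapping, the assumption that a POP attached to an object also covers its children, and a passing ACL check are assumptions.

```python
# Illustrative model of step-up versus multi-factor access decisions; added
# example, not Security Verify Access code. Policy values mirror the pdadmin
# commands above; the mechanism names per level are an assumption.
from typing import Dict, Iterable, List, Tuple

POPS: Dict[str, int] = {"test1": 1, "test2": 2}      # POP name -> ipauth level
ATTACHMENTS: Dict[str, str] = {                      # object -> attached POP
    "/WebSEAL/hostA/junction": "test1",
    "/WebSEAL/hostA/junction/applicationA": "test2",
}
# Assumed authentication hierarchy configured on the WebSEAL instance.
LEVELS: Dict[int, str] = {1: "password", 2: "token"}


def required_level(obj: str) -> int:
    """Level of the nearest POP walking up the object space (assumes a POP on an
    object also applies to its children unless a child has its own POP)."""
    parts = obj.strip("/").split("/")
    for depth in range(len(parts), 0, -1):
        pop = ATTACHMENTS.get("/" + "/".join(parts[:depth]))
        if pop is not None:
            return POPS[pop]
    return 0  # no POP in the ancestry: no authentication level enforced


def step_up_decision(current_level: int, obj: str) -> Tuple[bool, List[int]]:
    """Step-up: the session's level must be at least the required level.
    Returns (allowed, levels the user would be prompted for)."""
    needed = required_level(obj)
    if current_level >= needed:
        return True, []
    return False, [needed]  # one prompt at the required level (the step-up)


def mfa_decision(completed: Iterable[int], obj: str) -> Tuple[bool, List[int]]:
    """Multi-factor: every level up to the required one must have been
    completed, whatever the order in which the user authenticated."""
    needed = required_level(obj)
    done = set(completed)
    missing = [lvl for lvl in range(1, needed + 1) if lvl not in done]
    return not missing, missing


if __name__ == "__main__":
    app = "/WebSEAL/hostA/junction/applicationA"
    # Token-only login (level 2): immediate under step-up, still needs password under MFA.
    print("step-up:", step_up_decision(2, app))   # (True, [])
    print("mfa:    ", mfa_decision({2}, app))      # (False, [1])
    # Password-only session (level 1) reaching applicationA triggers the step-up prompt.
    print("step-up:", step_up_decision(1, app))   # (False, [2])
```

Objects below the junction without their own POP (applicationB, say) inherit level 1 in this model, which is the check a practitioner would want when reviewing where a step-up boundary actually falls.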
