Step-up authentication
We can use protected object policies (POPs) to enforce certain access conditions on specific resources. The authentication strength policy makes it possible to control access to objects based on the authentication method.
We can use this functionality, sometimes known as step-up authentication, to ensure that users who access more sensitive resources use a stronger authentication mechanism. We might want this condition because of the greater threat of improper access to certain resources.
For example, we can provide greater security to a junctioned region of the protected object space. Apply a step-up POP policy that requires a stronger level of authentication than the client used when initially entering the domain.
The authentication strength policy is set in the IP endpoint authentication method attribute of a POP policy.
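The decision described above, modeled in Python as an added example; it is not IBM's code and not how Security Verify Access is implemented. The method names, object paths, networks, the inheritance and most-specific-network rules, and the names `Pop`, `effective_pop` and `decide` are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass, field

# Supported methods ordered weakest to strongest; the list index is the level.
# These method names are assumptions for this sketch.
LEVELS = ["unauthenticated", "password", "token"]

@dataclass
class Pop:
    """Simplified POP: required level per client network, plus a default."""
    name: str
    default_level: int = 0
    by_network: list = field(default_factory=list)  # [(ip_network, level)]

    def required_level(self, client_ip):
        addr = ipaddress.ip_address(client_ip)
        matches = [(net, lvl) for net, lvl in self.by_network if addr in net]
        if not matches:
            return self.default_level
        # Assumption: the most specific matching network decides.
        return max(matches, key=lambda m: m[0].prefixlen)[1]

def effective_pop(attachments, resource):
    """Nearest POP attached at or above the resource (assumed inheritance)."""
    parts = resource.strip("/").split("/")
    for depth in range(len(parts), 0, -1):
        pop = attachments.get("/" + "/".join(parts[:depth]))
        if pop is not None:
            return pop
    return None

def decide(attachments, resource, client_ip, current_method):
    """Return 'permit' or 'step-up:<method>' for a session's current method."""
    have = LEVELS.index(current_method)
    pop = effective_pop(attachments, resource)
    need = pop.required_level(client_ip) if pop else 0
    return "permit" if have >= need else "step-up:" + LEVELS[need]

# Constructed sample: a sensitive region needs a token, except from 10.0.0.0/8.
ATTACHMENTS = {
    "/app/payroll": Pop("payroll-pop", default_level=2,
                        by_network=[(ipaddress.ip_network("10.0.0.0/8"), 1)]),
}

if __name__ == "__main__":
    for ip, method in [("203.0.113.5", "password"), ("10.1.2.3", "password"),
                       ("203.0.113.5", "token")]:
        print(ip, method, decide(ATTACHMENTS, "/app/payroll/report", ip, method))
```

A session that already holds a stronger level than the POP requires is permitted without a new prompt; only a weaker session is asked to step up.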
- Configure levels for step-up authentication
  The first step in configuring authentication-specific access is to configure the supported authentication methods and determine the order in which these methods rank from weaker to stronger.
- Apply step-up authentication policy
  Step-up authentication is implemented through a POP policy placed on the objects requiring authentication-sensitive authorization. We can use the IP endpoint authentication method attribute of a POP policy.
- Distinguish step-up from multi-factor authentication
  Security Verify Access step-up authentication and multi-factor authentication are two different mechanisms for controlling access to resources.