Creating policies for MFA enforcement

Learn how to create a policy enforcing multi-factor authentication (MFA) in Authorization Control Plane (ACP) in order to assign it as an additional protection layer for user authentication and grant assignments.

About MFA policies

When an MFA policy is evaluated, it requires the user to raise their level of identity assurance by proving possession of a one-time password (OTP) delivered to them by SMS message or e-mail. If the user does not provide that proof, the request fails.

For more information on the MFA concept itself, read Transactional MFA with ACP.

Prerequisites

  • Access to an ACP tenant with Demo application and Sandbox IDP enabled for testing purposes. Your Sandbox IDP user must have MFA enabled.

  • When a non-sandbox IDP is used, IDP claims must provide the user’s e-mail address and/or phone number. These claims must be mapped to their corresponding authentication context attributes: email, email_verified, phone_number, phone_number_verified. For more information, see Setting up authentication context.

Define MFA policy

You’re going to create an MFA policy which always asks for additional verification upon user login. You’ll test this policy in a Demo application.

Define Cloudentity MFA policy

The video below shows how to create an MFA policy, assign it to an application, and verify that your policy works.

Note

A similar Cloudentity policy exists in ACP by default, under the name MFA User.

  1. In your workspace, select Policies -> CREATE POLICY from the sidebar.

  2. In the Create Policy popup window

    1. Select the User policy type from the dropdown menu.

      Note

      ACP provides several policy types in its editor. These types group policies by their intended use, so a policy of a given type can only be assigned in its dedicated area. For example, a user policy cannot be used to restrict client assignments. In the case of MFA, you need to create a User policy.

    2. Specify the Policy name.

    3. Select Cloudentity as the Policy language.

    4. Select Create.

    5. Add the MFA validator in the policy editor (Add validator -> Authentication factors -> MFA validator). Save your changes.

      Result

      Your policy is now ready and can be assigned to an application.

  3. Select Applications -> Demo from the sidebar.

  4. Assign your newly created policy in the User policy field and save your changes.

  5. Log in to the Demo application and verify that the policy is applied. You should get prompted to validate yourself via one of the available MFA methods.

Define Rego MFA policy

If you want to use MFA in a Rego policy, repeat the procedure above, but select Rego as the policy language instead of Cloudentity. In the Rego policy editor, add the following items:

  • MFA check before the policy can pass - input.login.verified_recovery_methods[_] = "mfa"

  • MFA as a recovery step - recovery = ["mfa"]

The policy below always asks for MFA verification when validated: as long as the user has not yet completed MFA, allow is false and the recovery rule tells ACP to trigger the MFA step. When ready, your policy should look as follows:

package acp.authz

# Deny unless a rule below explicitly allows the request.
default allow = false

# Pass only when "mfa" is among the recovery methods the user has already verified.
allow {
    input.login.verified_recovery_methods[_] = "mfa"
}

# When allow is false, ACP runs these recovery steps (here, the MFA challenge).
recovery = ["mfa"]
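To check the policy offline before assigning it in ACP, you can unit-test it with the OPA CLI. The test file below is an added example, not part of the original page or Cloudentity's own code; the input documents are constructed here from the input.login.verified_recovery_methods shape the policy above reads, and the file names policy.rego and policy_test.rego are assumptions.

```rego
# policy_test.rego (constructed example, same package as the policy so the
# rules are in scope). Run alongside policy.rego, which holds the policy above.
package acp.authz

# Login where the user has already completed the MFA challenge: must pass.
test_allow_when_mfa_verified {
    allow with input as {"login": {"verified_recovery_methods": ["mfa"]}}
}

# Other verified methods without "mfa" must not satisfy the policy.
test_deny_when_other_methods_only {
    not allow with input as {"login": {"verified_recovery_methods": ["password"]}}
}

# First pass through the policy, before any recovery has run: must be denied.
test_deny_when_no_methods_verified {
    not allow with input as {"login": {"verified_recovery_methods": []}}
}

# Missing login context must fail closed rather than error into allow.
test_deny_when_login_missing {
    not allow with input as {}
}

# The recovery step ACP should trigger on denial is exactly the MFA challenge.
test_recovery_is_mfa {
    recovery == ["mfa"]
}
```

Run the tests with opa test policy.rego policy_test.rego -v. The policy uses the legacy (pre-1.0) Rego syntax shown on this page; with OPA 1.x, add the --v0-compatible flag or rewrite the rules with the if keyword.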

Having defined an MFA policy, you may be interested in the following articles: