Layer7 Access Management

Expand all | Collapse all

Step-up for user accessing from a new location

Jump to Best Answer
  • 1.  Step-up for user accessing from a new location

    Posted 01-18-2019 03:51 AM

    Hi - Is there a way that Advanced Auth can determine that a user is accessing an application from a location that he/she has never accessed from and then prompt that user for a step-up? 

  • 2.  Re: Step-up for user accessing from a new location

    Posted 02-07-2019 03:46 PM

    Yes, this is possible if you use Risk Authentication module of Advance Auth Suite.

    In Risk Authentication, you can configure flexible geographic based rules based on business need.

    Note: You need to configure Geolocation Data feed in Risk AUthentication to enable geographically based rules.

  • 3.  Re: Step-up for user accessing from a new location

    Posted 02-11-2019 12:00 AM

    Thanks for the response. I know there is an option to use geolocation data in the rules, but I am not sure how do I use it to achieve the use case listed above. We do have the feeds coming in and can use that data for Untrusted IPs. 


    To explain with an example here is the scenario :


    A user accesses an application always from his office in London. He travels to Chicago and accesses the same application. Since the user has never accessed the application from Chicago, he should be prompted for a step-up. A step-up should show up everytime the user is accessing the application from a different location other than the base location, which in this example is London.

  • 4.  Re: Step-up for user accessing from a new location
    Best Answer

    Posted 02-11-2019 12:29 PM



    There are two scenarios in your use case

    1: If all the users have the same set of base locations, configure a whitelist IP/Country rule and it will take care of it.

    2:  If each user has their own specific base location, you need you can configure a custom rule ( i.e. Custom_Location_Check)  where you should pass the base location to this custom risk rule as an additional parameter.

    This custom rule then can match the passed base location with the transaction location and if they are the same user is allowed to access the system without step-up auth.

    Note: This custom rule can be configured using OOTB Rule builder. 

  • 5.  Re: Step-up for user accessing from a new location

    Posted 02-11-2019 11:59 PM

    Got it! So, if we have the location as an attribute of the user profile, then we can define a rule that would alert if the location received is different from the location in the user profile. Would we also be able to use the location and weightage in the user's behavior profile (UBP) to determine the location where the user typically logs in from?

  • 6.  Re: Step-up for user accessing from a new location

    Posted 02-12-2019 02:04 PM

    Yes, you either store the base location attribute on user profile or fetch it using some API at runtime and use this information in the custom rule to check against location provided in the current transaction.

    UBP might not solve your use case as this more of behavior adaptive/self-learning model where for initial few attempts it may challenge the user for step-up authentication for the new location but once the user starts authenticating himself/herself form this location frequently UBP will adapt to this behavior and stop challenging user for this new location as then UBP will consider this a normal deviation for the user.

    Also, UBP for third-party integration is like a black box i.e. you might not get weight specific to location rather you will get an overall model score.


    You can compose some kind of User Location Velocity rule to determine user frequency to authenticate from a certain location ( by default OOTB rule builder provide one Action Velocticy rule composition and you should explore this area).