Enable TFA only for specific part of the site

flukic
Explorer

Hi everyone,

We are currently discussing a requirement with a client about whether we could use TFA in a very specific situation.
Scenario would be the following:
  • End user navigates to the portal and logs in with standard CDC login
  • He can browse the portal as normal
  • When he wants to navigate to the specific part of the portal with sensitive data - TFA is triggered.
  • Only with passing the TFA, can end user navigate to this part of the portal and access the data.

Could this scenario be accomplished by leveraging the RBA/TFA of CDC?
If yes, how could this be done?
Scenario of using the RBA and performing the TFA at initial login would not be an option.
Login needs to stay as standard, until the user wants to navigate to sensitive data - when TFA should be triggered.

Thank you!

Answers (2)

samuelyang
Product and Topic Expert

Hi Filipp,

So when the user navigates to the sensitive data, your application code should be able to prompt a message for the same. And after dismissing the message, your application code can send a logout API call to CDC to log users out; then, when users try to log in again, they will be prompted for TFA.

And it's up to your application to give whatever riskScore seems appropriate to your business, and then use that riskScore value to configure the RBA rules. When users navigate away from the sensitive data, you don't need to decrease that riskScore value because you are not logging users out; they can just seamlessly continue using your app without being disrupted at all.

It is basically up to your application code to log users out and enable TFA login by increasing the riskScore of the RBA rules. CDC has no idea about your sensitive business data and flow.

Thanks!

Samuel

samuelyang
Product and Topic Expert

Hi Filip,

Reading through your scenario, the "highRisk" -> TFA rule popped up in my head, I guess you can give it a try.

So basically you can create a global RBA rule using the template "On high risk score > TFA" for all end users. And when they navigate to the sensitive parts, you can increase the riskScore value via the API through a clientContext object. If the riskScore you give is over the threshold of the RBA rule, TFA will be triggered for the end users.

Hope it helps.

former_member795079
Discoverer

Hi Samuel,

sorry for replying this late.
This potential solution that you mentioned sounds interesting.
The question is: will the user be prompted for TFA at that point? Meaning, will he be logged out and asked for TFA at that point?

Also, with this solution we would have to decrease their riskScore value when they are navigating away from the sensitive data?
I would be interested in how the solution would look in more detail.

Thank you for the answer!
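As an added illustration of the flow Samuel describes (this is not code from the thread or from SAP), here is a server-side Python sketch of the step-up gate: the application decides the riskScore on the server, passes it in the clientContext of the re-login, treats a "pending TFA" response as the step-up prompt, and then enforces access to the sensitive area from its own session state with an expiry. The threshold value, the two pending-TFA error codes and the session field name are assumptions; check them against the RBA rule you configure and the CDC error-code reference.

```python
"""Step-up TFA gate for a CDC-backed portal (added example, assumptions marked)."""
import json
import time

# Assumed: the score configured in the RBA rule "On high risk score > TFA".
RBA_TFA_THRESHOLD = 80
# Assumed CDC error codes for a login that is pending a TFA step; verify them
# against the CDC error-code reference before relying on them.
ERR_PENDING_TFA_REGISTRATION = 403101
ERR_PENDING_TFA_VERIFICATION = 403102
# How long one completed step-up covers sensitive pages before it is repeated.
STEP_UP_TTL_SECONDS = 15 * 60


def login_params(login_id, password, step_up):
    """Build the server-side accounts.login parameters.

    The riskScore is decided here, on the server, from the application's own
    knowledge of where the user is going; it is never taken from the browser.
    """
    risk = RBA_TFA_THRESHOLD + 20 if step_up else 0
    return {
        "loginID": login_id,
        "password": password,
        "clientContext": json.dumps({"riskScore": risk}),
    }


def classify_login(response):
    """Map a CDC login response to the application's next action."""
    code = response.get("errorCode", 0)
    if code == 0:
        return "logged_in"
    if code in (ERR_PENDING_TFA_REGISTRATION, ERR_PENDING_TFA_VERIFICATION):
        return "tfa_required"  # show the TFA prompt, then finish the login
    return "error"


def mark_step_up_done(session, now=None):
    """Record in the server-side session that TFA was completed (assumed field)."""
    session["tfa_verified_at"] = time.time() if now is None else now
    return session


def gate_sensitive_request(session, now=None):
    """Check the gate on every sensitive request: 'serve' if a recent step-up
    exists, else 'logout_and_step_up' (log out of CDC, re-login with high risk).
    Navigating away never clears the flag, so the user is not prompted again."""
    now = time.time() if now is None else now
    verified_at = session.get("tfa_verified_at")
    if verified_at is not None and now - verified_at < STEP_UP_TTL_SECONDS:
        return "serve"
    return "logout_and_step_up"
```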