Strong authentication maturity

Jump to bottom

Alexander Filipin edited this page Jul 19, 2021 · 9 revisions

Our goal is to establish a strong identity on a trustworthy device, in some edge-cases (see BYOD approaches) we might want to allow usage of an untrusted device but add additional controls e.g. DLP on top of it. The following is just one example how the journey could look like, the timing can also be slightly different e.g. trustworthy devices before the MFA rollout.

Maturity 1: No MFA rollout, maybe some trustworthy devices

Trusted Location OR Trusted Device OR MFA (for all apps)
AND Context based tightening (e.g. require MFA for a specific app, MFA rollout for a subset of users like admins, DLP controls for some apps)

Maturity 2: MFA rollout, maybe some trustworthy devices

Trusted Location OR Trusted Device
- Context based exceptions, possibly with session controls or app protection
AND Risk based MFA

Maturity 3: MFA rollout & trustworthy devices

Trusted Device
- Context based exceptions, possibly with session controls or app protection
AND Risk based MFA

Maturity 4: MFA rollout & trustworthy devices & WHFB rollout

Trusted Device
- Context based exceptions, possibly with session controls or app protection
AND Always MFA: Only with WHFB/FIDO2 login on devices for MFA claim in PRT, this prevents MFA fatigue