Risk-based authentication is the ability to take the context of the authentication process into account and react accordingly, by raising the authentication challenge (second factor, email confirmation) or by triggering out-of-band actions (email notifications, alerts, ...).
Not all of the features presented on this page are natively supported by LemonLDAP::NG; the missing ones can be added through custom plugins or configuration.
The authentication context can include:
- Source IP address
- Access time
- Previous authentications (history)
- Using the same browser as previous logins
Reactions can include:
- Triggering or skipping the second factor
- Sending an email to warn the user of a suspicious login
- Denying the attempt if the suspicion level is too high
Implementation in LemonLDAP::NG
LemonLDAP::NG uses the _riskLevel and _riskDetails session variables to keep track of the risk associated with the current authentication.
Detection plugins will raise or lower the risk level, and store fine-grained details in the risk details object.
Action plugins may use the risk level to trigger certain actions, and can translate the risk detail items into user-friendly messages.
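As an added illustration (this is example code written for this page, not a plugin shipped with LemonLDAP::NG), here is a minimal detection plugin that raises _riskLevel by one when the client connects from a source IP that never appears in the user's successful login history. It assumes the login history plugin is enabled and has already filled `_loginHistory` (with an `ipAddr` key per entry) by the time the `afterData` hook runs, and it assumes `_riskDetails` is a hash of detail name to value; the package name `RiskNewIp` is arbitrary.

```perl
# Example detection plugin for risk-based authentication (added example,
# not part of LemonLDAP::NG). Raises _riskLevel when the source IP of the
# current login has never been seen in the user's successful login history.
package Lemonldap::NG::Portal::Plugins::RiskNewIp;

use strict;
use warnings;
use Mouse;
use Lemonldap::NG::Portal::Main::Constants qw(PE_OK);

extends 'Lemonldap::NG::Portal::Main::Plugin';

# afterData runs once the user is authenticated and session data has been
# collected, so _loginHistory (filled by the History plugin) is available here.
use constant afterData => 'checkSourceIp';

sub init { return 1; }

sub checkSourceIp {
    my ( $self, $req ) = @_;
    my $info = $req->sessionInfo;

    # Make sure the risk variables always exist, so that an activation rule
    # such as "$_riskLevel > 0" compares against a number, never undef.
    $info->{_riskLevel}   //= 0;
    $info->{_riskDetails} //= {};    # assumed layout: { detailName => value }

    # Successful logins recorded by the History plugin (assumption: each
    # entry carries the client address under the 'ipAddr' key).
    my $history = $info->{_loginHistory}{successLogin} || [];

    # First login ever: nothing to compare against, leave the risk unchanged.
    return PE_OK unless @$history;

    my $current = $req->address;
    my $seen    = grep { defined $_->{ipAddr} && $_->{ipAddr} eq $current } @$history;

    unless ($seen) {
        $info->{_riskLevel} += 1;
        $info->{_riskDetails}{newIp} = $current;
        $self->logger->info(
            "Risk level raised to $info->{_riskLevel} for $info->{_user}: "
              . "unknown source IP $current" );
    }
    return PE_OK;
}

1;
```

Action plugins can then read `$req->sessionInfo->{_riskDetails}{newIp}` to build a user-facing message. The plugin is loaded like any other custom portal plugin, through the customPlugins parameter (for example `customPlugins = ::Plugins::RiskNewIp` in the portal section of lemonldap-ng.ini); because the detail is only a single IP, a later plugin that lowers the risk (same browser, known device) can simply decrement `_riskLevel` and delete the `newIp` key.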
Forbidding/triggering second factors
You can use the following activation rule on a second factor to trigger it only when the risk level is high:
$_riskLevel > 0
Or, if you use self-registration, so that users who have not enrolled a TOTP device yet are not asked for one they cannot provide:
has2f('TOTP') and $_riskLevel > 0