Login Conditions for Login Policies
You can configure an authentication method for each of the following elements.
Authentication methods can be configured for both trusted networks and non-trusted networks.
| Option | Description |
|---|---|
| First Element | Select the first authentication method. |
| Second Element | Select the authentication method to use after the first element has been authenticated successfully. If none is selected, login succeeds as soon as the first element is authenticated. |
| Third Element | Select the authentication method to use after the second element has been authenticated successfully. If none is selected, login succeeds as soon as the second element is authenticated. |
[ Reference ]
If multiple authentication methods have been selected for the first or second element, the user can select which of the authentication methods to be used for login.
Refer to "When the Authentication Method Selection Screen Appears" in "IIJ ID Service Manual [For Users]" for more information.
The authentication methods that can be selected with the login rule are as follows.
| Option | Description | Comments |
|---|---|---|
| FIDO2 | Authentication is performed using a device that supports FIDO2 (for example, a security key such as Security Key by Yubico, or Windows Hello). Can be set for the first or second element. | Requires subscription to the Multi-Factor Authentication Option. |
| Password | Authentication is performed using the password registered with IIJ ID. Can be set for the first element only. | |
| Upstream ID provider (Upstream IdP) | Authentication is performed using the upstream ID provider. | Requires a contract for the Premium Federation Option or Integrated Windows Authentication. The upstream ID provider(s) must also be registered. Refer to "Adding Upstream ID Providers" for more information. |
| Email one-time password (Email OTP) | Authentication is performed using the one-time password sent to the notification email address. Can be set for the first or second element. | Requires subscription to the Multi-Factor Authentication Option. |
| Device certificate | Authentication is performed using the key pair (certificate and private key) of the device certificate. Can be set for the second or third element. | Requires subscription to the Multi-Factor Authentication Option. |
| SmartKey | Authentication is performed using the IIJ SmartKey application. Can be set for the second element only. | Requires subscription to the Multi-Factor Authentication Option. |
When you configure FIDO2 as the authentication method, the following options can be set in addition.
| Option | Description | Comments |
|---|---|---|
| Allow security key registration at login | Displays the security key registration screen at the time of FIDO2 authentication. (It is not displayed once the maximum number of registered security keys has been reached.) We recommend using this option only temporarily, for example enabling it only until a new user's initial login is completed. (Leaving this option enabled for a long period increases the risk of an attacker registering their own security key.) | Requires subscription to the Multi-Factor Authentication Option. |
| Require the user verification feature using security keys | Makes verification of the security key by a user verification feature (PIN, fingerprint authentication, etc.) mandatory. Security keys that do not support the user verification feature can no longer be used. | Requires subscription to the Multi-Factor Authentication Option. |
When you configure a device certificate as the authentication method, the following options can be set in addition.
| Option | Description | Comments |
|---|---|---|
| Allow device registration at login (only when IIJ ID Service CA is used) | Displays the device registration screen when a device that does not have a key pair for the device certificate attempts to log in. (It is not displayed once the maximum number of registered devices has been reached.) We recommend using this option only temporarily, for example enabling it only until a new user's initial login is completed. (Leaving this option enabled for a long period increases the risk of an attacker registering their own security key.) | Requires subscription to the Multi-Factor Authentication Option. |
The following options can be selected for the login rule for non-trusted networks.
| Option | Description |
|---|---|
| Do not allow login | Login from non-trusted networks is refused. When you select "Do not allow login," you cannot configure authentication methods. |
| Allow login | Users can log in using any of the configured authentication methods. When you allow login, you need to configure the authentication methods. |
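To make the element chain, the per-method position rules and the trusted/non-trusted split concrete, here is a small model of a login rule written for this page; it is an added illustration and not IIJ's code. It encodes the allowed positions from the method table above, validates a rule before it is used, and evaluates a login attempt as the sequence of methods the user has passed so far. The page does not state which elements Upstream IdP may occupy, so restricting it to the first element is an assumption, as is the constructed sample policy at the end.

```python
"""Model of an IIJ ID login rule: up to three authentication elements, each
holding one or more methods, checked in order. Added illustration, not IIJ code."""
from dataclasses import dataclass, field
from enum import Enum


class Method(Enum):
    FIDO2 = "FIDO2"
    PASSWORD = "Password"
    UPSTREAM_IDP = "Upstream IdP"
    EMAIL_OTP = "Email OTP"
    DEVICE_CERT = "Device certificate"
    SMARTKEY = "SmartKey"


# Element positions (1 = first element) each method may occupy, per the manual's table.
# The page does not state positions for Upstream IdP; first element only is an assumption.
ALLOWED_POSITIONS = {
    Method.FIDO2: {1, 2},
    Method.PASSWORD: {1},
    Method.UPSTREAM_IDP: {1},  # assumption, see above
    Method.EMAIL_OTP: {1, 2},
    Method.DEVICE_CERT: {2, 3},
    Method.SMARTKEY: {2},
}


@dataclass
class LoginRule:
    """allow_login=False corresponds to 'Do not allow login' (non-trusted networks)."""
    allow_login: bool = True
    elements: list = field(default_factory=list)  # one set of Method per element

    def validate(self) -> list:
        """Return configuration errors; an empty list means the rule is well-formed."""
        errors = []
        if not self.allow_login:
            if self.elements:
                errors.append("'Do not allow login' rules cannot configure authentication methods")
            return errors
        if not self.elements:
            errors.append("first element must have at least one method")
        if len(self.elements) > 3:
            errors.append("at most three elements can be configured")
        for pos, methods in enumerate(self.elements, start=1):
            if not methods:
                errors.append(f"element {pos} has no method selected")
            for m in methods:
                if pos not in ALLOWED_POSITIONS[m]:
                    errors.append(f"{m.value} cannot be used for element {pos}")
        return errors


def evaluate_login(rule: LoginRule, completed: list) -> tuple:
    """Decide a login attempt given the methods the user has already passed, in order.

    Returns (success, detail). Login succeeds only once every configured element is
    satisfied; when an element offers several methods, any one of them counts.
    """
    if not rule.allow_login:
        return False, "login is not allowed from this network"
    errors = rule.validate()
    if errors:
        return False, "rule misconfigured: " + "; ".join(errors)
    for pos, methods in enumerate(rule.elements, start=1):
        if len(completed) < pos:
            choices = ", ".join(sorted(m.value for m in methods))
            return False, f"element {pos} pending (choose one of: {choices})"
        used = completed[pos - 1]
        if used not in methods:
            return False, f"{used.value} is not accepted for element {pos}"
    return True, f"authenticated with {len(rule.elements)} element(s)"


@dataclass
class LoginPolicy:
    """A policy carries one rule for trusted networks and one for non-trusted networks."""
    trusted: LoginRule
    non_trusted: LoginRule

    def rule_for(self, from_trusted_network: bool) -> LoginRule:
        return self.trusted if from_trusted_network else self.non_trusted


# Constructed sample policy: trusted networks require a password and then FIDO2 or
# SmartKey (the user picks one); non-trusted networks are set to "Do not allow login".
SAMPLE_POLICY = LoginPolicy(
    trusted=LoginRule(elements=[{Method.PASSWORD}, {Method.FIDO2, Method.SMARTKEY}]),
    non_trusted=LoginRule(allow_login=False),
)

if __name__ == "__main__":
    rule = SAMPLE_POLICY.rule_for(from_trusted_network=True)
    print(evaluate_login(rule, [Method.PASSWORD]))                   # second element still pending
    print(evaluate_login(rule, [Method.PASSWORD, Method.SMARTKEY]))  # success
    print(evaluate_login(SAMPLE_POLICY.rule_for(False), [Method.PASSWORD]))  # blocked
    print(LoginRule(elements=[{Method.SMARTKEY}, {Method.PASSWORD}]).validate())
```

Running `validate()` before a rule is saved catches the position mistakes the tables rule out (a password in the second element, SmartKey in the first), and `evaluate_login` shows why a rule with only a first element succeeds immediately while a two-element rule stays pending until the user has passed one of the second element's methods.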