Introduction
Multifactor authentication helps increase your security posture within HelloID. It is configured using Portal Access Rules. This article will walk you through an example scenario in which the organization considers logins from the local network as safe, but wants other logins to face an additional challenge.
Define the desired behavior
Consider the login options available to the organization. Are there multiple IdPs available? What are the work habits of your users? Is there a reasonable need for access off-site or off-hours?
Our example scenario will cover three access levels:
- General use: A "normal" onsite user
- Sensitive access: Onsite users who have access to privileged resources
- Offsite: Anyone accessing HelloID from an uncontrolled environment
Implement the policies
Go to Security > Policies > Portal Access Rules and select the Add access rule button.
Configure the 'General use' example
Tab | Setting |
Perform Action | Permit Access |
When Accessing | Relevant IdP |
From Network | Select "IP Restriction for these IP ranges"; enter the public IP address(es) of the organization |
Rule Name | Enter a name or accept the suggestion |
Note: Before enabling this, or any other, access rule, double check the settings and ensure that administrative accounts will retain access after the application of the rule. Consider creating a "break-the-glass" local account for emergency use.
Configure the 'Sensitive access' example
Create a new policy with the above settings and these additions:
Tab | Setting |
By People | Select group(s) with sensitive application access |
Two-Factor | Enable |
Learn more about available 2FA options.
Configure the 'Offsite' example
This policy is both a blend and an inversion of the previous two. Create a new policy and set these options:
Tab | Setting |
Perform Action | Permit Access |
When Accessing | Relevant IdP |
From Network | Select "Apply this rule on all IP ranges except"; enter the public IP address(es) of the organization |
By People | Leave blank or select an 'All Users' type of group |
Two-Factor | Enable & configure as desired |
Rule Name | Enter a name or accept the suggestion |
Summary
We now have three unique portal access policies that improve security and provide accommodations for different access levels. By creating multiple portal access rules that allow or deny individual conditions and setting rule priorities, you can implement nearly any scenario needed.
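Because the 'General use' and 'Sensitive access' rules both match onsite logins, their relative priority decides whether privileged users are actually challenged. The following sketch is an added example, not HelloID code: it models the three rules under the assumption that rules are checked in priority order and the first match wins, and the IP ranges and group names are constructed.

```python
import ipaddress
from dataclasses import dataclass

# Constructed values: documentation-range IPs and made-up group names.
ORG_NETS = [ipaddress.ip_network("203.0.113.0/24")]

@dataclass
class Rule:
    name: str
    onsite: bool        # True: only ORG_NETS; False: all ranges except ORG_NETS
    groups: frozenset   # empty set = applies to everyone
    two_factor: bool

def is_onsite(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ORG_NETS)

def evaluate(rules, ip, user_groups):
    """Return (rule name, 2FA required) for the first matching rule, or None.

    Assumption: rules are checked in priority order and the first match wins.
    """
    for rule in rules:
        if rule.onsite != is_onsite(ip):
            continue
        if rule.groups and not (rule.groups & set(user_groups)):
            continue
        return rule.name, rule.two_factor
    return None  # no permit rule matched

SENSITIVE = Rule("Sensitive access", True, frozenset({"Finance-Admins"}), True)
GENERAL = Rule("General use", True, frozenset(), False)
OFFSITE = Rule("Offsite", False, frozenset(), True)

def audit(rules):
    """Run constructed login scenarios; return those with an unexpected outcome."""
    cases = [
        ("203.0.113.10", ["Staff"], False),           # normal onsite user
        ("203.0.113.10", ["Finance-Admins"], True),   # privileged onsite user
        ("198.51.100.7", ["Staff"], True),            # offsite user
        ("198.51.100.7", ["Finance-Admins"], True),   # privileged offsite user
    ]
    failures = []
    for ip, groups, want_2fa in cases:
        result = evaluate(rules, ip, groups)
        if result is None or result[1] != want_2fa:
            failures.append((ip, groups, result))
    return failures

if __name__ == "__main__":
    print(audit([SENSITIVE, GENERAL, OFFSITE]))  # intended priority order
    print(audit([GENERAL, SENSITIVE, OFFSITE]))  # broad rule shadows the 2FA rule
```

Under this model, placing the broad 'General use' rule ahead of 'Sensitive access' lets privileged onsite users in without a second factor, so confirm the actual priority order in the portal before enabling the rules.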