Multi-Factor Interactive User Login Use Case
We define an Interactive User as a human physically interacting with the browser. This excludes non-interactive login methods such as SPNEGO and similar mechanisms, though such methods are still counted as credentials, alongside username/password, when evaluating policy for this use case.
Actors
- User
- System
Pre-Conditions
- System is configured to process multiple forms of credentials simultaneously
- System has policies configured for various multi-factor scenarios
- System may have a policy configured for the requested service
- System has a default policy that applies when none is configured for a particular service
- User is attempting to access a particular service
Flow
- User attempts to access a service and is sent to the System for authentication
- If the User has previously authenticated, the System checks whether the existing Authentication satisfies the policy that applies to the service (policy types are defined under Business Rules)
- If the existing Authentication satisfies the policy, the User is granted access to the service
- If the User has no existing session, or the existing session does not satisfy the policy, the User is notified of the credentials that will satisfy the policy
- User Credentials are authenticated and confirmed to meet the policy requirements
- If authentication fails, the User is required to provide credentials again for validation
Post-Conditions
- On successful Authentication, the User is redirected back to the service. Successful Authentication means the credentials were valid AND the policy was satisfied.
Business Rules
- Policies are defined as one of the following:
  - A Particular Form of Authentication is Required
  - A Particular Set of Authentications is Required (Ordered or Unordered)
  - A Particular Level Must be Met (while policies may be configured per service, level definitions are global)
  - A Particular Group Must be Satisfied (e.g. X or more of Authentication methods A, B, C)
  - Custom Logic
  - Any
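The policy types above, together with the session check and post-condition described in the Flow, as an added example that is not part of this page or of the project: a toy evaluator in Python. Every policy answers two questions about the authentications already performed in the session: is the policy satisfied, and if not, which credentials would satisfy it (the list the User is notified of). The handler names, the global LEVELS table, the reading of "a level must be met" as met by at least one factor, and all function names are assumptions made for illustration.

```python
# Added example, not CAS code: toy evaluator for the Business Rules policy types.
from dataclasses import dataclass
from typing import Callable, FrozenSet, Sequence, Tuple

# Assumption: global level definitions keyed by authentication handler name
# (levels are global even though policies are selected per service).
LEVELS = {"password": 1, "spnego": 1, "otp": 2, "x509": 2, "fido": 3}
ALL_METHODS = frozenset(LEVELS)

# "done" is the sequence of authentications already performed in the session,
# in the order they happened.
@dataclass(frozen=True)
class Required:
    """A particular form of authentication is required."""
    method: str
    def satisfied(self, done: Sequence[str]) -> bool:
        return self.method in done
    def needed(self, done: Sequence[str]) -> FrozenSet[str]:
        return frozenset() if self.satisfied(done) else frozenset({self.method})

@dataclass(frozen=True)
class RequiredSet:
    """A particular set of authentications, optionally in a fixed order."""
    methods: Tuple[str, ...]
    ordered: bool = False
    def _unmatched(self, done: Sequence[str]) -> Tuple[str, ...]:
        if not self.ordered:
            return tuple(m for m in self.methods if m not in done)
        i = 0  # ordered: methods must appear as a subsequence of `done`
        for d in done:
            if i < len(self.methods) and d == self.methods[i]:
                i += 1
        return self.methods[i:]
    def satisfied(self, done: Sequence[str]) -> bool:
        return not self._unmatched(done)
    def needed(self, done: Sequence[str]) -> FrozenSet[str]:
        rest = self._unmatched(done)
        if not rest:
            return frozenset()
        # Ordered: offer only the next step so the required order is kept.
        return frozenset({rest[0]}) if self.ordered else frozenset(rest)

@dataclass(frozen=True)
class Level:
    """A particular level must be met (assumption: by at least one factor)."""
    minimum: int
    def satisfied(self, done: Sequence[str]) -> bool:
        return any(LEVELS.get(m, 0) >= self.minimum for m in done)
    def needed(self, done: Sequence[str]) -> FrozenSet[str]:
        if self.satisfied(done):
            return frozenset()
        return frozenset(m for m, lvl in LEVELS.items() if lvl >= self.minimum)

@dataclass(frozen=True)
class Group:
    """At least `count` of the listed methods must be satisfied."""
    methods: FrozenSet[str]
    count: int
    def satisfied(self, done: Sequence[str]) -> bool:
        return len(self.methods & frozenset(done)) >= self.count
    def needed(self, done: Sequence[str]) -> FrozenSet[str]:
        return frozenset() if self.satisfied(done) else self.methods - frozenset(done)

@dataclass(frozen=True)
class Custom:
    """Custom logic: an arbitrary predicate plus the credentials it may ask for."""
    predicate: Callable[[Sequence[str]], bool]
    hint: FrozenSet[str]
    def satisfied(self, done: Sequence[str]) -> bool:
        return self.predicate(done)
    def needed(self, done: Sequence[str]) -> FrozenSet[str]:
        return frozenset() if self.satisfied(done) else self.hint - frozenset(done)

@dataclass(frozen=True)
class AnyAuthn:
    """Any single successful authentication satisfies the policy."""
    def satisfied(self, done: Sequence[str]) -> bool:
        return len(done) > 0
    def needed(self, done: Sequence[str]) -> FrozenSet[str]:
        return frozenset() if done else ALL_METHODS

def resolve_policy(service: str, per_service: dict, default):
    """Pre-condition: the per-service policy if configured, else the default."""
    return per_service.get(service, default)

def decide(policy, session_authns: Sequence[str]):
    """Flow: ALLOW if the session satisfies the policy, else CHALLENGE + credentials."""
    if policy.satisfied(session_authns):
        return "ALLOW", frozenset()
    return "CHALLENGE", policy.needed(session_authns)

def complete_login(policy, session_authns: Sequence[str], validated: Sequence[str]):
    """Post-condition: success only if credentials were valid AND policy is satisfied."""
    if not validated:  # authentication failed: session unchanged, user retries
        return False, list(session_authns)
    new_session = list(session_authns) + list(validated)
    return policy.satisfied(new_session), new_session
```

Note that `complete_login` keeps the two halves of the post-condition separate: a valid credential that still leaves the policy unsatisfied (for example, an `otp` factor presented against a `Level(3)` policy) returns `False` with the enlarged session, so the next `decide` call re-prompts with only what is still missing rather than restarting from scratch.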
Non-Functional Requirements
- None