Configure Adaptive Authentication with Device Restriction?

• Choose Self Registration by User.



• Configure the following options:
• Number of Device Registrations Allowed: Specifies the maximum number of devices a user can register.
• Enable Mobile Device Restriction: Blocks login attempts from mobile devices.
• Enable Device Auto-Registration: Allows automatic device registration.

Configure Risk Engine for Device Trust Evaluation

The Risk Engine allows you to evaluate device trustworthiness by analyzing multiple device attributes and calculating a risk score. Based on this score, user access is allowed, challenged, or denied during login and device registration.

• Navigate to the Risk Engine section and click Configure.



• The Risk Engine Configuration window opens with two tabs:
• Risk Parameters
• Risk Score

• Configure Risk Parameters:
• In the Risk Parameters tab, review the list of device attributes grouped by category.
• The Device Identifiers category contains mandatory attributes (such as Installation ID, BIOS UUID, Machine SID, etc.). These attributes are always enabled and cannot be disabled or reprioritized, as they are critical for device fingerprinting.
• For other categories (Hardware, Network, Software, Location), enable the attributes you want to use for device trust evaluation.
• Set a Priority for each enabled attribute:
• High: Strong impact on risk score
• Medium: Moderate impact
• Low: Minimal impact



• Click Next to proceed.
• Configure Risk Score Thresholds:
• In the Risk Score tab, define the score ranges (0–100) that determine the authentication outcome during user login.
• Lower risk scores indicate trusted devices.
• Higher risk scores indicate potential security risks or anomalies.
• Configure the thresholds as follows:
• Allow: Allow user to authenticate without challenge and registration.
• Challenge: Allow user authentication with a challenge, e.g., when the device limit is exceeded.
• Deny: Deny user authentication, e.g., when the device limit is exceeded, when device attribute is mismatch.

3. Define Action for Behavior Change

• Under Action for Behaviour Change, click Edit and choose one:





Attribute	Description
Allow	Allow user to authenticate without challenge and registration.
Challenge	Allow user authentication with a challenge, e.g., when the device limit is exceeded.
Deny	Deny user authentication, e.g., when the device limit is exceeded.



• Challenge Type Options: Set the challenge type when the Action for Behaviour is configured as Challenge.

Attribute	Description
User second Factor	The User needs to authenticate using the second factor he has opted or assigned for such as OTP over SMS PUSH Notification OTP over Email And 12 more methods.
KBA (Knowledge-based authentication)	The System will ask user for 2 of 3 questions he has configured in his Self Service Console. Only after right answer to the questions user is allowed to proceed further.
OTP over Alternate Email	User will receive a OTP on the alternate email he has configured threw Self Service Console. Once user provides the correct OTP he is allowed to proceed further.



• Click Save to apply the Adaptive Policy.

4. Assign the Adaptive Policy to an Application

The policy will take effect only after it is associated with a specific application login flow.

• Go to Policies >> App Login Policy from the left navigation section.
• Assign the newly created adaptive policy to the Application Login Policy by clicking on the edit icon next to the required listed application.
• Enable Device Restriction under Adaptive Authentication.



• Click Submit.

5. User Device Registration

Applies when a user is registering a device for the first time.

• Visit your branding Url of miniorange for e.g., https://<domain_name>.xecurify.com/moas/login
• Enter your Username.



• Enter Password.



• If the Action for Behaviour is set to Deny or Challenge, the user is prompted with the configured challenge type along with an option to register the user device profile.

Note:

If Auto-Registration is enabled and Action for Behaviour Change is set to Deny or Challenge, the device is registered automatically after successful challenge.





• If the Action for Behaviour is set to Allow, the user is logged in to the user dashboard without any registration or challenge prompt.

6. Device Management

After a user completes the registration flow, their registered devices appear in the Trusted Devices section of the customer admin account.

• Navigate to Devices >> Trusted Devices from the left navigation.
• The Device Management page contains two tabs: Devices and Audit.



• Device Registration Details.



• Click on User Identifier.

  All configured device attributes associated with the selected user are displayed on this page.




• Switch to Audit tab.

  User device audit details are displayed here.

7. User Login Experience

Defines how users are authenticated and what they experience during login.

• Visit your branding Url of miniorange for e.g., https://<domain_name>.xecurify.com/moas/login
• Enter your Username.



• Enter Password.



• User is logged in to the user dashboard.
• Switch to the Audit tab to view device-related audit logs.



• Click Profile Match to review the device attribute comparison.
• If no mismatched attributes are detected, the page indicates that the device profile matches.
• If mismatched attributes are found, the page displays the list of attributes that do not match.



• Click on Permit to view the overall policy decision.

• Choose Pre-Approved Trusted Devices Only.



• Upload a CSV file containing pre-approved users and devices (users must already exist in miniOrange). Download Sample CSV for reference.
• Configure the following options:
• Enable Mobile Device Restriction: Blocks login attempts from mobile devices.
• Enable Device Auto-Registration: Allows automatic device registration.

Configure Risk Engine for Device Trust Evaluation

The Risk Engine allows you to evaluate device trustworthiness by analyzing multiple device attributes and calculating a risk score. Based on this score, user access is allowed, challenged, or denied during login and device registration.

• Navigate to the Risk Engine section and click Configure.



• The Risk Engine Configuration window opens with two tabs:
• Risk Parameters
• Risk Score

• Configure Risk Parameters:
• In the Risk Parameters tab, review the list of device attributes grouped by category.
• The Device Identifiers category contains mandatory attributes (such as Installation ID, BIOS UUID, Machine SID, etc.). These attributes are always enabled and cannot be disabled or reprioritized, as they are critical for device fingerprinting.
• For other categories (Hardware, Network, Software, Location), enable the attributes you want to use for device trust evaluation.
• Set a Priority for each enabled attribute:
• High: Strong impact on risk score
• Medium: Moderate impact
• Low: Minimal impact



• Click Next to proceed.
• Configure Risk Score Thresholds:
• In the Risk Score tab, define the score ranges (0–100) that determine the authentication outcome during user login.
• Lower risk scores indicate trusted devices.
• Higher risk scores indicate potential security risks or anomalies.
• Configure the thresholds as follows:
• Allow: Grant access immediately.
• Challenge: Require additional verification.
• Deny: Block access.



• Click Save to apply the Adaptive Policy.
• Navigate to Devices >> Trusted Devices from the left navigation.
• Pre-approved user and device details are displayed after the CSV upload.

3. Assign the Adaptive Policy to an Application

The policy will take effect only after it is associated with a specific application login flow.

• Go to Policies >> App Login Policy from the left navigation section.
• Assign the newly created adaptive policy to the Application Login Policy by clicking on the edit icon next to the required listed application.
• Enable Device Restriction under Adaptive Authentication.



• Click Submit.

4. User Device Registration

Applies when a user is registering a device for the first time.

• Visit your branding Url of miniorange for e.g., https://<domain_name>.xecurify.com/moas/login
• Enter your Username.



• Enter Password.



• If the Action for Behaviour is set to Deny or Challenge, the user is prompted with the configured challenge type along with an option to register the user device profile.

Note:

If Auto-Registration is enabled and Action for Behaviour Change is set to Deny or Challenge, the device is registered automatically after successful challenge.





• If the Action for Behaviour is set to Allow, the user is logged in to the user dashboard without any registration or challenge prompt.

5. Device Management

After a user completes the registration flow, their registered devices appear in the Trusted Devices section of the customer admin account.

• Navigate to Devices >> Trusted Devices from the left navigation.
• The Device Management page contains two tabs: Devices and Audit.
• Device Registration Details.



• Click on User Identifier.
• All configured device attributes associated with the selected user are displayed on this page.



• Switch to Audit tab.

6. User Login Experience

Defines how users are authenticated and what they experience during login.

• Visit your branding Url of miniorange for e.g., https://<domain_name>.xecurify.com/moas/login
• Enter your Username.



• Enter Password.



• User is logged in to the user dashboard.
• Switch to the Audit tab to view device-related audit logs.



• Click Profile Match to review the device attribute comparison.
• If no mismatched attributes are detected, the page indicates that the device profile matches.
• If mismatched attributes are found, the page displays the list of attributes that do not match.



• Click on Permit to view the overall policy decision.