Skip to content

Add conditional authentication

With conditional authentication, the login flow in an application is dependent on the risk factors associated with the user's login request. This allows you to strengthen the authentication flow when the risk is higher. In Asgardeo, conditional authentication is configured using a script.

what is conditional authentication

Authentication script

The authentication script for configuring dynamic authentication flows in Asgardeo uses a functional language similar to Javascript. You can configure the script using the script editor in the Asgardeo Console. You can either use a template or write a custom script.

This scripting language supports a set of inbuilt functions and objects. A simple conditional authentication script will look like the following:

var onLoginRequest = function(context) {
    // Some possible initializations...
    executeStep(1);
        if (doStepUp(context) === true) { 
            executeStep(2);
        }
};

function doStepUp(context) {
    // A function that decides whether to enforce second step based on the request context.
    return true;
}

Note

Find out more about the scripting language in the Conditional Authentication API Reference.

Script templates

The script editor in Asgardeo comes with a set of predefined templates to get you started with some of the most common conditional authentication scenarios. These scripts contain inline comments explaining the conditions that are applied.

conditional-auth-templates-view

The available templates are categorized as follows:

  • Access Control - These templates restrict user login to the application based on specified conditions.
  • Adaptive MFA - These templates prompt two-factor authentication for login attempts based on specific conditions.
  • Passkey Enrollment - These templates allows users to progressively enroll with passkey authenticator.

The pre-defined templates are listed below.

Template Description
User-Age-Based This configures a login flow where users can log in only if their age is over the configured value. The user's age is calculated using the date of birth attribute.
Group-Based (Access Control) This login flow allows login only for users who belong to any of the given set of groups
Session Based This login flow allows login only for users who have less than the configured number of concurrent sessions.
Sign-In-Option-Based This login flow prompts two-factor authentication (2FA) only for users who are signing in with a given option.
New-Device-Based This login flow sends an email notification and/or prompts two-factor authentication for users who are logged in from a previously unused device.
Group-Based (Adaptive MFA) This login flow prompts two-factor authentication (2FA) for users who belong to any of the given set of groups.
IP-Based This login flow prompts two-factor authentication for users who log in from outside the given IP range.
Passkey-Progressive-Enrollment-Based This login flow allows users to progressively enroll with passkey authenticator.

If required, you can also use the script editor to introduce new functions and fields to an authentication script based on your requirement. See the instructions on writing a custom authentication script.

What's next