Add conditional authentication

# Add conditional authentication

With conditional authentication, the login flow in an application is dependent on the risk factors associated with the user's login request. This allows you to strengthen the authentication flow when the risk is higher. In Asgardeo, conditional authentication is configured using a script.

what is conditional authentication

# Authentication script

The authentication script for configuring dynamic authentication flows in Asgardeo uses a functional language similar to Javascript. You can configure the script using the script editor in the Asgardeo Console. You can either use a template or write a custom script.

This scripting language supports a set of inbuilt functions and objects. A simple conditional authentication script will look like the following:

var onLoginRequest = function(context) {
    // Some possible initializations...
        if (doStepUp(context) === true) { 

function doStepUp(context) {
    // A function that decides whether to enforce second step based on the request context.
    return true;

Find out more about the scripting language in the Conditional Authentication API Reference.

# Script templates

The script editor in Asgardeo comes with a set of predefined templates to get you started with some of the most common conditional authentication scenarios. These scripts contain inline comments explaining the conditions that are applied.


The available templates are categorized as follows:

  • Access Control - These templates restrict user login to the application based on specified conditions.
  • Adaptive MFA - These templates prompt two-factor authentication for login attempts based on specific conditions.

The pre-defined templates are listed below.

Template Description
User-Age-Based This configures a login flow where users can log in only if their age is over the configured value. The user's age is calculated using the date of birth attribute.
Group-Based (Access Control) This login flow allows login only for users who belong to any of the given set of groups
Sign-In-Option-Based This login flow prompts two-factor authentication (2FA) only for users who are signing in with a given option.
New-Device-Based This login flow sends an email notification and/or prompts two-factor authentication for users who are logged in from a previously unused device.
Group-Based (Adaptive MFA) This login flow prompts two-factor authentication (2FA) for users who belong to any of the given set of groups.
IP-Based This login flow prompts two-factor authentication for users who log in from outside the given IP range.

If required, you can also use the script editor to introduce new functions and fields to an authentication script based on your requirement. See the instructions on writing a custom authentication script.

# What's next