How Do Conditional Access Systems Work?

What is conditional access?

Your organisation’s applications and resources are being accessed daily by employees located in hundreds of different locations. At the same time, hackers and other cyber criminals are looking for ways to access your sensitive data themselves, trying to exploit gaps in your authentication process.

Conditional access is one of the most powerful ways you can protect your end users and data in today’s dynamic work environment. A conditional access system gives system administrators fine-grained control over the degree of access people have to your software, based on the context in which they’re attempting to sign in.

Different conditions of access can be set based on how risky the login attempt appears to be. If the user logging in is doing so, for example, from a trusted device on company premises, they may meet the conditions for being ‘low risk’ and only need to verify their identity with passwordless authentication. 

On the other hand, if the user is attempting to gain access from a new device and a suspicious IP address, you can prompt for multi-factor authentication, a stronger security factor like WebAuthn, or even block access altogether.

Businesses use conditional access to gain more control over who is able to access their resources and sensitive information. By defining how people can access that data in different contexts, you create a highly secure system that doesn’t impact the experience of trusted users.

How does a conditional access system work?

So how do conditional access systems give you this fine-tuned control? In a nutshell, conditional access systems work by taking stock of the different contextual data signals received during a login attempt, and deciding what level of access to grant based on pre-set conditions.

There are a range of different signals that can be taken into account, for example the user’s:

  • Location - Where is the user logging in from? Is it somewhere they wouldn’t usually be found?
  • Role - Users with access to confidential content may always require a higher degree of authentication
  • IP address and network - Are they trying to gain access from a suspicious IP address?
  • Device - Is this a new device, or one that has been used to sign in before?
  • Browser - Is this a known and trusted browser, or one the organisation has prohibited as a security risk?
  • Operating System (OS)

Based on these signals, the risk of each login attempt is assessed, and your conditional access policies then determine the response. Responses range from granting access with the minimum level of authentication required to blocking access entirely.

What makes conditional access truly valuable is that plenty of responses fit between those two extremes. You can grant limited access to slightly risky sign-in attempts, require the user to complete an additional step such as MFA or WebAuthn before gaining access, or have them reset their password before proceeding. Your access policies determine the level of risk, and the level of risk determines how the system and your users respond.

What should you include in your conditional access policy?

Which factors are considered, and what level of access is given, are both automated by the conditional access system and set by the organisation using it. It does so by creating a series of conditional access policies: a set of ‘if-then’ statements that define the conditions of entry for its applications.

For example, you might require that if the user signing in has the role of system administrator, then they must complete multi-factor authentication to get access. If that user is currently located in the United States even though your organisation doesn’t operate there, then they must complete an even stronger factor such as FIDO2. Or you could block access completely, with the provision that if the login attempt is coming from a trusted device, then the user can proceed with authentication.

As you can see, your organisation can set conditional access policies covering as many cases as you need to maintain security in every situation. Whether or not the conditions are met determines whether a login attempt is granted access to your corporate systems or barred from them.
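To make the signals list and the ‘if-then’ policy model above concrete, here is an added Python example of a toy conditional access engine. It is not Okta’s code or API; the corporate and suspicious networks, operating countries, prohibited browsers, scoring weights and rules are all constructed assumptions chosen to mirror the article’s examples (administrators always get MFA, an administrator outside the countries you operate in gets FIDO2, high-risk attempts on untrusted devices are blocked). Rules are evaluated in order and the first match decides; a context matched by no rule is blocked.

```python
# Added example: a toy conditional access policy engine. Not Okta's code;
# every network, country, browser, weight and rule below is a constructed
# assumption for illustration.
from dataclasses import dataclass
from typing import Callable, List, Tuple
import ipaddress

# Constructed organisation settings (assumptions, not real data).
CORPORATE_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]         # "on premises"
SUSPICIOUS_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]    # stand-in for a known-bad range
OPERATING_COUNTRIES = {"GB"}                                      # where the organisation operates
PROHIBITED_BROWSERS = {"LegacyBrowser"}                           # banned as a security risk


@dataclass(frozen=True)
class SignInContext:
    """Contextual signals gathered during one login attempt."""
    user: str
    role: str                 # e.g. "staff" or "admin"
    country: str              # ISO country code of the sign-in location
    ip: str
    device_trusted: bool      # managed / registered device
    device_seen_before: bool  # has this device signed in before?
    browser: str
    os: str


def in_any(ip: str, networks) -> bool:
    """True if the address falls inside any of the given networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def risk_level(ctx: SignInContext) -> str:
    """Score the signals and map the total to low / medium / high (constructed weights)."""
    score = 0
    if not in_any(ctx.ip, CORPORATE_NETWORKS):
        score += 1  # off premises
    if in_any(ctx.ip, SUSPICIOUS_NETWORKS):
        score += 3  # suspicious IP address
    if ctx.country not in OPERATING_COUNTRIES:
        score += 2  # unusual location
    if not ctx.device_seen_before:
        score += 1  # new device
    if not ctx.device_trusted:
        score += 1  # unmanaged device
    if ctx.browser in PROHIBITED_BROWSERS:
        score += 3
    if score == 0:
        return "low"
    return "medium" if score <= 2 else "high"


@dataclass(frozen=True)
class Rule:
    """One 'if-then' statement: when(context, risk) -> decision."""
    name: str
    when: Callable[[SignInContext, str], bool]
    then: str  # "allow" | "require_mfa" | "require_fido2" | "block"


# Ordered policy: first matching rule wins, so blocks come before step-ups.
POLICY: List[Rule] = [
    Rule("prohibited browser", lambda c, r: c.browser in PROHIBITED_BROWSERS, "block"),
    Rule("high risk on untrusted device", lambda c, r: r == "high" and not c.device_trusted, "block"),
    Rule("admin outside operating countries",
         lambda c, r: c.role == "admin" and c.country not in OPERATING_COUNTRIES, "require_fido2"),
    Rule("admin always MFA", lambda c, r: c.role == "admin", "require_mfa"),
    Rule("elevated risk", lambda c, r: r in ("medium", "high"), "require_mfa"),
    Rule("low risk", lambda c, r: r == "low", "allow"),
]


def evaluate(ctx: SignInContext, policy: List[Rule] = POLICY) -> Tuple[str, str, str]:
    """Return (decision, matched rule name, risk level). Unmatched contexts are blocked."""
    risk = risk_level(ctx)
    for rule in policy:
        if rule.when(ctx, risk):
            return rule.then, rule.name, risk
    return "block", "default deny", risk


if __name__ == "__main__":
    # Constructed sign-in attempts.
    attempts = [
        SignInContext("alice", "staff", "GB", "10.1.2.3", True, True, "Chrome", "Windows"),
        SignInContext("bob", "staff", "GB", "203.0.113.7", False, False, "Chrome", "macOS"),
        SignInContext("carol", "admin", "US", "198.51.100.20", True, True, "Firefox", "Linux"),
    ]
    for a in attempts:
        print(a.user, evaluate(a))
```

The risk score and the policy are deliberately separate: the score summarises the signals, and the ordered rules express the organisation’s decisions about them, which is what makes the policy readable and auditable as plain ‘if-then’ statements.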

Does my organisation need conditional access?

85% of employees working from home want to embrace a hybrid work environment. 50 of the biggest UK employers aren’t planning a return to the office. The concepts of remote work and work from home are becoming entrenched in the UK corporate scene. The workforce expects the opportunity to work in locations and at times that suit them best to maximise productivity.

With a conditional access system, your organisation will be able to:

  • Increase security universally, as data and user accounts are protected based on location, risk, and other contextual factors
  • Let employees work from any location safely
  • Improve UX by only requiring extra verification from medium- and high-risk login attempts
  • Demonstrate compliance with data and security regulations
  • Enable partners and third-party users to access just the resources they need from your network, without leaving gaps in the network open to exploitation

In this increasingly digital world, businesses need to strike a balance between providing employees with an engaging user experience from anywhere, and maintaining a strong security posture that doesn’t allow bad actors to slip through any cracks. That’s where conditional access systems come in.

Authentication software such as SSO and MFA makes logging in more secure for everyone, but can frustrate users who go through the same process daily. With the risk assessment that conditional access provides, you can automatically grant easier access to trusted individuals while making sure that more suspicious logins require additional authentication.

Which conditional access provider is right for your business?

There are several options on the market for conditional access systems, but many are limited to enforcing SSO and MFA across a narrow range of applications.

By contrast, Okta Adaptive MFA integrates with all platforms and apps, so you can apply your conditional access policies across the board. Empower your users at each step of the authentication process, pairing risk levels with appropriate access decisions for every unique situation. 

If you’re ready to protect your workforce and resources from malicious actors with a conditional access system, you can get started with a free trial of Okta for your workforce today.