Imagine if all of your employees had to go through two-step verification every time they opened their company email. That would be pretty inconvenient, not to mention unnecessary. You may, however, appreciate this level of security for your contractors, since they often work offsite or from their own machines.

Fortunately, many software providers allow for multiple authentication policies across an organization, which lets you tightly guard some user accounts without creating obstacles for others. Let’s take a closer look at the types of authentication available, and when it makes sense to go with more than one.

What is an authentication policy?

An authentication policy dictates which authentication settings a user must pass to access an application. The purpose of the policy is to protect the organization against a security breach by verifying that each user is who they claim to be.

Most authentication settings relate to logging into an application or product suite. Popular login settings include:

  • Single sign-on (SSO), which allows users to log into and access a full suite of products, such as Atlassian cloud, using your organization’s identity provider.
  • Multi-step verification, which adds a second or third login step to keep user accounts secure even if their password is compromised. Two-factor authentication typically requires a password and a token. Three-factor authentication typically requires a password, a token, and a biometric.
  • Username and password requirements, which typically mandate the minimum strength of password and/or set password expiration dates.
  • Tokens, which are pieces of data that are used as a sort of ticket to entry and are only valid for a specific duration of time. Tokens often come in the form of four- to eight-digit codes and are granted to users after they submit a request and confirm their identity. Often, users confirm their identity by answering a prompt on their mobile phone.
  • Biometrics, which use a person’s unique biological characteristics to verify their identity. The most common methods are fingerprint scanning and facial recognition, both of which are already used ubiquitously on mobile phones. Eye scanners and voice recognition are also fairly popular, and gait and vein recognition are starting to gain traction, too.

In addition to these login types, organizations can set up risk-based authentication. Have you ever typed your password incorrectly a few times in a row and then been required to prove your identity through an email or text prompt? That’s risk-based authentication in action. The application detects potential risk, then prompts you to provide additional authentication to protect against that risk.

Session duration is another type of authentication setting determined by user behavior. If a user has been idle for a pre-determined amount of time, the application will automatically log that user out. IT teams typically define and set session durations to prevent data breaches when an employee steps away from their machine but forgets to log out.

The benefits of multiple authentication policies

With just one authentication policy for an entire organization, you risk slowing your teams down where authentication is needlessly cumbersome, or compromising your data where authentication is too lean. Thus, administrators may want to establish varying authentication policies for different sets of users and configurations.

Organizations commonly assign different authentication policies for full-time employees, contractors, and outside partners. Some even assign policies by team. HR or members of the C-suite, for example, may have shorter session durations. Because they have access to sensitive data, it’s especially important that no one can access their systems should they abruptly need to step away from their desk or log in from an unfamiliar device.

Another reason to set multiple authentication policies is to test authentication setting functionality. Say your organization was adopting two-factor authentication, for example, but wanted to test drive the added layer of security and identify any potential productivity issues. Multiple authentication policies would allow you to create a test policy for a small group of users before rolling it out to the entire organization, minimizing the potential for disruption.
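
To make the idea concrete, here is an added illustration (not Atlassian Access code or configuration) that models several policies side by side: a lighter one for employees, a stricter one for contractors, a short session for HR, and a small two-step pilot group. The policy names, users, timeouts, and failure threshold are all assumptions made up for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class AuthPolicy:
    name: str
    require_sso: bool
    require_two_step: bool
    idle_timeout_min: int            # session ends after this much idle time
    step_up_after_failures: int = 3  # risk-based: extra proof after N failed logins

# Constructed policies; names and values are illustrative assumptions.
POLICIES = {
    "employees":   AuthPolicy("employees", True, False, 480),
    "contractors": AuthPolicy("contractors", False, True, 60),
    "hr":          AuthPolicy("hr", True, True, 15),
    "2sv-pilot":   AuthPolicy("2sv-pilot", True, True, 480),
}
DEFAULT_POLICY = "contractors"  # assumption: unassigned users get the stricter policy

# Constructed user-to-policy assignment; "di" trials two-step before a wider rollout.
ASSIGNMENTS = {"ana": "employees", "bo": "contractors", "cy": "hr", "di": "2sv-pilot"}

def policy_for(user):
    """Look up the policy assigned to a user, falling back to the default."""
    return POLICIES[ASSIGNMENTS.get(user, DEFAULT_POLICY)]

def required_steps(user, failed_attempts=0):
    """Return the ordered login steps the user's policy demands."""
    policy = policy_for(user)
    steps = ["sso"] if policy.require_sso else ["password"]
    if policy.require_two_step:
        steps.append("token")
    # Risk-based authentication: repeated failures trigger an extra challenge.
    if failed_attempts >= policy.step_up_after_failures:
        steps.append("email_or_text_prompt")
    return steps

def session_active(user, idle_minutes):
    """A session stays valid only while idle time is under the policy limit."""
    return idle_minutes < policy_for(user).idle_timeout_min

if __name__ == "__main__":
    for user in ("ana", "bo", "cy", "di", "guest"):
        print(user, policy_for(user).name, required_steps(user),
              "active after 20 idle min:", session_active(user, 20))
```

The same 20 idle minutes leaves an employee's session open but closes the HR user's, and only the pilot user picks up the extra token step while everyone else in the employee policy is unaffected.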

Secure your cloud applications without slowing down your teams

Authentication policies protect your organization against data breaches, but they don’t have to be one-size-fits-all.

Atlassian Access gives you the flexibility to set up multiple authentication policies across Atlassian cloud products so you can ensure each of your users has the appropriate level of security built into their work tools.

Want to learn more about how authentication policies work in Atlassian Access? Click below to take a look at our product guide.

Authentication policies shouldn’t be one-size-fits-all