Skip to main content

Policy Configuration

Policies control how Humifortis scores risk and triggers adaptive authentication actions. The system evaluates every login event in real time, computes a 0–100 risk score, and enforces the configured playbook rule (Allow / Require MFA / Block).

Adaptive authentication

Enforcement is always proportional to current risk. A user on a known device at a normal hour gets a frictionless Allow. The same user appearing from a new country at 2 AM via a Tor exit node gets blocked — automatically, without manual intervention.


Policy Components

1. Global Sensitivity

A master multiplier applied uniformly to every risk signal before scoring. This does not change individual signal weights; it scales the entire engine proportionally.

LevelMultiplierPostureRecommended for
Low×0.7PermissiveLow-risk environments, initial rollout
Medium×1.0BalancedMost production deployments
High×1.3AggressiveRegulated industries
Very High×1.6MaximumZero-trust / active incident response

Changes take effect on the next authentication event — no restart required.


2. Risk Thresholds

Define the score boundaries between risk levels. Enforcement actions are triggered when a score crosses a threshold.

LevelDefault RangeTypical enforcement
Minimal0–20Allow
Low20–40Allow with monitoring
Medium40–60Allow or soft MFA challenge
High60–80Require MFA
Critical80–100Block or lock account

Configure exact boundaries in Policies → Thresholds.


3. Signal Rules

Custom signal weight overrides. Each signal has a base deltaRisk value. Rules let you amplify or suppress specific signals without touching the engine config.

Configured in Policies → Signal Rules.


4. Derived Signals

Engine-computed signals that combine base events with temporal patterns, velocity analysis, and contextual enrichment. These are the core of the adaptive authentication engine.

Key signals to know:

SignalTypeΔRiskWhat it detects
AUTH_BRUTE_FORCEvelocity+155+ failed logins in 60s
CREDENTIAL_STRIPPINGsequence+55MFA deleted after credential update — near-deterministic ATO
ATO_CONSOLIDATIONsequence+40Email changed within 5 min of login — account takeover
MFA_FATIGUE_PATTERNvelocity+20Push denial storm
AUTH_DEVICE_COUNTRY_MISMATCHsequence+15Known device from new country
BROWSER_TOKEN_TRUSTEDsequence−20Recognised device trust token (reduces risk)

5. Enforcement Mode

Controls whether playbook actions are actually applied to users.

ModeEffect
EnforcePlaybook actions fully applied (block, MFA, lock)
Dry-RunRisk scores computed — no action taken on users. Use for onboarding.
ShadowRisk + webhooks fire for SOC visibility — users never blocked.
warning

Dry-Run and Shadow modes do NOT protect users. Set to Enforce in production.


Playbook Rules

The Playbook is the enforcement logic on top of Policy. Each rule maps a risk level or derived signal to an action.

- name: "block critical risk"
priority: 100
risk_levels: ["CRITICAL"]
actions: ["DENY"]

- name: "MFA for ATO consolidation signal"
priority: 90
derived_signals: ["ATO_CONSOLIDATION", "CREDENTIAL_STRIPPING"]
actions: ["REQUIRE_MFA"]

- name: "bypass trusted device"
priority: 80
derived_signals: ["BROWSER_TOKEN_TRUSTED"]
actions: ["ALLOW"]

Rules are evaluated in descending priority order — first match wins. Changes hot-reload immediately — no server restart required.


Keycloak Connector Integration

The Keycloak connector calls POST /evaluate on every login event and receives the playbook decision:

  • ALLOW → login proceeds normally
  • CHALLENGE_MFA → Keycloak prompts the configured MFA method
  • BLOCK / LOCK_ACCOUNT → Keycloak shows the configured error page

Humifortis decides whether to challenge; Keycloak decides how.


Best Practices

Start in Dry-Run, then switch to Enforce. Deploy in Dry-Run for 1–2 weeks. Review the risk score distribution in the Dashboard and Rule Telemetry. Switch to Enforce once you're confident in the baseline.

Tune thresholds for your user base. A security-sensitive environment (banking, healthcare) should use High or Very High sensitivity. A developer tools product may start with Low.

Add signal weight overrides sparingly. The defaults are calibrated for most environments. Override individual signals only when you have evidence that the default weights are causing too many false positives or false negatives.


See Also