How to test adaptive MFA?

Question:

How can I get low confidence scores for the MFA assessors used in adaptive MFA?

Answer:

  • In order to trigger a low confidence score for the UntrustedIPs assessor, one can perform an interactive login through a Tor browser.

  • In order to trigger a low confidence score for the NewDevice assessor, for a returning user, one can 1) clear all browser cookies for the domain, and 2) alter their User-Agent string (e.g. use a different browser than in the previous login attempt, or artificially alter the value using a browser plugin). For an example, you may check this FAQ.

  • In order to trigger a low confidence score for the ImpossibleTravel assessor, for a returning user, one can perform an interactive login through a VPN service, where the VPN connection is made from a different geolocation. The location needs to be far enough from that of the previous login attempt.

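To confirm that a test login actually produced the low score you were aiming for, the per-assessor results can be logged from a post-login hook. The following is an added example, not part of the original answer: it assumes an Auth0 post-login Action, where the assessment is exposed as `event.authentication.riskAssessment` and the assessors are keyed `UntrustedIP`, `NewDevice` and `ImpossibleTravel`. The helper `summarizeRisk` and the sample event are constructed for illustration.

```javascript
// Added example: report which adaptive-MFA assessors scored low for a login.
// Assumption: the event follows the Auth0 post-login Action shape, i.e.
// event.authentication.riskAssessment.assessments.<name>.confidence
const ASSESSORS = ['UntrustedIP', 'NewDevice', 'ImpossibleTravel'];

// Hypothetical helper: collapse the risk assessment into a small summary.
function summarizeRisk(event) {
  const risk = event && event.authentication && event.authentication.riskAssessment;
  if (!risk) {
    // No assessment attached to this login: nothing to verify.
    return { overall: 'unavailable', perAssessor: {}, low: [] };
  }
  const perAssessor = {};
  const low = [];
  for (const name of ASSESSORS) {
    const a = risk.assessments && risk.assessments[name];
    perAssessor[name] = a ? a.confidence : 'missing';
    if (a && a.confidence === 'low') low.push(name);
  }
  return { overall: risk.confidence, perAssessor, low };
}

// Post-login handler: log the summary so each test login can be checked in
// the tenant logs, and require MFA when any assessor reports low confidence.
async function onExecutePostLogin(event, api) {
  const summary = summarizeRisk(event);
  console.log('adaptive-mfa-test', JSON.stringify(summary));
  if (summary.low.length > 0) api.multifactor.enable('any');
}
if (typeof exports !== 'undefined') exports.onExecutePostLogin = onExecutePostLogin;

// Constructed sample: a returning user on a new device, far from the last login.
const sampleEvent = {
  authentication: {
    riskAssessment: {
      confidence: 'low',
      assessments: {
        UntrustedIP: { confidence: 'high' },
        NewDevice: { confidence: 'low' },
        ImpossibleTravel: { confidence: 'low' },
      },
    },
  },
};
```

Run one test login per bullet above and check that only the assessor you targeted appears in the logged `low` list.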