Overview
An intelligence analyst working remotely from an unfamiliar network attempts to access a sensitive operational workspace. Rather than blocking the session outright or silently permitting it, the gateway evaluates the full authentication context: the device posture, network reputation, geographic location, and the analyst's typical access patterns. Because the risk score exceeds the baseline threshold for that resource, the system transparently prompts for a second factor before granting access, without disrupting lower-risk sessions elsewhere in the same organisation. The result is continuous, proportionate enforcement rather than a single perimeter check at login.
The Zero Trust Adaptive MFA Gateway operates on the principle that no session, user, or device is inherently trusted, regardless of network position. Every access request is scored in real time against a configurable risk policy. Step-up authentication is triggered only when the computed risk warrants it, balancing security rigour against operator experience. Organisations gain granular visibility into authentication events, device health signals, and policy outcomes through an integrated audit trail that satisfies both internal governance requirements and external regulatory obligations.
Key Features
- Continuous risk evaluation: Every request is scored against contextual signals including geolocation, network reputation, device health, and session behaviour, ensuring authentication assurance is maintained throughout the session rather than only at login.
- Dynamic step-up MFA: Step-up challenges are issued only when risk exceeds the policy threshold for a given resource, reducing friction for routine access while enforcing stronger verification for sensitive operations.
- Multiple second factors: Supports time-based one-time passwords (TOTP), hardware security keys via WebAuthn, push notifications, and SMS or email one-time codes, allowing organisations to select factors appropriate to their operational context.
- Device posture validation: Device health signals, including patch level, screen-lock status, and certificate presence, are evaluated as inputs to the risk score, enabling policy decisions that account for endpoint compliance.
- Federated identity integration: Connects to any standards-compliant identity provider via SAML 2.0 or OpenID Connect, meaning existing directory infrastructure does not need to be replaced or duplicated.
- Behavioural baseline learning: The platform builds per-user access baselines over time, allowing anomaly signals such as unusual access hours or atypical resource patterns to increase the risk score without requiring manual rule authoring.
- Granular policy controls: Administrators configure risk thresholds, required assurance levels, and exemptions at the organisation, role, and resource level, supporting least-privilege access without a one-size-fits-all policy.
- Immutable audit trail: Every authentication decision, step-up event, and policy override is logged with actor identity, resource, risk score, assurance level, and timestamp, satisfying regulatory audit requirements.
Use Cases
- High-risk access challenge: When an operator's session risk exceeds the threshold for a privileged resource, such as an administrative console or classified workspace, the gateway issues a step-up challenge before permitting access.
- Remote and mobile workforce: Field operators connecting from public or unfamiliar networks receive proportionate challenges based on network risk without blanket denial, maintaining operational continuity.
- Privileged administrative actions: Bulk configuration changes, user provisioning, and security policy edits are gated behind elevated assurance, reducing the blast radius of a compromised administrative session.
- Cross-organisational federated access: Partner agencies or coalition members authenticating via their own identity provider are assessed through the same risk policy, with assurance levels mapped to the resource sensitivity of the shared workspace.
- Regulatory compliance enforcement: Organisations subject to NIS2, eIDAS, or national identity assurance frameworks can configure required assurance levels per resource class, with the audit trail providing evidence of compliance for inspections.
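The risk-scoring and step-up logic described under Key Features and Use Cases can be made concrete with a small policy engine. The block below is an added illustration, not the gateway's own code: the signal weights, the per-resource thresholds, the assurance-level numbering (AAL1 to AAL3 as in NIST SP 800-63B), the network-reputation scale (0.0 clean to 1.0 known bad) and the per-user baseline are all assumed values constructed for the example. It shows the three outcomes a request can have (allow, step-up, deny), how an already-achieved assurance level avoids a redundant challenge, and the audit record emitted for every decision.

```python
"""Adaptive step-up decision engine (example, not the product's implementation)."""
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step_up"
    DENY = "deny"


@dataclass
class Context:
    """Contextual signals gathered for one access request (assumed field set)."""
    user: str
    resource: str
    country: str                 # ISO country code derived from geolocation
    hour_utc: int                # hour of day the request arrived
    network_reputation: float    # 0.0 (clean) .. 1.0 (known bad); assumed scale
    device_patched: bool
    device_screen_lock: bool
    device_cert_present: bool
    current_aal: int             # assurance level already reached in this session


@dataclass
class Outcome:
    decision: Decision
    risk: int
    audit: dict


# Per-resource policy (assumed values): risk above `threshold` requires the
# session to hold at least `required_aal`; risk above `deny_above` is refused.
POLICY = {
    "wiki":          {"threshold": 60, "required_aal": 2, "deny_above": 95},
    "ops-workspace": {"threshold": 40, "required_aal": 2, "deny_above": 90},
    "admin-console": {"threshold": 30, "required_aal": 3, "deny_above": 85},
}

# Constructed behavioural baseline: where and when each user is normally seen.
BASELINES = {
    "analyst1": {"countries": {"GB"}, "hours": set(range(8, 19))},
}


def score(ctx: Context) -> int:
    """Combine weighted contextual signals into a 0-100 risk score."""
    base = BASELINES.get(ctx.user, {"countries": set(), "hours": set()})
    risk = 0
    if ctx.country not in base["countries"]:
        risk += 30                       # unfamiliar geography
    if ctx.hour_utc not in base["hours"]:
        risk += 15                       # atypical access hour
    risk += int(40 * ctx.network_reputation)
    if not ctx.device_patched:
        risk += 15
    if not ctx.device_screen_lock:
        risk += 10
    if not ctx.device_cert_present:
        risk += 20
    return min(risk, 100)


def evaluate(ctx: Context) -> Outcome:
    """Apply the resource's policy to the computed risk and record the decision."""
    pol = POLICY[ctx.resource]
    risk = score(ctx)
    if risk > pol["deny_above"]:
        decision = Decision.DENY
    elif risk > pol["threshold"] and ctx.current_aal < pol["required_aal"]:
        decision = Decision.STEP_UP      # challenge only when the session lacks the AAL
    else:
        decision = Decision.ALLOW
    # One audit record per decision; a real deployment would append it to a
    # write-once log with a timestamp rather than return it to the caller.
    audit = {
        "actor": ctx.user,
        "resource": ctx.resource,
        "risk": risk,
        "session_aal": ctx.current_aal,
        "required_aal": pol["required_aal"],
        "decision": decision.value,
    }
    return Outcome(decision, risk, audit)


if __name__ == "__main__":
    remote = Context("analyst1", "ops-workspace", "DE", 3, 0.5, True, True, True, 1)
    print(evaluate(remote).audit)
```

The step-up branch checks the session's existing assurance level before challenging, which is what keeps a high-risk but already strongly authenticated session from being prompted twice; the deny ceiling exists because some contexts should not be rescued by a second factor at all.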
Integration
The gateway integrates with any SAML 2.0 or OpenID Connect identity provider, including Microsoft Entra ID, Okta, and Keycloak, requiring no changes to existing directory infrastructure. Device posture signals can be ingested from endpoint management platforms, and authentication events are exported to SIEM platforms via standard syslog or webhook streams. Existing applications integrate through standard OAuth 2.0 token flows, with the gateway acting as a transparent policy enforcement point that enriches tokens with assurance level claims consumed downstream.
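The token enrichment just described, where the enforcement point adds assurance-level claims that downstream services act on, can be shown end to end in a few dozen lines. The following is an added example written for this page, not the gateway's API: it mints an HS256 JWT with the standard `acr` and `amr` claims (OpenID Connect Core defines both; the `amr` values `pwd` and `otp` come from RFC 8176), then has a downstream consumer verify the signature, pin the algorithm, check expiry and compare the conveyed assurance level with what the resource requires. The `urn:example:aal*` `acr` values and the shared secret are assumed placeholders.

```python
"""JWT assurance-claim enrichment and downstream check (example, not product code)."""
import base64
import hashlib
import hmac
import json
import time

SECRET = b"constructed-demo-key"  # placeholder; a deployment would use a KMS-held key

# Assumed mapping between NIST-style AAL numbers and acr values for the demo.
ACR_BY_AAL = {1: "urn:example:aal1", 2: "urn:example:aal2", 3: "urn:example:aal3"}
AAL_BY_ACR = {v: k for k, v in ACR_BY_AAL.items()}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint(claims: dict, secret: bytes = SECRET) -> str:
    """Sign a claim set as a compact HS256 JWT."""
    header = {"alg": "HS256", "typ": "JWT"}
    compact = lambda obj: b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = f"{compact(header)}.{compact(claims)}"
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url(sig)}"


def enrich(base_claims: dict, aal: int, methods: list, ttl: int = 300, now=None) -> str:
    """Gateway side: add assurance level (acr) and methods used (amr), then sign."""
    now = int(time.time() if now is None else now)
    claims = dict(base_claims)
    claims["acr"] = ACR_BY_AAL[aal]
    claims["amr"] = methods            # e.g. ["pwd", "otp"], values per RFC 8176
    claims["iat"] = now
    claims["exp"] = now + ttl
    return mint(claims)


def verify(token: str, secret: bytes = SECRET, now=None) -> dict:
    """Downstream side: reject wrong alg, bad signature or expired token."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(b64url_decode(h))
    if header.get("alg") != "HS256":   # never let the token choose the algorithm
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p))
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    return claims


def authorize(token: str, required_aal: int, now=None) -> bool:
    """True only if the token verifies and conveys at least the required AAL."""
    try:
        claims = verify(token, now=now)
    except ValueError:
        return False
    return AAL_BY_ACR.get(claims.get("acr"), 0) >= required_aal


if __name__ == "__main__":
    tok = enrich({"sub": "analyst1", "aud": "ops-workspace"}, 2, ["pwd", "otp"])
    print(authorize(tok, 2), authorize(tok, 3))
```

The consumer maps `acr` back to a number and compares it, so a resource that requires AAL3 rejects a token minted after an AAL2 step-up even though the token is otherwise valid; the algorithm pin and constant-time comparison are the two checks most often missing from hand-rolled verifiers.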
Open Standards
- OpenID Connect (OIDC) / OAuth 2.0 (RFC 6749, RFC 6750): The gateway issues and validates access tokens using OIDC for identity assertions and OAuth 2.0 for delegated authorisation, enabling integration with any conformant identity provider or application.
- SAML 2.0 (OASIS): Full support for SAML 2.0 authentication assertions allows federating with enterprise identity providers that do not support OIDC, including many government and defence directory systems.
- WebAuthn / FIDO2 (W3C): Hardware security key and platform authenticator factors are implemented using the W3C Web Authentication specification, providing phishing-resistant second-factor options aligned with NIST AAL3 requirements.
- TOTP (RFC 6238): Time-based one-time password generation follows RFC 6238, ensuring compatibility with standard authenticator applications and hardware tokens from any vendor.
- NIST SP 800-63B (Digital Identity Guidelines): Authentication assurance levels and step-up policies are designed to map to NIST AAL1, AAL2, and AAL3 requirements, supporting organisations that must demonstrate compliance with identity assurance frameworks.
- eIDAS Regulation (EU 910/2014): Assurance levels and cross-border federated identity flows are aligned with the eIDAS substantial and high assurance tiers, supporting deployments that span EU member states.
- RFC 7519 (JSON Web Token): Session and identity claims are conveyed as JWTs, with assurance level and authentication method claims carried as standard registered or private claim names consumable by downstream services.
- ETSI TS 119 461 (Identity Proofing): Remote identity proofing processes for onboarding new operator accounts are aligned with ETSI TS 119 461 requirements relevant to qualified trust service providers.
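Of the standards listed, RFC 6238 is the one small enough to implement and check in full here. The block below is an added example, not the gateway's code: it builds TOTP on the RFC 4226 HOTP truncation, checks itself against the RFC 6238 SHA-1 test vectors (the 20-byte ASCII key `12345678901234567890` and the 8-digit codes printed in the RFC), and adds the two things a verifier needs beyond the RFC text: a bounded clock-skew window and a per-user record of the last accepted counter so a code cannot be replayed inside that window. The window size and the in-memory replay store are assumed choices for the example.

```python
"""TOTP (RFC 6238) generation and a replay-safe verifier (example, not product code)."""
import hashlib
import hmac
import struct
import time

# Key from the RFC 6238 test-vector appendix (SHA-1 variant).
RFC_KEY = b"12345678901234567890"


def hotp(key: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, for_time=None, step: int = 30, digits: int = 6,
         algo=hashlib.sha1, t0: int = 0) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor((time - T0) / step)."""
    t = int(time.time() if for_time is None else for_time)
    return hotp(key, (t - t0) // step, digits, algo)


class TotpVerifier:
    """Accept a code within +/- `window` steps of the current one, each counter once."""

    def __init__(self, key: bytes, window: int = 1, step: int = 30, digits: int = 6):
        self.key, self.window, self.step, self.digits = key, window, step, digits
        self._last_counter = {}      # user -> highest counter already consumed (assumed store)

    def verify(self, user: str, code: str, now=None) -> bool:
        now = int(time.time() if now is None else now)
        current = now // self.step
        for delta in range(-self.window, self.window + 1):
            counter = current + delta
            if counter <= self._last_counter.get(user, -1):
                continue             # already used, or older than a used code: replay
            expected = hotp(self.key, counter, self.digits)
            if hmac.compare_digest(expected, code):
                self._last_counter[user] = counter
                return True
        return False


if __name__ == "__main__":
    print(totp(RFC_KEY, 59, digits=8))           # RFC 6238 vector for T=59
    v = TotpVerifier(RFC_KEY)
    print(v.verify("analyst1", totp(RFC_KEY, 59), now=59))
```

Two details matter operationally: comparison uses `hmac.compare_digest` so a wrong code cannot be distinguished by timing, and the replay record is keyed by counter rather than by code text, so a code accepted at step N also invalidates any earlier step still inside the window.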
Availability
- Enterprise Plan: Included
- Professional Plan: Available with adaptive risk scoring; behavioural baseline learning and advanced device posture evaluation require an Enterprise licence upgrade.
Last Reviewed: 2026-05-26