Log in to OAAM Admin with environment administrator privileges.

9-20 Oracle Fusion Middleware Administrator's Guide for Oracle Adaptive Access Manager

6. Stanley is challenged because four users are logging in from the same device within 8 hours. The risk score is 500 (Rule Score is 1000, Weight is 100, Scoring Engine is Average), causing a KBA challenge.

9.6.6 Use Case 6: Unregistered High Risk User Risk Score Above 500

A high risk login by an unregistered user is not permitted to register.

1. High risk user, Henry, logs in to OAAM Server with an invalid password four times.
2. High risk user, Henry, logs in to OAAM Server with the correct password.
3. The user is locked since the risk score is 600 because of the invalid login attempts and the user is not registered.

9.6.7 Use Case 7: Registered High Risk User Risk Score Above 500

A registered user logs in under a high risk situation, causing an OTP challenge to occur.

1. Stanley logs in to OAAM Server with the correct password.
2. He is OTP SMS challenged since his risk score is up to 600 because of the invalid login attempts.

9.6.8 Use Case 8: Register High Risk Lockout

A user who has failed too many challenges can have their failure attempts reset by customer service. In this scenario, a user is locked out by failing to correctly answer a challenge. The CSR must unlock the user, allowing him to log in. The user logs in and is challenged again.

1. Stanley logs in to OAAM Server with the correct password.
2. He is OTP SMS challenged and types in an incorrect challenge value three times.
3. He is asked to answer a KBA challenge.
4. He incorrectly answers KBA three times.
5. He is blocked.
6. He attempts to log in again but remains blocked.
7. The CSR, who has logged in to OAAM Admin with CSR privileges, creates a case for Stanley.
8. She unlocks OTP for him.
9. Stanley logs in to OAAM Server with the correct password.
10. He is challenged via OTP.

9.6.9 Use Case 9: High Risk Exclusion

If a user is unable to use OTP, he can be added to an exclusion group to prevent the high risk challenge from occurring.

1. The Security Administrator logs in to OAAM Admin.
2. He adds Stanley to the High Risk Exclusion user group.
3. He modifies the OAAM Challenge Policy Check for High Risk Score rule to use High Risk Exclusion as the Excluded User Group in Pre-Conditions.

Setting Up OTP Anywhere 9-21

4. Stanley logs in to OAAM Server.
5. He is KBA challenged instead of OTP challenged even though he has a high risk score.

9.6.10 Use Case 10: OTP Challenge with Multi-Bucket Patterns

User: IP is a multi-bucket pattern that creates a bucket for each IP used by a user. It enables evaluations such as the following: if Jen falls into an IP bucket that is less than 30% of all application users falling into that bucket, then OTP challenge her.

1. The Security Administrator logs in to OAAM Admin.
2. He creates a multi-bucket pattern for the member type User with the operator For each and the attribute IP.
3. He confirms a policy which contains a rule with the following conditions: Has this user logged in at least twice in the last 3 months, Compare User Entity with all entities in picture 30, and Has this user OTP registered.
4. Jen logs in to the OAM Server.
5. She performs OTP registration.
6. She logs in 2 more times from the same IP.
7. For her 4th login, she logs in from a different IP.
8. The rule triggers.
9. At a different IP, she logs in again.
10. The rule triggers again.
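The walk-through above can be replayed against a simplified model of the User: IP pattern to see why the first three logins pass and the last two are challenged. This is an added example, not Oracle's code or OAAM's implementation; the class, function names and IP addresses are constructed for illustration. It assumes the bucket share is the fraction of the user's own logins in the window that came from the current IP (current login included), that "3 months" is 90 days, that the "30" in the rule is 30%, and that step 9 uses a third IP.

```python
from collections import Counter
from datetime import datetime, timedelta

THRESHOLD = 0.30              # the "30" in the rule, read as 30% (assumption)
WINDOW = timedelta(days=90)   # "last 3 months", approximated as 90 days (assumption)


class UserIpPattern:
    """Toy model of a multi-bucket pattern: one bucket per (user, IP)."""

    def __init__(self):
        self.logins = {}            # user -> list of (timestamp, ip) inside the window
        self.otp_registered = set()

    def evaluate_login(self, user, ip, when):
        """Record a login and return True if the OTP challenge rule triggers."""
        history = [(t, i) for t, i in self.logins.get(user, []) if when - t <= WINDOW]
        prior_logins = len(history)          # logins before this one, inside the window
        history.append((when, ip))
        self.logins[user] = history
        buckets = Counter(i for _, i in history)
        share = buckets[ip] / len(history)   # this IP's share of the user's logins
        return (
            prior_logins >= 2                    # logged in at least twice in the window
            and share < THRESHOLD                # current IP bucket is below 30%
            and user in self.otp_registered      # user has registered for OTP
        )


def replay(ips, register_otp=True):
    """Replay logins one day apart; OTP registration follows the first login."""
    pattern, start, results = UserIpPattern(), datetime(2024, 1, 1, 9, 0), []
    for day, ip in enumerate(ips):
        results.append(pattern.evaluate_login("jen", ip, start + timedelta(days=day)))
        if day == 0 and register_otp:
            pattern.otp_registered.add("jen")
    return results


# Constructed sample: three logins from one IP, then two logins from new IPs.
JEN_IPS = ["192.0.2.10"] * 3 + ["198.51.100.7", "203.0.113.5"]

if __name__ == "__main__":
    for n, triggered in enumerate(replay(JEN_IPS), start=1):
        print(f"login {n}: {'OTP challenge' if triggered else 'no trigger'}")
```

Under this model a second login from the step 7 address would raise that bucket to 2 of 5 logins and would not trigger, which is why step 9 is modeled with a third address.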