You want to configure an authentication mechanism or an additional authentication mechanism based on the type of the device.
You can configure risk-based authentication in this scenario by using Risk-based Pre-Auth Class. You can create a risk rule to choose an authentication mechanism or an additional authentication mechanism based on the type of device used by a user.
For example, if a user is logging in from a mobile device, you can prompt the user to provide an additional authentication such as SMS or One-Time Password based authentication after the user is authenticated.
You can define an HTTP Header rule by using a user-agent property such as Mozilla/5.0 (iPhone; U; CPU iPhone OS 3_0) to verify whether the request is from a mobile.
Configuration Steps:
Click Risk-based Policies > Rules.
Specify a name for the rule.
Select HTTP Header Rule.
Specify HTTP Header Name as User-Agent.
Select Contains in HTTP Header Value and specify Mozilla/5.0 (iPhone; U; CPU iPhone OS 3_0).
NOTE:You must configure NAT settings for this rule to work. See Configuring NAT Settings.
Click OK.
Assign the rule to a risk-policy and follow steps Step 7 to Step 9.