What is Adaptive Authentication?
Authentication is the process of verifying a user’s identity before granting them access to a particular system or location. Adaptive or risk-based authentication is a form of multi-factor authentication (MFA) where the authentication requirements depend on the situation.
What is Multi-Factor Authentication?
Multi-factor authentication requires the user to provide multiple different types of authentication factors. These factors fall into the following categories:
- Something You Know: Passwords, PINs, security questions, etc.
- Something You Have: Smartphone, hardware security token, smartcard, etc.
- Something You Are: Fingerprints, facial recognition, iris recognition, etc.
For an authentication scheme to be MFA, it needs to use something from at least two different categories. For example, an authentication system may require the user to enter a password (something you know) and provide a one-time password (OTP) that was generated by an authenticator app on their smartphone (something you have).
How Does Adaptive Authentication Work?
Often, an MFA scheme has fixed authentication requirements. For example, many websites now require users to log in with MFA in the form of a password and an OTP, regardless of the circumstances of the login.
Adaptive authentication tailors the authentication requirements to the situation. The requirements are selected based on risk, which is assessed from several factors, including:
- Requested Action: A system may require additional authentication factors for higher-risk activities than for lower-risk ones. For example, a website may only require the user to provide a password to access their account but require a second factor (such as an OTP) before the user can perform certain actions, such as changing their password or purchasing something.
- User or Device Risk: A system may require additional authentication if it seems less likely that the user is who they claim to be. For example, a user logging in from a known device might have fewer authentication steps than one using an unknown device. Device risk may also be evaluated based on whether the device is up-to-date on its security updates or has a corporate antivirus installed and running.
- Anomalous Requests: Anomalies in the request may result in additional authentication steps. For example, a login outside of business hours or a login attempt from a different country may have higher authentication requirements than a more normal request.
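The following is an added example, not code from the original article or any particular product, showing how the three categories of risk signals above can be combined into a score that decides which factors a request must present. The signal weights, score thresholds and the RequestContext fields are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from typing import List

# Hypothetical policy: actions the text calls out as needing a second factor
HIGH_RISK_ACTIONS = {"change_password", "purchase"}

@dataclass
class RequestContext:
    action: str
    known_device: bool            # device previously seen for this user
    device_patched: bool          # security updates current
    endpoint_protection_running: bool
    hour: int                     # local hour of the request, 0-23
    country: str                  # country of the request
    usual_country: str            # country the user normally logs in from

def risk_score(ctx: RequestContext) -> int:
    """Sum risk signals from the three categories: action, device, anomaly."""
    score = 0
    # Requested action: sensitive operations carry more risk
    if ctx.action in HIGH_RISK_ACTIONS:
        score += 2
    # User or device risk: unknown or poorly maintained device
    if not ctx.known_device:
        score += 2
    if not ctx.device_patched:
        score += 1
    if not ctx.endpoint_protection_running:
        score += 1
    # Anomalous request: outside business hours or from another country
    if not 9 <= ctx.hour < 18:
        score += 1
    if ctx.country != ctx.usual_country:
        score += 2
    return score

def required_factors(ctx: RequestContext) -> List[str]:
    """Map the risk score to the factors the user must present (assumed thresholds)."""
    score = risk_score(ctx)
    factors = ["password"]            # something you know, always required
    if score >= 2:
        factors.append("otp")         # something you have
    if score >= 5:
        factors.append("fingerprint") # something you are
    return factors

if __name__ == "__main__":
    ctx = RequestContext("purchase", False, False, True, 2, "FR", "US")
    print(risk_score(ctx), required_factors(ctx))
```

A routine request from a known, patched device during business hours needs only a password, while the same user changing a password from an unknown device abroad at night is asked for all three factor types.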
Why Use Adaptive Authentication?
The main benefit of adaptive authentication is that it enables an organization or application to balance usability and security. In general, as a system requires more authentication factors, the user experience degrades while security improves.
With adaptive authentication, the system can tailor the authentication experience and requirements to the unique situation. For common, low-risk requests, the user can perform minimal authentication because the potential threat to the account owner and the organization is minimal. However, if the organization has reason to believe that the request is suspicious or if it has the potential to cause significant damage, then additional authentication requirements are logical and justified.
Adaptive authentication tailors authentication requirements to the unique situation and the potential risk it poses to the organization. This helps an organization achieve a better balance of security and the user experience than a more static authentication process.