Adaptive Authentication: A Practical Guide

Thierry Gagnon

Passwordless-based authentication has a lot of advantages and is the underpinning of any robust cybersecurity program. While it’s far more secure than using passwords to access important information, it can be burdensome for employees to learn a new practice. 

Furthermore, a one-size-fits-all approach – where everyone is subjected to the same authentication hurdles – might be too strict for certain users and too lenient for others who have access to your most sensitive information.

The solution? Adaptive Authentication. In this guide, we’ll tell you everything you need to know about how to fine-tune your organization’s authentication system so that it works for everyone while still meeting the high cybersecurity standards your employees and customers expect and deserve. 

Let’s get into it.

What is Adaptive Authentication?
Understanding Multi-Factor Authentication

Before going into details about adaptive authentication, we have to first understand multi-factor authentication because it is integral in this security mechanism. Multi-factor authentication is a system that requires, as the name implies, two or more factors of authentication in order for a user to access a network or a resource. For example, the first step may be to use a password and then followed by the input of a code sent to an authentication application.

The Basics of Adaptive Authentication

Adaptive Authentication prompts for multi-factor authentication based on various baseline factors and fluid risk indicators, such as a users’ device IP and behavior. It goes beyond traditional static authentication methods, such as a username and password, and takes into account the context of an individual’s role to determine the appropriate level of authentication needed. The goal is to strike a balance between user convenience and security.

Balancing User Roles and Authentication

Think about it this way. An organization’s CSO is not only one of the most technically proficient individuals in the building, but they also have access to the most sensitive information – information that hackers want. On the other hand, a customer success representative might not be as computer-savvy as a CSO, nor do they have access to the same breadth and sensitivity of information as a CSO. 

It wouldn’t make sense for both individuals to have the same authentication requirements. If they did, the customer success representative would have to go through a cumbersome process to do their job, while the CSO’s process might not be secure enough. That’s where adaptive authentication comes in. 

It plays a crucial role in reducing friction for trusted users in low-risk scenarios while simultaneously providing enhanced security in high-risk scenarios. 

Scenario-Based Authentication

It recognizes that not all user interactions pose the same level of risk. For known and trusted users in low-risk situations, it allows for streamlined and simplified authentication processes. 

For example, if a user is accessing a familiar device from a known location, adaptive authentication can bypass additional authentication steps, such as requiring 2FA or biometrics. Think back to the customer success representative accessing basic customer information, from their regular office on their regular device, to do their job.  

While it conveniently eliminates some hurdles in low-risk scenarios, it also increases security in high-risk situations. When those situations arise, the adaptive system can require more strict authentication methods, such as biometrics, a physical passkey, or a seed phrase. Now consider the CSO accessing the underlying code for a business. High-risk. 

Real-Time Analysis

An adaptive authentication process carefully conducts this analysis in real-time, considering factors like the user’s location, role within an organization, device information, IP address, time of day, and past behavior to evaluate the likelihood of a threat. This enables the system to make sound decisions about the level of authentication required for each individual user interaction.

Customizability and Policy Setting

Not only are adaptive authentication solutions tailored to fit an organization’s specific requirements and security policies, but they also allow system administrators to define rules and policies based on risk metrics and the desired user experience. 

That ability to address the dual challenges of user experience and security is what makes adaptive authentication such an important pillar of a robust cybersecurity program. It’s a true win-win scenario, both minimizing friction for trusted users in low-risk situations and providing additional layers of security when needed.

How Adaptive Authentication Works

Analysis of Risk Factors

A robust implementation analyzes various risk factors to evaluate the level of risk associated with a user’s interaction. While specific implementations will vary, below are some common risk factors that are often taken into consideration:

  • User Behavior: The implementation will consider the user’s historical behavior patterns – when and why a user typically logs in. Deviations from those predictable patterns can indicate an unauthorized access attempt, triggering additional authentication requirements.
  • IP Address and Geolocation: A well-designed system compares the user’s IP address with known addresses associated with the user’s account. Changes in IP address, especially if it is associated with a different country, is considered a risk indicator.
  • Device Information: Information about the device being used, including its type, operating system, and security configurations, is also considered. Unrecognized or suspicious devices may trigger more authentication steps than a user typically experiences.
  • Time and Date: Unusual login times or dates are additional factors the system looks for. Logins during the middle of the night or on a holiday can cause more stringent authentication requirements. 
  • Multiple Failed Login Attempts: Repeated unsuccessful login attempts within a short period of time can signal a potential brute-force attack or unauthorized access attempts, leading to the need for stronger authentication measures.
  • Account History: The system may consider the user’s account history, including past security incidents or compromised credentials to assign a baseline risk level to an end-user. The bottom line is if a user exhibits poor cybersecurity hygiene or judgment in the past, they are more susceptible to mistakes moving forward.

    Adaptive Response to Risks

    Keep in mind, that this is only a sampling of risk factors that a strong adaptive authentication implementation will consider. But the good news is that when risk is detected during a legitimate login attempt, the user can still access what they need. The system simply requires an extra step or two to ensure the login attempt is legitimate.

    Here’s what that can entail. 

    • Email and SMS Notifications: Email and SMS notifications are common responses to potentially malicious attempts. When a suspicious login is detected, the system can automatically send an email or text message to the account owner. This allows the user to take immediate action, such as changing their password, verifying the login attempt, or confirming that it was unauthorized. 

    • User Access Blocking: When the system identifies a login attempt as high-risk, it can temporarily block access to the account. This prevents unauthorized access and protects sensitive information. Account owners usually need to go through additional verification steps to regain access.

    • Security Questions: Security questions are a common form of additional authentication. In response to a potentially malicious attempt, the system may prompt the user to answer predefined security questions. Correctly answering these questions helps verify the user’s identity and allows access to the account. These questions are typically entered by the user during the initial setup.

    • Push Authentication: Push authentication involves sending a notification to a registered mobile device or application when a login attempt is detected. The user can then confirm or deny the login request directly from their device. This adds an extra layer of security by requiring the physical possession of the user’s mobile device to authorize access.

    • FIDO U2F Tokens: FIDO U2F (Universal 2nd Factor) tokens are physical security keys that provide robust authentication. When a potentially unauthorized login attempt takes place, the system can require the user to insert their FIDO U2F token and authenticate it. These tokens go a long way to protect against various forms of attacks, including phishing and account takeovers.

     
    Any combination of these actions helps organizations prevent and respond to potentially malicious login attempts. They ensure that only authorized users gain access to their systems and enhance the security of their network.

Deploying Adaptive Authentication

adaptive authentication

There are several ways to implement an effective program – it all comes down to the organization’s policies, personnel, and how coveted their data is. Nearly every program includes static policies, behavioral correlation, and a combination of static and dynamic policy settings to draw from the best of both worlds and comprehensively protect an organization while making the experience as user-friendly as possible. 

Static Policies

Static policies are critical in defining risk levels for variables that typically do not change. These variables include a user’s role within an organization, the importance of the accessed resource, location, time, or day. By setting static policies, organizations can establish baseline risk levels for different scenarios. 

Consider the difference between a VP of Finance paying a large invoice and a sales associate accessing their email. With static policies, the former will require more thorough authentication measures than the latter every time. These baseline policies provide a foundation for evaluating risk and help in determining the initial authentication requirements.

Behavioral Correlation

Behavioral correlation assesses risk on a case-by-case basis. By analyzing learned user tendencies and behavioral patterns over time and by studying a user’s historical behavior, the system establishes a baseline of their typical usage patterns. When abnormal behavior is detected, the system can dynamically make the call to ramp up authentication requirements. 

If a user typically accesses their account from Montreal during normal business hours and suddenly a login attempt is detected from the Cayman Islands in the middle of the night, the system can take swift action to ensure the login attempt is legitimate – and block it if it’s not. 

Combination of Static and Dynamic Policies

Of course, it’s a combination of these two concepts that comprise a strong adaptive authentication system. Static policies are important to establish a baseline assessment of user and organizational risk, while dynamic policies adjust the authentication requirements based on real-time factors. This combination allows for a more precise and adaptable authentication process.

Benefits of Adaptive Authentication

Efficient User Experience and Robust Protection

The benefits of a well-architected system are numerous. For one, it streamlines the authentication process for trusted users, eliminating unnecessary steps and ensuring a smooth experience while still protecting against unauthorized access. 

By analyzing risk factors and user behavior in real time, adaptive authentication provides an end-to-end security layer that stays updated and adaptive to emerging threats and changes in user activity.

Flexible and Secure Access for Users

Perhaps the best part is that access is flexible and secure. Users can still securely access the resources they need from any location – it’s just that the authentication requirements are adjusted based on risk factors to ensure a higher level of security for sensitive operations or unfamiliar devices.

Furthermore, unlike static multi-factor authentication (MFA), adaptive authentication offers flexibility by dynamically adjusting authentication requirements based on context, striking an optimal balance between security and user convenience.

As we head toward a future where AI and machine learning will dominate our professional lives, adaptive authentication already utilizes machine learning algorithms to analyze user behavior and context, empowering the system to identify patterns, anomalies, and potential threats, and respond accordingly with timely and appropriate security measures. 

Given the rise of generative AI as a cybersecurity risk, it sure is nice to have a system that can keep up! 

Risk-Based Authentication: Synonymous with Adaptive Authentication

It’s worth adding a quick housekeeping note here that risk-based authentication and adaptive authentication are often used interchangeably to describe similar security approaches. Risk-based authentication is a system where the level of authentication required for a user is determined based on the assessed risk level of a specific interaction.

Similarly, adaptive authentication also dynamically adjusts the authentication requirements based on risk factors and contextual information. It considers the same elements, such as user behavior and environmental factors, to tailor the authentication process to the specific context of each user interaction.

In other words, both concepts leverage the same underlying principles of dynamically adjusting authentication requirements based on risk factors and context, and both systems lead to a more efficient and secure authentication process. 

It’s a distinction without a difference.

Conclusion

That was a major information drop, but it’s vitally important for organizations to understand and harness. As a whole, it’s a practical and effective security measure that offers numerous benefits and functionalities. 

By dynamically adjusting authentication requirements based on risk factors, adaptive authentication strikes a balance between user experience and security – the holy grail of cybersecurity. 

 

It reduces friction for trusted users in low-risk scenarios while providing enhanced security measures for high-risk situations, ultimately protecting against evolving threats and unauthorized access.

 

Is your organization ready to take a significant step toward peace of mind? The team at Kelvin Zero is ready to help. Get in touch with us

Thierry Gagnon
Thierry is co-founder and CTO of Kelvin Zero and one of the world's foremost experts on secure information sharing networks. With expertise in the development of automated systems, cyber knowledge bases, malware analysis & reverse engineering, and cyber threat intelligence, we are grateful to have Thierry provide us with his high-level insights into the cybersecurity world through his guides covering authentication, security, and cryptography.