Adaptive authentication (also known as Risk-based Authentication) intelligently identifies malicious attempts based on the defined risk factors and prompts the consumers to complete an additional step to verify their identity.
Adaptive authentication allows users to login using a username and password without presenting any additional authentication barrier while providing a security layer whenever a malicious attempt is made to access the system.
Depending on your business requirements, whenever an adaptive authentication request is deemed to be a malicious attempt based on the risk factors defined for your application, it can trigger one or more of the following:
Email Notification: An email is sent to the user about the authentication request. If the user did not request the authentication or it seems malicious, they can report it to their company to take necessary action.
SMS Notification: An SMS is sent to the user about the authentication request. This gives an advantage because the user tends to check messages more frequently than email and may not have access to email all the time. If the user did not request the authentication or it seems malicious, they can report it to their company to take necessary action.
Blocking User Access: The user’s account is blocked for further login attempts once certain risk criteria has been met. The user needs to contact the company to unblock the account.
Security Questions: This forces the user to answer one or more security questions before authenticating the request.
Push Authentication: User authentication is granted by delivering a push notification to a secure application on a user’s device.
FIDO U2F Tokens: FIDO U2F tokens allow users to utilize a single device to access any website or online service that supports the FIDO U2F protocol.
Facial Recognition: User authentication is granted by the analysis of a user’s face. During the enrollment process, the software takes mathematical data from the users facial features and stores that information in its system, so everytime the user authenticates with facial recognition, the system can identify the person is who they say they are.
Adaptive Authentication analyzes the user interaction with your application and intelligently builds a risk profile based on the consumer behavior or your organization’s security policy. The system creates a user. You can define the risk factors in one of the following ways:
Pre-defined Factors
You can define one or more risk factors based on your business requirements.
User Role: Employees with higher access scope user roles in the system can perform sensitive actions; such as asking them to perform additional steps to complete the authentication. Employees with limited access scope user roles are deemed to be a lower security risk and can log in with usernames and passwords for a seamless user experience.
Performative Sensitive Actions: If employees are trying to perform sensitive actions like edit or delete actions on the sensitive information, they can be asked to verify the identity with additional steps.
Location: Employees are trying to login into a system using a public network instead of the office network.
Device: If employees use their personal laptop instead of using a company-issued laptop.
Dynamic Factors
Most systems build a risk profile based on a consumer’s recent interaction with your applications. The system generally leverages machine learning to create this profile on the fly. Here are the common risk factors:
Country: The system can trigger actions and notifications if the consumer is logged in from a different country. e.g., If the consumers travel outside of their country of residence and try to access the system, some financial instructions like credit card companies block the access for the consumers to the system. These companies require you to inform the companies before leaving the country to whitelist the country for your account in the system.
City: If the consumer has logged in from a different city than he usually logs in from, it will trigger Adaptive Authentication. Once the consumer completes the Adaptive Authentication for the new city, the city can be added to the system for future logins without the Adaptive Authentication.
Device: If the consumer tries to login in from a new device, the request will be flagged as malicious under the Adaptive Authentication. Once the consumer completes the Adaptive Authentication for the new device, the city can be added to the system for future logins without Adaptive Authentication.
Browser: If the consumer was logging in from the Chrome browser and suddenly tries to log in from the Firefox browser, the authentication attempt will be deemed malicious and trigger the Adaptive Authentication. Once the consumer completes the Adaptive Authentication step, it will whitelist the browser for future authentication attempts for the consumer account.
Combination of Factors
You can combine the Pre-defined factors and Dynamic factors to trigger the Adaptive Authentication.
There are several methods to implementing Adaptive Authentication. The first authentication method, which would authenticate the user continuously, has to identify if there is a derivative in the user login credentials or behaviours. A derivative could be an incorrect password or different location, device, or behaviour that’s unusual for the user in question.
Today, location is usually determined by either an IP address or GPS. Location behaviour however, is usually based on a combination of WIFI, cellular and GPS signals being used to identify location behaviour patterns with a high degree of accuracy in both outdoor and indoor. If the user’s location does not match other previously identified locations when trying to login, then step-up authentication, such as an authenticator app or facial recognition would be required to login. The common difference between the location technology methods are the level of precision and accuracy and also resistance to spoofing. IP addresses and GPS can easily be faked or spoofed, as we’ve seen increasing amounts of spoofing, while a more sophisticated location behaviour technology cannot be spoofed.
Another method to deploy Adaptive Authentication is when a new device is detected at login. This could either be the user actually trying to login or a fraudster trying to access the user’s account with stolen credentials. In this case, step-up MFA could utilize a recognition signal, such as location behaviour to assess the risk associated with the login. Consider this, if the user is using another device and also in a completely different location that does not match the user’s usual location behaviour pattern, then this can be flagged as high risk. In this case, a second authentication method could be triggered, such as a mobile push notification or requesting the use of an authentication app or anything that can verify the previously used device as a token of the user’s possession.
These are only two among many possible examples of combinations of authentication methods to deliver adaptive authentication using both multi-factor and step-up authentication.
When it comes to Adaptive Authentication, there are several benefits for companies and users. Adaptive, also known as risk-based authentication, prevents low-risk activities from being a burden and prevents high-risk activities from being easy to hack. Context-based authentication analyses user behavior to configure appropriate security levels.
Here’s how adaptive authentication benefits organizations:
Risk-Based Authentication is a synonym for Adaptive Authentication.
Multi-Factor Authentication vs Adaptive Authentication
Adaptive Authentication enables you to apply different flexible strategies to different authentication scenarios based on a defined set of criteria. In contrast, standard MFA is static, meaning that Multi-Factor Authentication cannot be adapted depending on the circumstances.
MFA is a short process. It has a distinct beginning and end. Whereas, Adaptive Authentication is an ongoing process. It starts long before any user attempts to log in and does not end after the user gains access to an account.
Adaptive Authentication vs Machine Learning
It’s common for most risk-based authentication to use machine learning. The tools algorithms monitor and learn user behaviour over time to build an accurate profile of a given user’s login patterns. The machines may track devices, typical user login times, or usual work locations. They check IP address and network reputations, in addition to threat data for those networks.
Adaptive authentication assigns a risk score based on behaviour and context. They respond to the perceived risk based on the rules established by IT. These rules may vary by risk score, user role, location, device, etc. Artificial intelligence (AI) is used for advanced authentication and is evolving to monitor in real time, as well as identifying anomalies in the user’s authentication patterns or even threats in the authentication path.
More advanced adaptive authentication methods automatically adjust the authentication requirements based on the risk score and IT policies. This might require few or no additional challenges for users who have a low risk score. For a user with a high risk score , there might be multiple challenges such as one-time passwords and a phone call. Even more advanced solutions may even restrict or deny the user access based on the risk score based on pre configured IT policies.
Adaptive authentication is a type of multi-factor authentication that can be configured and deployed in a way that the identity service provider (IDP) system will select the right multiple authentication factors depending on a user’s risk profile and behavior.