Adaptive Multi-Factor Authentication is a method for using contextual information and business rules to determine which authentication factors to apply to a particular user in a particular situation. Businesses use Adaptive Authentication to balance security requirements with the user experience. Adaptive Authentication is often used in conjunction with Multi-Factor Authentication (MFA) and Single Sign-On solutions.
Adaptive Authentication solutions can step up/step down authentication methods based on a wide variety of contextual factors including:
- Consecutive login failures
- User account
- Geo-location (physical location)
- Geo-velocity (physical distance between consecutive login attempts)
- Attempted action
- Entity type (device type)
- 3rd-party threat intelligence data
- Day of week
- Time of day
- Operating system
- Source IP address
- User role
Adaptive Multi-Factor Authentication for Remote Workers
By way of example, consider an information worker who remotely accesses business applications hosted in an enterprise data center. Sometimes the employee works from home using a trusted computer and broadband connection. Other times the employee accesses the enterprise network while traveling using a laptop and a public WiFi connection. With Adaptive Multi-Factor Authentication, the corporate security organization can apply one set of controls when the employee is working from home and a different set of controls when the employee is traveling.
The first time the employee signs on from home, they are required to enter a username and password, as well as a one-time, short-lived SMS code sent to their mobile phone. Once the user provides the proper credentials and SMS code, trust is established. In the future, the employee can sign in from home (from the same IP address) using only their username and password.
When traveling (and accessing the enterprise network from an untrusted IP address), the employee is always required to provide two forms of identification—a username/password combination and an SMS code. In this example, the employee enjoys convenient access when working from home, with the added protection of Multi-Factor Authentication when working from the road.
Adaptive Multi-Factor Authentication for On-the-Go Users
Most Adaptive Authentication solutions support fine-grained policies to satisfy diverse business requirements. Consider a healthcare industry application as another example. In this scenario, doctors and nurses use shared hospital room computers to access electronic patient records and other healthcare systems. At the beginning of a shift, each clinician is required to enter a username/password combination and tap a proximity badge to access their healthcare applications. For the remainder of the shift, the clinician can log on using only the proximity badge.
This example also balances security and convenience. After initially signing on, Clinicians enjoy fast, one-tap access to in-room computers throughout the working day. If a clinician’s badge is lost or stolen, the hospital’s exposure is limited. (Single-factor authentication times out at the end of the shift, rendering the stolen badge useless.) To limit exposure even further, clinicians could be required to re-enter their credentials at regular intervals throughout the day, say every four hours.
Adaptive Multi-Factor Authentication for Role-Based Factors
Adaptive Authentication can also be used to apply different authentication factors based on role. Consider a point-of-sale terminal in a retail setting. A sales associate can log on to the terminal at the beginning of a shift using only a username and password. But an IT administrator logging on to the system to perform a software upgrade is required to provide a second form of evidence as an additional precaution.
User Behavioral Analytics
Leading Adaptive Authentication solutions use artificial intelligence (AI) and machine learning (ML) to analyze trends, identify suspicious activity, and automatically step-up/step-down authentication. AI-powered Adaptive Multi-Factor Authentication solutions monitor user activity over time to identify patterns, establish baseline user profiles, and detect anomalous behavior (login attempts at unusual hours, login attempts from unusual locations, login attempts from unknown devices, etc.). They assign risk scores to suspicious events and adjust authentication factors in real-time based on administratively defined policies. (For example, if the behavior is deemed low-risk, the user is allowed to sign on with just a username and password. If the behavior is deemed medium-risk, the user must also enter an SMS code. If the behavior is deemed high-risk, the user is denied access altogether.