What is adaptive multi-factor authentication?

Adaptive Multi-Factor Authentication (Adaptive MFA) is a security method that evaluates contextual factors before prompting the user to verify their identity with additional authentication. Unlike standard MFA, adaptive MFA only challenges users when contextual indicators, such as device type, location or behavior, deviate from their normal patterns. Adaptive MFA helps protect online accounts while simplifying the login process for trusted users.

How adaptive MFA works

Adaptive MFA analyzes real-time security risks using contextual data to determine whether a login attempt is legitimate and which authentication requirements to apply. When a user attempts to log in, the system evaluates data points like the user’s IP address, geographic location and time of access against their usual behavior. Based on the results, the system assigns a risk score to the login attempt. The resulting risk levels, and the authentication each one requires, are:

  • Low risk: If the login attempt matches the user’s typical behavior, they may only need to enter their username and password to gain access.
  • Medium risk: If the user logs in from a new device or at an unusual time, they may be prompted to verify their identity with an additional step, like a One-Time Password (OTP).
  • High risk: If the system detects multiple anomalies, like a login from an unfamiliar location or a suspicious IP address, the user may need to use stronger authentication methods, such as biometrics, or access will be denied.

For example, if a user usually logs in from a laptop in New York during business hours, a login attempt from a mobile device in Australia at 3:00 AM would be considered high risk. The system might require both an OTP and biometric authentication, and access would be blocked if the user cannot meet the requirements.
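The scoring logic described above, written out as an added illustration (not code from the original article or from any vendor): each deviation from the user's learned baseline adds weight, the total maps to a low/medium/high tier, and the tier decides which factors must be completed before access is allowed. The weights, thresholds, field names and the sample baseline are all constructed assumptions.

```python
from dataclasses import dataclass

# Constructed sample data: a user's learned baseline and the login context
# evaluated against it. Names, weights and thresholds are assumptions, not a vendor's.
@dataclass
class Baseline:
    countries: set
    device_types: set
    usual_hours: range        # local hours in which the user normally logs in

@dataclass
class LoginAttempt:
    country: str
    device_type: str
    hour: int                 # local hour of the attempt, 0-23
    ip_suspicious: bool       # e.g. flagged by an IP reputation feed (assumed input)

# Each deviation from the baseline adds weight; thresholds map the sum to a tier.
WEIGHTS = {"new_country": 40, "new_device": 25, "unusual_time": 20, "suspicious_ip": 40}
MEDIUM_THRESHOLD = 25
HIGH_THRESHOLD = 60

def anomalies(attempt: LoginAttempt, baseline: Baseline) -> list:
    found = []
    if attempt.country not in baseline.countries:
        found.append("new_country")
    if attempt.device_type not in baseline.device_types:
        found.append("new_device")
    if attempt.hour not in baseline.usual_hours:
        found.append("unusual_time")
    if attempt.ip_suspicious:
        found.append("suspicious_ip")
    return found

def risk_score(attempt: LoginAttempt, baseline: Baseline) -> int:
    return sum(WEIGHTS[a] for a in anomalies(attempt, baseline))

def risk_level(score: int) -> str:
    if score >= HIGH_THRESHOLD:
        return "high"
    return "medium" if score >= MEDIUM_THRESHOLD else "low"

# Required factors per tier: password only, password + OTP, or password + OTP + biometric.
REQUIRED = {"low": ("password",), "medium": ("password", "otp"),
            "high": ("password", "otp", "biometric")}

def decide(attempt: LoginAttempt, baseline: Baseline, completed: set) -> str:
    # Allow only if every factor demanded for the attempt's tier was completed.
    level = risk_level(risk_score(attempt, baseline))
    return "allow" if set(REQUIRED[level]) <= completed else "deny"

# Baseline from the article's scenario: laptop in New York during business hours.
NY_USER = Baseline({"US"}, {"laptop"}, range(9, 18))
FAMILIAR = LoginAttempt("US", "laptop", 10, False)
ANOMALOUS = LoginAttempt("AU", "mobile", 3, False)    # Australia, 3:00 AM, new device
```

A real deployment would learn the baseline from login history and feed it richer signals (IP reputation, impossible-travel checks), but the decision structure stays the same.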

MFA vs adaptive MFA

Traditional Multi-Factor Authentication (MFA) requires users to verify their identity by using two or more authentication methods. Typically, MFA requires something the user knows (like a password), something they have (like an OTP) or something they are (like a fingerprint). MFA applies the same set of predetermined authentication steps to all users, regardless of their risk level or contextual data.

Adaptive Multi-Factor Authentication extends this by using contextual risk assessments to determine the necessary level of authentication. Low-risk users experience fewer prompts, improving usability, while high-risk attempts trigger stronger security measures.

Comparison of MFA and adaptive MFA:

Authentication method
  • MFA: Same steps for all users
  • Adaptive MFA: Dynamic steps based on context and risk level
Flexibility
  • MFA: Applies fixed rules to all login attempts
  • Adaptive MFA: Adapts to each login scenario
Risk assessment
  • MFA: Not included
  • Adaptive MFA: Built-in, using contextual data to analyze risk
Use cases
  • MFA: Ideal for basic environments with consistent user access behavior
  • Adaptive MFA: Ideal for dynamic environments that require both convenience and advanced security measures

Benefits of adaptive MFA

Adaptive MFA offers several advantages to organizations, especially compared to traditional MFA, by focusing on context. Here are the ways adaptive MFA enhances security while reducing friction for trusted users.

Improved security

Traditional MFA works in tandem with static credentials like passwords and PINs, which are more vulnerable to phishing attacks and credential theft. With adaptive MFA, login attempts are evaluated in real time to identify suspicious activity and apply stronger authentication steps when necessary. If a login attempt is too unusual and the user doesn’t provide the required authentication, access will be blocked entirely, protecting sensitive data from unauthorized users.

Better user experience

When a user is identified as low risk by logging in from a familiar location or device, they will face fewer MFA prompts. This expedited login experience allows trusted users to access their accounts more quickly without having to verify their identity unnecessarily. By requiring stronger authentication only when necessary, adaptive MFA provides a less frustrating login experience without jeopardizing security.

Reduced operational costs

With fewer unnecessary authentication prompts, users are less likely to forget their credentials, resulting in fewer IT help desk tickets. Adaptive MFA helps organizations save time and money by minimizing password reset requests and reducing the number of account lockouts caused by strict authentication processes.

How to implement adaptive MFA

Here are the main steps to successfully implement adaptive MFA in your organization:

  1. Evaluate business needs: Determine where adaptive MFA is needed most based on your organization’s security requirements, user roles and access levels. Prioritize systems that handle sensitive data, have privileged accounts or are more likely to be targeted with cyber attacks.
  2. Choose a provider: Select a trusted adaptive MFA provider that suits your infrastructure and security requirements. Some popular choices include Microsoft Entra ID and Duo Security.
  3. Define contextual risk policies: Set clear rules to categorize login attempts as low, medium or high risk. Identify which contextual factors (IP address, device, behavior, etc.) should trigger further authentication requirements.
  4. Integrate with existing systems: Ensure whichever solution you choose is compatible with your current IT environment, including Single Sign-On (SSO) platforms, Identity Providers (IdPs) and Virtual Private Networks (VPNs).
  5. Run a pilot: Test your adaptive MFA setup with a small group of users before deploying it to the rest of your organization. Observe how the risk scoring system works and validate that the appropriate authentication steps are applied based on context.
  6. Educate users: Explain why adaptive MFA is being implemented and its benefits to all employees. It’s important to prepare users for any changes that may occur during their login experience to avoid unnecessary frustration or disruptions.
  7. Monitor and optimize: Regularly review audit logs to see if policies need to be updated based on user behavior. Use data to adjust triggers and improve the accuracy of risk levels.