v

The rise of adaptive authentication

Sachin Raaghav

Apr 2010 min read

Book Demo

Table of Content

Read more
  • 5 pain points you can overcome in AD user account management  
    Manual vs. automated identity life cycle management  
    Active Directory clean-up: Should you automate it?  
  • Maintain confidentiality of critical information by implementing the POLP  
    6 essential capabilities of a modern UBA solution  
    How can SSO help in reinforcing password security?  
  • Authentication vs. authorization  
    5 simple steps to HIPAA compliance  
    Smart strategies to provision and de-provision Active Directory  

The rise of adaptive authentication

Organizations have long realized that using usernames and passwords alone to confirm users' identities is tedious and not secure. Today, with threat actors discovering new ways to compromise user accounts, organizations need to stay ahead by establishing a Zero Trust environment to safeguard their networks. However, following through on a planned implementation can be challenging.

"Trust no one and verify everything" is one of the key concepts of Zero Trust architecture. A Zero Trust environment could create friction for users since additional authentication layers, such as multi-factor authentication (MFA), are necessary. To reduce this friction, organizations can implement adaptive authentication, a context-based authentication approach that does not require users to further confirm their identities when it is not necessary.

What is adaptive authentication?

Adaptive authentication, commonly known as risk-based authentication, is a security process of verifying the identity of a user who requires access to their organization’s resources. Adaptive authentication is a type of MFA in which the authentication factors adapt to the user’s risk profile. In other words, adaptive authentication involves selecting the right authentication mechanisms depending on the user’s risk profile and behavior.

Scenario 1: If an employee tries to access resources via their organization’s Wi-Fi, they may only be prompted for their user credentials.

Scenario 2: If an employee tries to access their organization’s resources through a public Wi-Fi connection, they may be prompted to enter their credentials and an OTP sent to their corporate email.

The above scenarios show that the authentication factors change according to the user's Wi-Fi connection. An organization's Wi-Fi network is constantly monitored by IT admins, so its risk factor is low. In contrast, a public Wi-Fi connection is prone to cyberattacks, so its risk factor is high. Additional authentication methods, such as fingerprints and OTPs, are used for higher risk factors.

How does adaptive authentication work?

Adaptive authentication solutions use machine learning to examine how a user interacts with their organization's resources and to build a user risk profile based on the user's behavior and the organization's security policies.

Step 1: Adaptive authentication solutions collect data on a user's situation and behavior. This data is used to create the user's risk profile.

Step 2: Every time the user sends a request for authentication, that request is analyzed and a risk score is generated.

Step 3: Data from multiple requests is collected, and the risk scores are added to the user's risk profile.

Step 4: A baseline is produced based on the overall data from the user's risk profile. This baseline is used as a reference to identify anomalous activities. Activities that deviate from the baseline (normal behavior) are considered to be anomalous.

Step 5: After the baseline has been established, whether the user requires any additional authentication steps to access a resource depends on their risk score.

Ways to deploy adaptive authentication

  • IT administrators can create static policies that define risk levels based on various factors, such as the:
    • User's roles.
    • User's geolocation.
    • Wi-Fi connection.
    • Time of day.
    • User's privileges.
  • Dynamic policies can be created with the help of machine learning. The process of selecting an appropriate authentication method based on the level of risk will be automated.
  • A hybrid model of both static and dynamic policies can be implemented.

Benefits of adaptive authentication

Robust data security

Enabling adaptive authentication helps in risk analysis by reducing the possibility of an unauthorized user gaining access to sensitive data. With AD360's self-service password management, advanced MFA options, and single sign-on solution, admins can mitigate password attacks and provide a better user experience.

Flexibility

Adaptive authentication solutions are flexible when it comes to selecting the appropriate authentication process for the given risk score. For example, wherever necessary, adaptive authentication solutions replace password authentication with biometrics, making the whole process fast and simple. To minimize user disturbances, AD360 allows administrators to apply alternative authentication protocols to different groups of users. Administrators can impose OTPs, tokens, or security questions for one set of users while configuring stricter authentication approaches like fingerprint or Face ID authentication for another set of users.

Fraud prevention

Threat actors execute dictionary and brute-force attacks to compromise user accounts. Adaptive authentication prevents account compromise by choosing another authentication factor such as the user's fingerprint, which is difficult to bypass. For example, an online bank transaction requires multiple layers of authentication, such as PINs and OTPs, that make it challenging for threat actors to breach.

API integrations

An application programming interface (API) is a software intermediary that allows two applications to communicate with each other. Adaptive authentication APIs can be integrated into an organization's applications or devices, providing an additional layer of security.

A better user experience

Adaptive authentication offers a better user experience. For example, it is frustrating for a user to remember a list of verification codes in order to access their cloud application. Instead, an adaptive authentication solution might choose a simpler option like an authenticator app to verify the user's request. The authenticator app generates a code every time the user sends a request. The code expires after a short period, making the whole process secure.

The use of only usernames and passwords for authenticating users makes the entire security system vulnerable to cyberattacks. Furthermore, MFA appears ineffectual in some cases where the risk is significant, necessitating the use of a more rigorous security method. Adaptive authentication solves these problems by providing flexibility, a better user experience, and robust security. By making authentication easier yet more secure, it is the middle ground for both employees and administrators.