What is adaptive authentication?
Andy Zindel
Adaptive authentication is a multi-factor authentication method that can be configured based on factors such as location, user risk profile, device status, and user behavior. This enables an identity provider (IDP) to dynamically adjust the authentication requirements based on these factors during user login.
There are three ways that adaptive authentication could be configured depending on the IDP’s capabilities:
- One can set static policies defining risk levels for different factors, such as user role, resource importance, location, time of day, or day of the week.
- The system can learn the typical activities of users based on their tendencies over time. This learned form of adaptive authentication is similar to behavioral correlation.
- A combination of both static and dynamic policies.
A sophisticated adaptive authentication IDP system should provide more than just the use of OTP tokens like RSA SecurID, Symantec VIP, or similar (so you are not subject to the annoyance with display tokens described below). It should support MFA through:
- Email verification
- SMS / text verification
- A phone call to predefined numbers
- Mobile push notification to trusted mobile device
- Smart Cards
- Derived Credentials
- OTP tokens
Regardless of how you would define your corporate risk levels, adaptive authentication should adapt to that risk level and present the appropriate level of authentication for the given level of risk. Unlike standard, one-size-fits-all authentication elevation, it avoids making low-risk activities inappropriately burdensome or high-risk activities too easy to hack.
Not all MFA solutions are created equal
Adaptive authentication should look at the following:
- Device profile: What system is the request coming from? Is this a system I have seen before? Is this a corporate-issued device?
- Location awareness: Where is this request coming from? Is it a “risky” IP address range or a “risky” country? How did the user get from San Francisco to some other country in one hour? This isn’t the usual location from which this user logs on.
- User behavior: Why is the user accessing those servers/applications/data? The user has never done that before.
Adaptive authentication recognizes that authentication elevation is part of a continuous process of managing access to applications and resources. Instead of evaluating risk and elevating authentication only once, at login, the system evaluates them continuously while the user accesses information, deciding for each request for a resource, transaction, or interaction whether to allow it or to elevate the authentication and challenge for additional factors. If suspicious behavior is detected at any point in time, the user should be prompted then and there to provide an additional factor of authentication.
Identity automation with adaptive authentication policies is part of a broader multi-factor authentication approach for all your applications and resources. This strategy is the most secure way of managing identities and access to your corporate applications, network, and resources, because with adaptive authentication you make low-risk activities easy and protect high-risk activities with OTP MFA. The result is a “happier” user base, all while protecting your enterprise.
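As an added illustration (not code from the original article or any particular IDP), the following Python risk engine combines a static policy (resource importance, business hours, risky countries) with a learned per-user baseline (known devices, usual countries, time and place of the last login) to produce the allow / step-up / deny decision the sections above describe; the weights, thresholds, placeholder country code "ZZ" and sample user data are all constructed for the example, and `decide()` can be run on every resource request, not only at login.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
@dataclass
class LoginRequest:
    resource: str     # application or data being requested
    device_id: str
    country: str      # country derived from the source IP address
    when: datetime    # request time (UTC)

@dataclass
class UserBaseline:   # learned profile of the user's normal activity (the dynamic part)
    known_devices: set
    usual_countries: set
    last_country: str
    last_login: datetime

# Static policy (constructed weights): resource importance, time of day, location.
HIGH_VALUE_RESOURCES = {"payroll", "hr-db"}
RISKY_COUNTRIES = {"ZZ"}  # placeholder code, not a real country

def risk_score(req, base):
    """Combine static policy with the learned baseline; return (score, reasons)."""
    hits = []
    if req.resource in HIGH_VALUE_RESOURCES:
        hits.append(("high-value resource", 2))
    if req.when.weekday() >= 5 or not 7 <= req.when.hour < 19:
        hits.append(("outside business hours", 1))
    if req.device_id not in base.known_devices:
        hits.append(("unknown device", 2))
    if req.country in RISKY_COUNTRIES:
        hits.append(("risky country", 3))
    elif req.country not in base.usual_countries:
        hits.append(("unusual country", 1))
    if req.country != base.last_country and req.when - base.last_login < timedelta(hours=1):
        hits.append(("impossible travel", 3))  # another country within an hour of the last login
    return sum(w for _, w in hits), [r for r, _ in hits]

def decide(req, base):
    """Map the score to an action: allow, step-up (challenge for another factor) or deny."""
    score, reasons = risk_score(req, base)
    return ("deny" if score >= 6 else "step-up" if score >= 2 else "allow"), reasons

# Constructed sample: one user, three requests half an hour after a login from the US.
SAMPLE_BASELINE = UserBaseline({"laptop-01"}, {"US"}, "US", datetime(2024, 3, 5, 9, 0))
SAMPLE_REQUESTS = {
    "normal": LoginRequest("wiki", "laptop-01", "US", datetime(2024, 3, 5, 9, 30)),
    "sensitive": LoginRequest("payroll", "laptop-01", "US", datetime(2024, 3, 5, 9, 30)),
    "travel": LoginRequest("payroll", "phone-99", "DE", datetime(2024, 3, 5, 9, 30)),
}
```

The "travel" request trips the impossible-travel rule on top of an unknown device and a high-value resource, so it is denied outright, while the same user reaching payroll from a known device only gets a step-up challenge.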
Why should you care about adaptive authentication?
In today’s IT world, relying on a simple username and password authentication is not enough to protect critical business data and systems against the growing number of sophisticated cyber attacks.
Just do a quick search online to get an idea of how expensive a hack can be and how sophisticated attacks have become. That ever-growing number of compromised enterprises is clearly asking for systems that do not allow access to business applications and data with a simple username and password login.
For a long time now, there have been mechanisms that IT can use to protect against such “simple” break-ins. Multi-Factor Authentication (MFA) is the name of the game. MFA gives you the ability to protect access to your enterprise information.
With MFA, users must provide at least two “factors” when they access applications, networks, and resources. Also, most commonly, one of the two factors is a one-time password (OTP) that cannot be used a second time. MFA implementations use a combination of the following factors:
- Something you know, such as a username, password, PIN, or the answer to a security question.
- Something you have, such as a smartphone, one-time password token, or smart card.
- Something you are, such as biometrics like your fingerprint, retina scan, or voice recognition.
However, at the same time, we all remember (or are still subject to) having used an RSA SecurID, Symantec VIP, or similar token. You have to type in the code, which is displayed for only 30 seconds, and if you do not type it in fast enough, your authentication fails and you have to start all over again.
Also, you may not have the token with you when you need it most, which raises the question: isn’t there a better way to do this? That is where adaptive authentication with a sophisticated MFA solution comes in.