What is Adaptive Authentication?

Adaptive​‍​‌‍​‍‌​‍​‌‍​‍‌ authentication is a new development in the field of security gates that changes (increases or decreases) the level of security verification depending on the risk profile of the login attempt. Besides, it is not like ordinary Multi-Factor Authentication (MFA) that requires the same set of credentials every time.

Adaptive​‍​‌‍​‍‌​‍​‌‍​‍‌ authentication is a new development in the field of security gates that changes (increases or decreases) the level of security verification depending on the risk profile of the login attempt. Besides, it is not like ordinary Multi-Factor Authentication (MFA) that requires the same set of credentials every time.

The very essence of this system is the persistent risk evaluation mechanism. When a user is trying to access a resource, the system considers various “signals” or indicators. If the indications correspond to the normal behavior, the user can be given “passwordless” access. If the system identifies atypical activity, for example, a login from a different country, Step-Up Authentication may be requested.

Important elements of dynamic identity verification:

•   Evaluarea riscului: Gives each access request a numerical value (determined by the security policies in place).
•   Step-Up Challenges: Brings out biometrics or hardware tokens only when there is a rise in risk levels.
•   Monitorizare continuă: It involves session observation, including activity after login, which may detect session hijacking attempts.
•   Policy Engine: Enables custom norms setting based on application sensitivity by the administrators.

1.   Location Data: Is the network connection from a corporate office, a home IP address, or a location indicating unusual travel?
2.   Device Health: Is the device company-managed, does it have up-to-date antivirus software, or is it a “jailbroken” phone?
3.   Behavioral Biometrics: Does the typing speed, mouse movement, or navigation pattern correspond to the user’s historical data?
4.   Resource Sensitivity: Consider whether the user is accessing publicly available information, such as a lunch menu, or sensitive data, such as a financial database containing Social Security numbers.

Adaptive security may be suitable for environments where human and technical flexibilities are common.

•   Remote Work: The VPN access from coffee shops will be checked thoroughly, while those working in the office will be subjected to less scrutiny.
•   High-Risk Operations: Using biometric verification, only the users attempting to send large amounts of money or change the admin settings get prompted.
•   Cloud Applications: Protect external SaaS that are not under the corporate firewall traditionally.

Implementing​‍​‌‍​‍‌​‍​‌‍​‍‌ an adaptive model can’t happen overnight if you want to be sure that security policies won’t accidentally prevent productive users from accessing the system.

•   Classify your data and programs (according to how sensitive they are).
•   Let users be in “discovery mode,” where you can monitor their behavior for some time.
•   Set up risk policies: “if-then” leads the way (if the IP is new, then require a YubiKey).
•   Notify users about a reduction in prompts, but also manage expectations that prompts will still appear during travel or during initial device setup.

The option to upgrade your identity stack depends on your current risk exposure and whether your users are complaining that the current security is too restrictive.

The main reasons to decide:

•   Type of Users: Large, distributed teams may observe a correlation between reduced friction and their experiences.
•   Importance/Value of Data: Pivotal targets for attackers (such as Finance or Healthcare) require a combination of adaptive authentication and more trigger points.
•   Funds: Make sure that a modern Gestionarea identității și a accesului (IAM) solution can be afforded.