Table of Content
- Understanding the crux of adaptive authentication
- Why do you need adaptive authentication?
- How does adaptive authentication work?
Cliche alert—change is the only constant; on that note, threats can keep changing or evolving, and you should be prepared to mitigate them no matter what.
We know that the predefined conditions required by usual authentication methods can become outdated. For instance, legacy authentication —which requires just a username and password to verify access requests, as used by protocols such as POP3 and NTLM—was once the big thing, but unfortunately, it's not only outdated, but you should also be blocking devices using it to access your organization's resources.
While there are modern authentication measures like MFA that are based on predefined policies like conditional access policies, it's trivial to have measures that adapt to risks as they are identified. Here's where adaptive authentication, or risk-based authentication , comes in, enabling you to secure resources while keeping potential risks and threats at bay .
It's important to note that adaptive authentication leverages the Zero Trust approach, and getting access to even your own resources might be a tough nut to crack. It can feel like you're biting the bullet, but you're actually dodging many bullets—known and unknown threats and attacks, not to mention even harmless forms of unauthorized access.
Understanding the crux of adaptive authentication
Adaptive authentication closely examines the risk levels of factors of an access request upon login and decides how it must be authenticated. These factors include:
- Location: Where has the request come from? If the request has been made from an unfamiliar area, the system can label it as suspicious or high risk. It may require an additional authentication factor or even block access.
- Device: How secure or vulnerable is the device used for the request or login? Is the device registered? If the device is vulnerable, access can be blocked, and logging in from an unknown device can trigger additional prompts for authorization.
- User behavior: The system monitors and examines patterns and/or routines with respect to a user's activities, including login and logout times and sequences related to their functions. Deviations from normal behavior can be a sign of potential security threats.
- Network: The network being used for the login attempt is also taken note of, if not monitored continuously. With Zero Trust, every component involved in logins and access requests is monitored. If you log in through your organization's Wi-Fi, you will have one or more authentication steps to get your login verified. But if you're doing so through your personal network, adaptive authentication can require verification through MFA, context-aware MFA, or biometrics.
Why do you need adaptive authentication?
Protecting from unauthorized access and enhancing security are the primary reasons for using different authentication methods. Another reason is preventing risks no one was prepared for, which is why it's also called risk-based authentication and follows the Zero Trust approach.
Let's step back a bit and think. What is the whole point of adaptive authentication, or methods like MFA, per se? To establish a Zero Trust environment. However, there are other reasons you'll want to implement adaptive authentication:
- Compliance: Regulatory compliance mandates organizations to enforce strong security measures, keeping in mind the need to avoid any threats and attacks. For instance, risk-based authentication supports the GDPR's principles of data protection by design and default, as mentioned in Article 25. It allows organizations to implement risk-based security measures according to assessed risk levels.Similarly, it also supports compliance with other regulations such as HIPAA, SOX, and the PCI DSS in terms of implementing risk-based measures to secure data.
- User experience: Adaptive authentication offers flexible options based on user preferences and risk levels, making it convenient to log in and access systems while also securing them. It's quite a win-win for remote work scenarios, since secure access to corporate resources is provided from various locations without compromising the user experience. Here, you do not have to feel guilty about the convenience since you can have the grass greener on both sides: strengthened security and a good user experience.
- Scalability and future-proofing: As we know, adaptive authentication works by adapting to risks to verify logins and requests, making it a dynamic framework. Speaking of adapting to risks, real-time risk assessments aid in deciding how logins should be authenticated. With continuous monitoring in place, adaptive authentication systems can scale to handle increasing volumes of authentication requests. Not to mention, they do so without compromising on efficiency and performance.
How does adaptive authentication work?
We know adaptive authentication examines the risk levels of a login attempt to decide whether it must be approved and to identify what and how many levels of authentication factors will be required. Doing all of that, of course, takes a few or more steps, and they are:
1) A user attempts to log in
When a user attempts to access a system or application, the authentication process begins.
2) Risk-based authentication gathers contextual information
Risk-based authentication collects various contextual factors about the login attempt, such as:
- The user's device type and characteristics
- The IP address and geolocation
- The time of access
- Network information
- User behavior patterns
3) Now, the risk assessment is done
The adaptive authentication engine analyzes the collected contextual information to assess the risk level of the login attempt. It compares the current login data with the user's typical behavior, such as when they usually log in and log out, and their patterns with respect to their daily functions or tasks.
4) Then, risk scoring begins
Based on the analysis, the system assigns a risk score to the login attempt.
But wait, what is a risk score? It's a number that tells you how malicious or suspicious a login attempt is. It reflects the probability of the attempt being legitimate or potentially breach-worthy.
5) Risk-based authentication decides how to authenticate
Using the risk score, the system determines the appropriate level of authentication required:
- Low-risk scenarios may only require a simple password.
- Medium-risk situations might prompt for additional factors, like a one-time password.
- High-risk attempts could trigger MFA or even block access.
6) The user is finally authenticated
Now that the authentication method has been decided, the user is prompted to authenticate themselves; this can range from entering one password or passcode to multiple MFA authenticators. That's an exaggeration, but authentication could include MFA and an additional layer of verification, if necessary.
7) Risk-based authentication doesn't stop there—time for continuous monitoring
The user's activities during and after the login are continuously monitored to detect any threats or suspicious activities. By doing so, you can avoid and mitigate security incidents as you detect them.