What is Adaptive Authentication and Authorization?

Modern cyber threats require dynamic and evolving security countermeasures, especially regarding authentication.

What is adaptive authentication? It is a dynamic, risk-based approach to authentication that can use real-time information to guard against system breaches.

How Does Adaptive Authentication Work?

Adaptive authentication is an approach to identity verification that relies on risk assessments of users and their activity to determine whether or not to allow access. Furthermore, adaptive authentication enables systems to dynamically assign specific types of authentication to users based on several criteria, increasing security in response to real-time events.

The goal? To address the ever-evolving challenges of identity fraud and authentication that can threaten sensitive IT systems. In many contexts, authentication is seen as a one-time activity: the user seeks to enter a system or a sub-system, and the security infrastructure requires that users provide credentials to identify themselves.

There are some limitations to this approach. For example, if an employee’s work credentials are stolen due to a phishing attack, then any authentication requirements will prove largely useless.

Adaptive authentication attempts to solve this problem by addressing some of the limitations of traditional authentication through a specific set of features:

  • Risk Profiles: Adaptive authentication relies on evaluating risk in a system and applying criteria to that risk to determine authentication results. In extremely simplistic authentication schemes, the system may assign access requests high, medium, or low risk profiles based on specific criteria.

Based on these profiles, the authentication system may require different verification forms (biometrics, PINs, etc.) or automatically reject the request.

  • Real-Time Assessments: These risk profiles and evaluations are conducted in real time. That is, the approach to risk does not rely solely on prior knowledge of an account or user. Instead, the system can compile information regarding risk categories and apply it to specific user requests as they happen.
  • Automated Decision-Making: To build more sophisticated authentication systems, risk-based systems will use machine learning and AI to monitor user and system activity to apply risk profiles dynamically.

AI can learn from these activities and risk profiles and more effectively and securely apply different authentication requirements to specific requests… if not outright denying them due to risk.

  • Trust: Trust is a significant factor in adaptive authentication… by assuming different levels of risk, an organization can then define who they trust and how they develop that trust. Furthermore, zero-trust security schemes can leverage adaptive authentication to strengthen their underlying security without relying entirely on standard authentication.

To summarize, adaptive authentication is a more sophisticated and nuanced approach to identity verification that addresses some of the limitations of traditional and multi-factor authentication.

What Are Some Risk Factors Used in Adaptive Authentication?

Adaptive authentication can use several approaches to monitoring and identifying risk in an authentication system. These approaches provide sufficient information for any risk-scanning or AI system to decide how, or even if, to allow users to authenticate themselves.

Some of these factors include:

  • Location: If a user attempts to access system resources from a specific city, state, or country, then risk-based authentication can take steps to require additional identification factors to mitigate fraud. Once the user is verified, the system can include their location information in a directory of accepted locations for authentication.
  • Behaviors: Dynamic systems can monitor user behaviors, including purchases made, files or resources accessed, or login attempts to influence risk profiles. If a user’s account behaves in ways that align with fraudulent activities, the system can automatically require additional authentication or outright reject the user’s access.
  • Attributes: Attributes are more static than dynamic and require administrators to set policies around account information. These attributes can include roles, permissions, or devices used to attempt access.
  • Risk: The authentication system can combine the above-listed criteria with the sensitivity of the resource being accessed to determine specific risk attributes used to specify authentication requirements.

What Are Some Examples of Adaptive Authentication?

By applying these risk factors and deciding on risk and authentication, an adaptive authentication system can apply different factors of authentication not only to a specific user, but to a user based on the actual request being made.

  • Low Risk: If a user has previously authenticated with the system, it may consider their subsequent verifications low risk. For example, suppose the user has verified and authenticated a device like a work laptop, and they attempt to access system resources using that laptop. In that case, the system may only require a PIN or password.
  • Medium Risk: If the system determines that the user request poses a moderate risk, the authentication system may require some factor of MFA in the form of a biometric scan or a one-time password over SMS.
  • High Risk: The system picks up on a user account raising red flags. This could mean a combination of repeated bad authentication attempts, changes to core account information, or account access from a non-standard IP address or geographic location.

At this point, the system might read these activities as signs of fraud and deny further authentication from that account. Follow-up action might include direct contact with the user, a reset of login credentials, and verification of MFA.

In any of these cases, the utility of adaptive authentication is in assessing these factors and providing appropriate security measures.
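The risk factors and the low, medium and high tiers described above can be combined into a small policy function. The following is an added example, not code from 1Kosmos or any product; the weights, thresholds, sensitivity multipliers and all names are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field

# Weights, thresholds and multipliers are illustrative assumptions.
NEW_DEVICE, NEW_LOCATION, ACCOUNT_CHANGED, PER_FAILED_LOGIN = 30, 25, 20, 10
SENSITIVITY = {"low": 0.5, "normal": 1.0, "high": 1.5}
MFA_THRESHOLD, DENY_THRESHOLD = 25, 70

@dataclass
class Profile:                      # what the system already trusts for a user
    trusted_devices: set = field(default_factory=set)
    accepted_countries: set = field(default_factory=set)

@dataclass
class Request:                      # one access attempt, evaluated in real time
    device_id: str
    country: str
    failed_logins: int = 0          # recent bad authentication attempts
    account_changed: bool = False   # core account info changed recently
    sensitivity: str = "normal"     # sensitivity of the requested resource

def risk_score(req, profile):
    score = 0
    if req.device_id not in profile.trusted_devices:
        score += NEW_DEVICE
    if req.country not in profile.accepted_countries:
        score += NEW_LOCATION
    if req.account_changed:
        score += ACCOUNT_CHANGED
    score += min(req.failed_logins, 5) * PER_FAILED_LOGIN
    # Unknown sensitivity labels fail closed: treat them as "high".
    return score * SENSITIVITY.get(req.sensitivity, SENSITIVITY["high"])

def decide(req, profile):
    score = risk_score(req, profile)
    if score >= DENY_THRESHOLD:
        return "deny"               # high risk: reject, follow up out of band
    if score >= MFA_THRESHOLD:
        return "mfa"                # medium risk: step up
    return "password"               # low risk: PIN or password only

def record_success(req, profile, decision):
    # Enroll a new location/device only after a successful MFA step-up,
    # so a stolen password alone cannot widen the trusted set.
    if decision == "mfa":
        profile.trusted_devices.add(req.device_id)
        profile.accepted_countries.add(req.country)
```

Call `record_success` only after the user has actually passed the challenge that `decide` returned; the same request from the newly accepted location then scores as low risk.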

What Are the Benefits of Adaptive Authentication?

Any evolution in security technology will come with some benefits, and adaptive authentication is no different. Specifically, adaptive authentication provides a level of flexibility and adaptability that can only be achieved through intelligent, risk-based security systems.

Some of the key benefits of adaptive authentication include:

  • Frictionless Authentication: Adaptive authentication can provide organizations with a way to streamline identity verification for trusted users and devices. While this approach might throw up more challenges for non-standard or unrecognized devices or user variables, it also allows for streamlined authentication for trusted users.
  • Sophisticated Risk Management: With a smart risk assessment system (and even some AI capabilities), adaptive authentication provides a more sophisticated approach to resource access versus static policies and complex, role-based schemes.
  • Up-to-Date Security Policies: Adaptive authentication can better adjust to a shifting security landscape. Instead of building new security policies and access schemes, this approach can better adjust to new vulnerabilities or attacks based on behavioral criteria.
  • Easy Bring-Your-Own-Device (BYOD): Smart adaptive systems can adjust to different devices, applying new and evolving policies around mobile, desktop, and IoT devices seeking access to network resources. Following that, the system can apply different levels of security to each to ensure secure access.

1Kosmos and Passwordless Security for Strong Authentication

To bolster a comprehensive authentication scheme that relies on adaptive authentication, you need a foundation of features that you can deploy based on assessed security risks. Strong MFA, biometrics, passwordless security, and decentralized identity management allow an adaptive system to utilize different levels of risk-based authentication security. And, 1Kosmos BlockID brings all of these to the table.

With 1Kosmos BlockID, you get the following features:

  • SIM Binding: The BlockID application uses SMS verification, identity proofing, and SIM card authentication to create solid, robust, and secure device authentication from any employee’s phone.
  • Identity-Based Authentication: We push biometrics and authentication into a new “who you are” paradigm. BlockID uses biometrics to identify individuals, not devices, through credential triangulation and identity verification.
  • Cloud-Native Architecture: Flexible and scalable cloud architecture makes it simple to build applications using our standard API and SDK.
  • Identity Proofing: BlockID verifies identity anywhere, anytime and on any device with over 99% accuracy.
  • Privacy by Design: Embedding privacy into the design of our ecosystem is a core principle of 1Kosmos. We protect personally identifiable information in a distributed identity architecture and the encrypted data is only accessible by the user.
  • Private and Permissioned Blockchain: 1Kosmos protects personally identifiable information in a private and permissioned blockchain and encrypts digital identities, which are only accessible by the user. The distributed properties ensure there are no databases to breach or honeypots for hackers to target.
  • Interoperability: BlockID can readily integrate with existing infrastructure through its 50+ out-of-the-box integrations or via API/SDK.

Learn more about 1Kosmos Authenticators and how they can support adaptive authentication deployments.

Meet the Author

Javed Shah

Former Senior Vice President Of Product Management

Javed has spent his entire twenty-year career designing and building blockchain and identity management solutions. He has led large customer-facing pre-sales teams and led product management for identity management platforms like the ForgeRock Identity Platform and the ForgeRock Identity Cloud. Javed has an MBA from UC Berkeley.