What is Adaptive Authentication?

March 20, 2017

Adaptive Authentication: Why Should You Care?


Before going into what adaptive authentication is, I want to answer why you should care. In today’s IT world, relying on simple username and password authentication is not enough to protect critical business data and systems against the growing number of sophisticated cyber attacks. Just do a quick search online or have a look at one of my previous blogs, "How Much Does It Cost to Protect an Organization from Cybercrime?" to get an idea of how expensive a hack can be and how sophisticated attacks have become. That ever-growing number of compromised enterprises clearly calls for systems that do not allow access to business applications and data with a simple username and password logon. For a long time now, there have been mechanisms that IT can use to protect against such “simple” break-ins. Multi-factor authentication (MFA) is the name of the game. MFA gives you the ability to protect access to your enterprise information.

With MFA, users must provide at least two “factors” when they access applications, networks and resources. Most commonly, one of the two factors is a one-time password (OTP) that cannot be used a second time. MFA implementations use a combination of the following factors:

  • Something you know, such as a username, password, PIN, or the answer to a security question.
  • Something you have, such as a smartphone, one-time pass token, or smart card.
  • Something you are, biometrics like your fingerprint, retina scans, or voice recognition.

However, at the same time we all remember having used (or are still subject to) an RSA SecurID, Symantec VIP or similar token. With these, you have to type in a code that is displayed for only 30 seconds, and if you do not type it in fast enough your authentication fails, which means you have to start all over again. Also, you do not have the token with you when you need it most: you forgot it in the car, at home, at grandma’s house over Thanksgiving, or, or, or… We all have been there. That begs the question… Does it have to be that difficult? Isn’t there a better way of doing this? That’s where adaptive authentication with a sophisticated MFA solution comes in.

What is Adaptive Authentication?

Adaptive authentication is a type of multi-factor authentication that can be configured and deployed so that the identity service provider (IDP) system selects the right authentication factors depending on a user’s risk profile and behavior. In other words, it adapts the type of authentication to the situation.

There are three ways that adaptive authentication could be configured depending on the IDP’s capabilities:

  1. One can set static policies defining risk levels for different factors, such as user role, resource importance, location, time of day or day of week.
  2. The system can learn the typical activities of users based on their tendencies over time. This learned form of adaptive authentication is similar to behavioral correlation.
  3. A combination of both static and dynamic policies.

A sophisticated adaptive authentication IDP system should also provide more than just OTP tokens like RSA SecurID, Symantec VIP or similar (so you are not subject to the previously mentioned annoyance with display tokens). It should support MFA through:

  • Email verification
  • SMS / text verification
  • Phone call to predefined numbers
  • Mobile push notification to trusted mobile device
  • Smart Cards
  • Derived Credentials
  • OTP tokens

Regardless of how you would define your corporate risk levels, adaptive authentication should adapt to that risk level and present the appropriate level of authentication for the given level of risk. Unlike standard, one-size-fits-all authentication elevation, it avoids making low-risk activities inappropriately burdensome or high-risk activities too easy to hack.

Adaptive authentication should look at the following…

  • Device Profile: What system is the request coming from? Is this a system I have seen before, is this a corporate issued device?
  • Location Awareness: Where is this request coming from, is this a “risky” IP address range, is this coming from a “risky” country? How did the user get from San Francisco to some other country in one hour? This isn’t the usual location from which this user is logging on.
  • User Behavior: Why is the user accessing those servers / applications / data? He has never done that before.
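The three signals above, combined with a static policy, can be sketched as a per-request risk check. This is an added example, not code from the original post or from any vendor's product; the weights, thresholds, the `MAX_KMH` ceiling, the `payroll-db` resource name and the factor labels are all assumptions chosen for illustration.

```python
import math
from dataclasses import dataclass

@dataclass
class Profile:            # what the IDP has learned about the user (constructed)
    known_devices: set
    used_resources: set
    last_lat: float
    last_lon: float
    last_ts: float        # epoch seconds of the last accepted request

@dataclass
class Request:
    device_id: str
    resource: str
    lat: float
    lon: float
    ts: float

MAX_KMH = 900.0               # assumed ceiling: roughly airliner speed
SENSITIVE = {"payroll-db"}    # assumed high-importance resources

def km_between(lat1, lon1, lat2, lon2):
    """Great-circle (haversine) distance in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    a = (math.sin((p2 - p1) / 2) ** 2 + math.cos(p1) * math.cos(p2)
         * math.sin(math.radians(lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def risk_signals(req, prof):
    """Return (score, reasons) from device, location and behaviour signals."""
    hits = []
    if req.device_id not in prof.known_devices:
        hits.append((30, "unknown device"))
    hours = max((req.ts - prof.last_ts) / 3600.0, 1e-6)   # avoid divide-by-zero
    if km_between(prof.last_lat, prof.last_lon, req.lat, req.lon) / hours > MAX_KMH:
        hits.append((50, "impossible travel"))
    if req.resource not in prof.used_resources:
        hits.append((20, "first access to resource"))
    if req.resource in SENSITIVE:
        hits.append((20, "sensitive resource"))
    return sum(w for w, _ in hits), [r for _, r in hits]

def required_auth(req, prof):
    """Called on every request, not only at logon: map risk to a factor."""
    score, reasons = risk_signals(req, prof)
    if score >= 70:
        return "otp_token", reasons
    if score >= 30:
        return "push_notification", reasons
    return "password_only", reasons
```

Returning the reasons alongside the decision lets the IDP log why a step-up was triggered, which is what an analyst needs when tuning the weights.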

Adaptive authentication is the recognition that authentication elevation is part of a continuous process of managing access to applications and resources. Instead of applying risk evaluation and elevation only once, during the authentication process, risk is evaluated continuously while the user accesses information. Each evaluation determines whether to allow a request for a resource, transaction or interaction, or to elevate the authentication and challenge for additional authentication factors. If suspicious behavior is detected at any point in time, the system should prompt the user then and there to provide an additional factor of authentication.

Identity Automation with adaptive authentication policies is part of a broader multi-factor authentication approach for all your applications and resources. This strategy is the most secure way of managing identities and access to your corporate applications, network and resources, because with adaptive authentication you make low-risk activities easy and high-risk activities protected by OTP MFA. The result is a “happier” user force, all the while protecting your enterprise.

To learn more visit:

Centrify Risk-based Access Control

Centrify and Yubico 

Centrify Multi-factor Authentication  

This is written by the individual author in his/her personal capacity, and the opinions, views and/or thoughts expressed herein are solely the author’s own. They are not intended to and may not necessarily reflect the official policy or position, or the opinions or views of ThycoticCentrify or its affiliates, employees, or any other group or individual.