Authentication remains a significant weak point in most organizations' security posture. Even individuals without technical expertise can easily acquire and use pre-made attack tools. Microsoft, for instance, reports fending off around 1,000 password attacks every second, and more than 24 billion username and password pairs are available for purchase on the dark web, sustaining the constant onslaught of credential-based attacks.
Security teams have added measures like multi-factor authentication (MFA) to deter attackers. However, several MFA methods, including push notifications and one-time passwords (OTPs), are easy to circumvent: push prompts can be worn down by "MFA fatigue" bombing, and OTPs can be captured and replayed by a real-time phishing proxy. Adaptive authentication is a promising advancement that uses a range of signals to make a risk-based evaluation of what authentication a request requires.
In this blog, we’ll delve into adaptive authentication, exploring how it is deployed and how it can enhance your authentication security.
Adaptive authentication, also known as risk-based authentication, is an intelligent system that dynamically determines when to step up authentication and request additional factors to prove identity. The system makes a risk-based assessment of what level of authentication must be provided for each request, moving towards continuous assessment rather than a user simply authenticating once at the start of a session.
A common example of adaptive authentication is a banking application, where users can freely view their account balance but may be asked for additional factors if they want to initiate a transfer. Likewise, within an enterprise setting, a risk-based assessment can determine which data or apps a user can access with the authentication factors they have provided so far. The same pattern appears on a smartphone, where a low-risk request, such as checking the time or seeing the subject line of an email, can be done without entering a passcode or presenting a biometric.
Adaptive authentication serves two primary objectives. Firstly, it aims to improve authentication security by eliminating the "break once, run everywhere" scenario, where an attacker gains continuous account access by overcoming a single authentication challenge. Secondly, it strives to balance security against user experience. Since stronger authentication usually means a longer or more involved process, adaptive authentication lets low-risk requests through quickly instead of burdening every request with the same time-consuming steps.
The driving force of adaptive authentication is risk assessment, with the authentication requirement rising as the risk to the user or organization rises. Three kinds of rules, static, dynamic and hybrid, govern how adaptive authentication is deployed in real-life applications.
Static rules define a fixed relationship between actions, risks, and authentication requirements. This means, for example, that every time a user seeks to submit changes within an internal app, they must pass an authentication challenge. Typical static policies are based on the user's role, the sensitivity of the data or application, or the action the user is attempting. In each case, a defined rule maps to a defined authentication requirement.
Dynamic rules use the user's own actions and behavior to set a baseline for system access, and any deviation from that norm triggers an authentication challenge. For example, if you log on every day from Southern California but now appear to be in Brazil, the system asks for further identity verification. Similarly, if your account normally interacts with product development systems but now seeks access to the sales team's client list, the request is flagged.
Some adaptive authentication technologies incorporate even more sophisticated dynamic risk signals such as device status, user behavior anomalies and risk data from SIEM tools or other corporate security systems.
Hybrid rules combine static and dynamic rules. This might look like raising the authentication requirement for certain apps but lowering it when a user signs in from a recognized device over the company VPN rather than from an unknown device on a public network. As machine learning capabilities improve, mixing static rules with AI-driven authentication policies is likely to become common.
The stepped-up authentication requests that the system makes can be the same as those of your MFA system, which could include:
Depending on the risk level of the user's request, a system can also require a different factor from the one used at login to improve security. As mentioned, contextual indicators such as source IP address, device identity, or geolocation can also play a role in deciding the risk level of the request. Bear in mind that IP address and geolocation can be manipulated with VPNs and proxies, so an expected location should not by itself lower the requirement; an unexpected one is a reason to raise it.
Unfortunately, many MFA methods aren't all that secure, so adding one of them as an additional layer may not sufficiently protect against the increased risk. Ideally, your baseline authentication would already use phishing-resistant MFA, with the step-up being either a fresh re-authentication with that factor or another highly secure factor.
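The following is an added example, not code from the original post or from HYPR, showing how the static, dynamic and hybrid rules above, the contextual indicators, and a phishing-resistant step-up can be combined into one decision function. All names, actions, thresholds (a 15-minute freshness window, a 900 km/h impossible-travel limit) and the sample user are assumptions constructed for illustration. A session holds the strongest factor presented so far; a request carries its context; the engine returns allow, step up, or deny together with the required assurance level and the signals that drove it.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import radians, sin, cos, asin, sqrt

# Assurance levels a session can hold (assumed scale): 1 = single factor,
# 2 = phishing-resistant MFA, 3 = that MFA re-presented inside the freshness window.
AAL_SINGLE, AAL_MFA, AAL_FRESH = 1, 2, 3
FRESHNESS = timedelta(minutes=15)   # assumed window for level 3
MAX_SPEED_KMH = 900.0               # assumed impossible-travel threshold

# Static rules: the floor each (hypothetical) action needs, whatever the context.
STATIC_RULES = {
    "view_balance": AAL_SINGLE,
    "read_email_subject": AAL_SINGLE,
    "change_settings": AAL_MFA,
    "export_client_list": AAL_MFA,
    "transfer_funds": AAL_FRESH,
}

@dataclass
class Baseline:          # what "normal" looks like for one user
    known_devices: set
    usual_countries: set
    usual_resources: set
    last_seen: tuple     # (timestamp, lat, lon) of the last accepted request

@dataclass
class Session:
    achieved_aal: int    # 1 or 2: strongest factor presented so far
    last_auth: datetime  # when that factor was last presented

@dataclass
class Request:
    ts: datetime
    action: str
    resource: str
    device_id: str
    country: str
    lat: float
    lon: float
    corporate_network: bool = False
    siem_flagged: bool = False

def km_between(lat1, lon1, lat2, lon2):
    """Great-circle (haversine) distance for the impossible-travel check."""
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def risk_signals(req, base):
    """Dynamic rules: every deviation from the user's baseline is a named signal."""
    signals = []
    if req.device_id not in base.known_devices:
        signals.append("unknown_device")
    if req.country not in base.usual_countries:
        signals.append("unusual_country")
    if req.resource not in base.usual_resources:
        signals.append("unusual_resource")
    t0, lat0, lon0 = base.last_seen
    hours = max((req.ts - t0).total_seconds() / 3600, 1 / 3600)  # avoid divide-by-zero
    if km_between(lat0, lon0, req.lat, req.lon) / hours > MAX_SPEED_KMH:
        signals.append("impossible_travel")
    if req.siem_flagged:
        signals.append("siem_alert")
    return signals

def decide(req, base, session):
    """Hybrid policy. Returns (decision, required_level, signals)."""
    required = STATIC_RULES.get(req.action, AAL_MFA)   # unknown action: treat as sensitive
    signals = risk_signals(req, base)
    if "impossible_travel" in signals:
        return "deny", AAL_FRESH, signals              # no extra factor rescues this
    if "siem_alert" in signals:
        required = AAL_FRESH                           # corporate security system says so
    elif signals:
        required = min(required + len(signals), AAL_FRESH)
    elif req.corporate_network and req.device_id in base.known_devices:
        required = max(required - 1, AAL_SINGLE)       # recognised device on the VPN
    effective = session.achieved_aal                   # level 3 is only held while fresh
    if effective >= AAL_MFA and req.ts - session.last_auth <= FRESHNESS:
        effective = AAL_FRESH
    if effective >= required:
        base.last_seen = (req.ts, req.lat, req.lon)    # accepted: extend the baseline
        return "allow", required, signals
    return "step_up", required, signals

def step_up_completed(session, when):
    """Call after the user passes a phishing-resistant challenge."""
    session.achieved_aal, session.last_auth = AAL_MFA, when

def demo():
    """Constructed walk-through: a user who normally works from Los Angeles."""
    t = datetime(2024, 5, 1, 9, 0)
    base = Baseline({"laptop-01"}, {"US"}, {"product-dev"}, (t, 34.05, -118.24))
    session = Session(AAL_MFA, t)
    la = dict(device_id="laptop-01", country="US", lat=34.05, lon=-118.24)
    out = [decide(Request(t + timedelta(minutes=5), "view_balance", "product-dev",
                          corporate_network=True, **la), base, session)[0]]
    out.append(decide(Request(t + timedelta(minutes=30), "transfer_funds", "product-dev",
                              **la), base, session)[0])           # MFA too old: step up
    step_up_completed(session, t + timedelta(minutes=31))
    out.append(decide(Request(t + timedelta(minutes=32), "transfer_funds", "product-dev",
                              **la), base, session)[0])           # fresh again: allow
    out.append(decide(Request(t + timedelta(minutes=50), "export_client_list", "sales-crm",
                              **la), base, session)[0])           # unusual resource
    out.append(decide(Request(t + timedelta(hours=1), "view_balance", "product-dev",
                              device_id="phone-99", country="BR", lat=-23.55, lon=-46.63),
                      base, session)[0])                          # LA to Brazil in 10 min
    return out

if __name__ == "__main__":
    print(demo())   # ['allow', 'step_up', 'allow', 'step_up', 'deny']
```

Two design points are worth noting. The hybrid relaxation (known device on the corporate network) only applies when no dynamic signal fired, so a VPN connection cannot mask an unknown device or an anomalous location. And the highest level cannot be earned once and kept: it expires with the freshness window, which is what turns a one-time login into continuous assessment.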
Implementing adaptive authentication provides several key advantages for organizations, including enhanced security and bottom-line savings.
Adaptive authentication should improve the detection of account takeover attacks, or at least compartmentalize how far they can spread. Requiring stronger factors as the privilege level of the request rises makes it unlikely that anything but a highly targeted attack could succeed. In addition, a behavioral anomaly detector feeding the dynamic ruleset can flag unauthorized intrusions as they occur.
If an authentication system is too demanding, users get frustrated and take shortcuts, such as sharing authentication factors, to save time. If the user is a customer, they may abandon their transaction and take their business elsewhere. An advantage of adaptive authentication is that it seeks the best of both worlds, with low-risk requests handled with a lighter touch. This way, users understand there is a reason for heavier security on higher-risk requests.
Not only do demanding, heavy-handed authentication systems frustrate users, but they also take up a lot of their time, both in the actual authentication process and during resets if factors are forgotten, lost or not accessible. Adaptive authentication reduces friction, improves productivity and lowers help desk calls by providing the right level of authentication security.
Adaptive authentication uses risk-based analysis to determine the level of authentication required. It also keeps assessing during the session and steps up authentication if the risk level of a user's actions increases.
HYPR’s innovative adaptive authentication solution, HYPR Adapt, leverages a powerful risk engine that continuously assesses real-time threats, adapts security policies accordingly, and empowers organizations to deliver a personalized authentication experience without compromising security.
HYPR Adapt’s risk-based authentication works in conjunction with HYPR’s industry-leading easy-to-use, FIDO-based passwordless MFA solution. HYPR Adapt dynamically adjusts security policies based on real-time risk assessments. Each user's workflows are tailored to their unique context, effectively mitigating risks. With the ability to proactively adapt to the dynamic threat landscape, organizations can secure their assets and data while minimizing user friction.
To learn more about adaptive authentication with HYPR Adapt, download the product brief or contact an authentication security expert to schedule a free demo.