Adaptive authentication offers ‘frictionless’ alternative to MFA

Can adaptive authentication offer security without the irritation?
article cover


· 5 min read

A growing number of organizations are testing cutting-edge, adaptive forms of authentication that recognize patterns in keystrokes, typing patterns, mouse movements, or even gait (if you’re wearing a smart watch).

While the extra authentication factors are intended to help organizations like enterprises, banks, and hospitals guard their most valuable assets and avoid the user irritation sometimes associated with multi-factor authentication requests, the adaptive technology is still in an early phase of adoption and deployers will have to prepare employees for the systems’ potentially surprising grasp of their behaviors.

What’s the score?

Risk-based authentication” verifies a user by scoring one’s reliability, often based on factors like IP address, geo-location, and time of day.

Calculating the risk score, however, was traditionally a simple task involving one basic question, according to Johannes Ullrich, dean of research at the SANS Technology Institute: “Is the user connecting from a new device?” The cutting-edge aspect of adaptive authentication lies in its ability to assess risk by asking much more than that, said Ullrich.

“That’s really sort of where the cutting-edge part comes in,” Ullrich told IT Brew. “How granular are you? And how are you sort of doing that behavior analysis and such to figure out: Is this a high-risk transaction or not?”

Adaptive authentication products build a baseline of normal behaviors from a legitimate user’s patterns and then notice anomalies. An unusual pattern – say, an unlikely database request at 3 AM – is flagged as a potential account takeover, and the access system can then log the user out, prompt a multi-factor authentication request, or reduce in-session privileges.

Adaptive technology combines a rule-based approach with advanced analytics and artificial intelligence, or machine learning, and machine learning can figure you out, according to Dan Lohrmann, field CISO for public sector at New York-based systems integrator Presidio.

“It learns behaviors; it learns how you do your work; it learns when you access different types of data, what data are you trying to access,” said Lohrmann. “They can get pretty good at determining how you do what you do when you do it.”

Multi-factor irritation

While the arrival of MFA is surely welcomed by security professionals, contextual authentication brings verification without the continued MFA requests like checking your email or texts—an attractive feature, perhaps, for users that want to log in and get going, said Zach Capers, senior content analyst at software vendor Capterra.

Top insights for IT pros

From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.

“Because traditional multi-factor authentication tends to add more friction to the user experience, adaptive authentication is a way to improve security without adding inconvenience for users,” Capers told IT Brew via email.

With adaptive authentication, MFA is not required for every login; only those users with a high-risk score—a user logging in from an unusual IP address, a user who’s not engaging in the expected, learned behavior patterns—are asked for additional authentication factors.

Customers are demanding more frictionless authentication, according to Matt Ulery, chief product officer at identity and access management company SecureAuth—a seamless approach free of multiple requests to prove users are who they appear to be.

“Users right now are demanding the most frictionless environment they could: you don’t like to authenticate. You just want to get into your applications,” Ulery told IT Brew. “On the other side, I’ve got to manage and mitigate the risks. I think the right balance for the right situation is what adaptive is all about.”

Who’s adapting?

Andras Cser, VP and principal analyst at Forrester, sees a host of financial services, e-commerce, and government organizations using adaptive authentication.

“Anywhere where inconveniencing customers can lead to lost revenues,” said Cser, via email.

End-user organizations using adaptive authentication products range in the tens of thousands, Cser told IT Brew, and customers being authenticated using these solutions are in the “high hundreds of millions.”

Many access management platforms now include native tools and analytics that enable some forms of adaptive authentication, said Capers.

As more companies choose adaptive options, employees may need to get used to technology learning things like their typing patterns or keystroke pressure. That kind of surveillance could be “justifiably perceived as creepy,” Capers noted.”

When introducing adaptive authentication technology, Capers told IT Brew, “clearly explain why it’s superior to traditional methods and spell out exactly how user data is protected”—say, through encryption.

“If you can’t do both, user concerns may be valid,” said Capers.—BH

Do you work in IT or have information about your IT department you want to share? Email [email protected] or DM @BillyHurls on Twitter.

Top insights for IT pros

From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.