A username and password alone are no longer enough to protect critical data and systems against the growing variety of attacks on credentials. Requiring additional security measures on top of the traditional username-and-password logon has therefore become a key requirement for most systems.
Adaptive Authentication was developed to address this problem. It is a dynamic form of Multi-Factor Authentication (MFA) in which the Identity Provider assesses the risk of each login attempt and applies only the level of authentication that risk calls for: a low-risk login completes with a single step, while a suspicious one is challenged for additional factors or rejected outright.
The following are a few main types of adaptive authentication that have been implemented.
Device-based authentication changes the level of security dynamically according to the properties of the device from which the authentication request is made. Device recognition checks whether the user is logging in from a device they have used before or from a new one, which the system treats as a suspicious login. The system analyzes the identity of the device (typically a device fingerprint or a device cookie issued on an earlier login) and adds extra security steps if the current device profile differs from the user's device history. For example, if the user requests authentication from a new device, the system identifies the attempt as suspicious and adds an extra authentication step (Multi-Factor Authentication). If the device is blacklisted, the system can terminate the authentication process altogether and deny the user access from that device. Note that a fingerprint or cookie identifies a device only as long as an attacker cannot copy it; a key bound to the device's hardware gives a much stronger device identity.
User-attribute-based authentication changes the authentication level according to the attributes assigned to different users. This can be done by grouping users into separate user stores, assigning particular attributes to each user store, and applying a different authentication scheme to each attribute. A common example is a point-of-sale (PoS) system. Cashiers log in with a single step and carry out their usual tasks. When an administrative event is triggered, such as altering or deleting sales records, an extra authentication factor is requested before the event is authorized.
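The PoS flow above is a step-up pattern: a session carries the level of assurance it has proven so far, and an action that needs more triggers a second factor before it is authorized. The following is an added example written for this page, not code from any identity product. It models that pattern with a level-of-assurance (LoA) number per session; the group names, the action list, the per-group login levels and the five-minute lifetime of a completed step-up are hypothetical policy values chosen for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed example. LoA 1 means the session was authenticated with a password
# only; LoA 2 means a second factor was also verified. Group names, actions and
# the step-up lifetime are hypothetical policy values, not taken from any product.

# Minimum LoA each action requires. Administrative events need LoA 2.
ACTION_LOA = {
    "open_register": 1,
    "record_sale": 1,
    "alter_sale": 2,
    "delete_record": 2,
}

# LoA produced by the initial login scheme of each user-store group: cashiers log
# in with a single step, administrators always complete two factors up front.
GROUP_LOGIN_LOA = {"cashier": 1, "admin": 2}

STEP_UP_TTL = timedelta(minutes=5)   # how long an elevated level stays valid

BASE = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)   # fixed clock for the demo


def at(minutes: int) -> datetime:
    """Deterministic clock: BASE plus the given number of minutes."""
    return BASE + timedelta(minutes=minutes)


@dataclass
class Session:
    user: str
    group: str
    loa: int                                   # level currently proven in this session
    elevated_until: Optional[datetime] = None  # expiry of a completed step-up


def login(user: str, group: str) -> Session:
    """Create a session at the LoA the group's login scheme produces."""
    return Session(user=user, group=group, loa=GROUP_LOGIN_LOA[group])


def effective_loa(session: Session, now: datetime) -> int:
    """Current LoA, dropping an expired step-up back to the group's login level."""
    if session.elevated_until is not None and now >= session.elevated_until:
        session.loa = GROUP_LOGIN_LOA[session.group]
        session.elevated_until = None
    return session.loa


def authorize(session: Session, action: str, now: datetime) -> str:
    """Return 'allow', 'step_up' (second factor needed first) or 'deny' (unknown action)."""
    needed = ACTION_LOA.get(action)
    if needed is None:
        return "deny"
    return "allow" if effective_loa(session, now) >= needed else "step_up"


def complete_step_up(session: Session, now: datetime) -> None:
    """Record that the second factor was verified; the elevation is time-limited."""
    session.loa = 2
    session.elevated_until = now + STEP_UP_TTL


def demo() -> list:
    """Cashier flow from the text: routine work in one step, step-up for an edit."""
    s = login("cashier01", "cashier")
    results = [
        authorize(s, "record_sale", at(0)),   # allow: LoA 1 is enough
        authorize(s, "alter_sale", at(1)),    # step_up: administrative event
    ]
    complete_step_up(s, at(1))                # second factor verified at 09:01
    results.append(authorize(s, "alter_sale", at(2)))     # allow: still elevated
    results.append(authorize(s, "delete_record", at(7)))  # step_up: elevation expired
    return results


if __name__ == "__main__":
    print(demo())   # ['allow', 'step_up', 'allow', 'step_up']
```

The expiry matters in practice: without it, one step-up early in a shift silently turns every later administrative action into a single-factor operation for as long as the session lives.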
Location-based authentication, also called Geo-Location, authenticates users according to the geographic location of the device they are using. The probability that a login is legitimate is calculated from that location: the system identifies where the device is and continues the authentication process only if the location is allowed (whitelisted). The location is obtained mainly by geolocating the device's IP address, or directly from the device's GPS information when that feature is operational. An IP-based location is coarse and is hidden by a VPN or proxy, and GPS data reported by the client can be forged, so location is best treated as one risk signal rather than as proof. Based on the identified location, the system controls access to resources. A widespread use of Geo-Location is authorizing credit card transactions: when a card is used, the location of the transaction is compared with the location of the cardholder's mobile phone. If the two locations do not coincide, the system can flag the card as suspicious and request authentication from the user's phone, or even terminate the transaction.
Behavior-based authentication relies on behavioral attributes of the user that the system has learned over time. The system analyzes the user's behavior and checks for major deviations from their usual routine. It can authenticate the user with a single step, or add further steps if it detects a change in behavior. For example, if a user only ever logs in during the daytime, the system can treat a nighttime login as suspicious and require Multi-Factor Authentication.
Geo-Velocity is a further type of Adaptive Authentication, categorized under behavior-based authentication, that compares the current login location with the locations of the user's previous logins. The system considers the modes of transportation available between the two locations and their travel times, and checks whether a login from the new location is a probable event given the time elapsed since the previous login. If the change in location is plausible, the system simply requires Multi-Factor Authentication. If it is implausible, for example if a user logs in from Sri Lanka at a particular time and shortly afterwards another authentication request for the same user arrives from the UK, the system treats this as an impossible scenario (commonly called impossible travel) and terminates the authentication.
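The device-based, location-based, behavior-based and geo-velocity checks described above are usually evaluated together as one risk decision per login: ALLOW, step up to MFA, or DENY. The following is an added example written for this page, not code from the original article or from any identity provider. It assumes the client's country and coordinates have already been resolved (for example from a GeoIP lookup of the IP address), keeps the per-user history in memory, and uses hypothetical thresholds: a country allowlist, a device denylist, 100 km as the smallest move that counts as a change of location, and 1000 km/h (faster than a commercial flight) as the speed beyond which travel is declared impossible. The geo-velocity check uses the haversine great-circle distance; the sample users, devices and logins are constructed.

```python
from __future__ import annotations

import math
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

# Constructed example. In a real deployment the country and coordinates would come
# from a GeoIP lookup of the client IP (or device GPS) and the per-user history from
# a database; here both are supplied inline. Users, devices and thresholds are
# hypothetical. All timestamps are UTC, and the "usual hours" profile is kept in
# UTC too, so the time-of-day check needs no timezone conversion.

ALLOWED_COUNTRIES = {"LK", "GB"}         # location allowlist
BLACKLISTED_DEVICES = {"dev-stolen-01"}  # device denylist
MAX_SPEED_KMH = 1000.0                   # above commercial flight speed: impossible travel
MOVED_KM = 100.0                         # smaller moves count as the same place


@dataclass
class LoginEvent:
    user: str
    device_id: str      # stable device fingerprint or device cookie
    country: str        # ISO 3166-1 alpha-2 code from GeoIP
    lat: float
    lon: float
    time: datetime      # timezone-aware, UTC


@dataclass
class UserProfile:
    known_devices: set = field(default_factory=set)
    usual_hours: range = range(3, 15)            # UTC hours the user normally logs in
    last_login: Optional[LoginEvent] = None


def make_event(user, device_id, country, lat, lon, iso_utc: str) -> LoginEvent:
    """Build an event from an ISO 8601 UTC timestamp such as '2024-01-01T03:30:00'."""
    t = datetime.fromisoformat(iso_utc).replace(tzinfo=timezone.utc)
    return LoginEvent(user, device_id, country, lat, lon, t)


def haversine_km(lat1, lon1, lat2, lon2) -> float:
    """Great-circle distance in kilometres between two latitude/longitude points."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def evaluate(profile: UserProfile, ev: LoginEvent) -> tuple:
    """Return (decision, reasons) where decision is 'ALLOW', 'MFA' or 'DENY'."""
    reasons = []

    # Device-based: a denylisted device ends the flow; an unseen device steps up.
    if ev.device_id in BLACKLISTED_DEVICES:
        return "DENY", ["blacklisted device"]
    if ev.device_id not in profile.known_devices:
        reasons.append("unknown device")

    # Location-based: only allowlisted countries may proceed.
    if ev.country not in ALLOWED_COUNTRIES:
        return "DENY", [f"country {ev.country} not allowlisted"]

    # Behavior-based: a login outside the user's usual hours is suspicious.
    if ev.time.hour not in profile.usual_hours:
        reasons.append("login outside usual hours")

    # Geo-velocity: speed implied by the move since the previous login.
    prev = profile.last_login
    if prev is not None:
        km = haversine_km(prev.lat, prev.lon, ev.lat, ev.lon)
        hours = (ev.time - prev.time).total_seconds() / 3600.0
        if hours > 0:
            speed = km / hours
        else:
            # Out-of-order or duplicate timestamps: a real move in zero time is impossible.
            speed = math.inf if km > MOVED_KM else 0.0
        if speed > MAX_SPEED_KMH:
            return "DENY", [f"impossible travel: {km:.0f} km in {hours:.2f} h"]
        if km > MOVED_KM:
            reasons.append("location changed since last login")

    return ("MFA", reasons) if reasons else ("ALLOW", reasons)


def record_success(profile: UserProfile, ev: LoginEvent) -> None:
    """After a successful login, learn the device and remember the location and time."""
    profile.known_devices.add(ev.device_id)
    profile.last_login = ev


def demo() -> list:
    """Scripted sequence: two Colombo logins, then an implausible jump to London."""
    p = UserProfile(known_devices={"laptop-1"})
    colombo = (6.93, 79.85)
    london = (51.51, -0.13)
    decisions = []

    ev = make_event("alice", "laptop-1", "LK", *colombo, "2024-01-01T03:30:00")
    decisions.append(evaluate(p, ev)[0])       # ALLOW: known device, usual hours
    record_success(p, ev)

    ev = make_event("alice", "phone-7", "LK", *colombo, "2024-01-01T04:00:00")
    decisions.append(evaluate(p, ev)[0])       # MFA: unknown device
    record_success(p, ev)

    ev = make_event("alice", "laptop-1", "GB", *london, "2024-01-01T09:00:00")
    decisions.append(evaluate(p, ev)[0])       # DENY: about 8700 km in 5 h
    return decisions


if __name__ == "__main__":
    print(demo())   # ['ALLOW', 'MFA', 'DENY']
```

Two design points are worth noting. The history is only updated by `record_success`, so a login that was denied or never completed its second factor does not poison the "last known location" that the next geo-velocity check relies on. And the hard-fail checks (denylisted device, disallowed country, impossible travel) return immediately, while the soft signals accumulate into the reasons list; that list is what should be logged, since "MFA" alone tells an analyst nothing about why the challenge was raised.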