What is Adaptive Multi-factor Authentication (MFA)?

In 2016 over $80B have been spent on Security, yet 66% of companies were still breached, and Forrester states that 81% of breaches involved compromised credentials in the form of either stolen or weak passwords.

I covered in one of my previous blogs the cost of protecting yourself, which according to a study by Ponemon Institute in 2015, the mean annualized cost for 58 benchmarked organizations is $15 million per year.

So, now that we understand how expensive it is to get hacked (which many of us probably knew along), I want to state the obvious: In today’s IT world, relying on simple username and password authentication is not enough to protect critical business data and systems against the more and more sophisticated growing number of cyber-attacks.

The Need for Multi-factor Authentication (MFA)

Multi-factor authentication (MFA) allows enterprises to protect access to their applications and systems without breaking the bank.

With MFA, users must provide two or more “factors,” of authentication when they access applications, networks, and or resources. MFA implementations use a combination of the following factors:

• Something you know, such as a username, password, PIN, or the answer to a security question.
• Something you have, such as a smartphone, one-time pass token, or smart card.
• Something you are, biometrics like your fingerprint, retina scans, or voice recognition.

But if MFA is implemented the wrong way it can become an “in your face” authentication experience if you are constantly prompted for a second factor every step of the way. To make access to systems and applications more “user friendly” without compromising security, the adoption of adaptive MFA is the next logical evolution.

Adaptive Multi-factor Authentication

Adaptive MFA is a way that multi-factor authentication can be configured and deployed in a way that the Identity Service Provider (IDP) system will select the right multiple authentication factors depending on a user’s risk profile and behavior as part of an ongoing process, instead of applying risk evaluation and elevation only during the authentication process once. Well, it’s also to adapt the type of authentication to the situation.

There are three ways that adaptive authentication can be configured depending on the IDP’s capabilities:

1. One can set static policies defining risk levels for different factors, such as user role, resource importance, location, time of day, or day of the week.
2. The system can learn the typical activities of users based on their tendencies over time. This learned form of adaptive authentication is similar to behavioral correlation.
3. A combination of both static and dynamic policies.

And a sophisticated adaptive authentication IDP system should provide more than just the use of OTP tokens like RSA Secure ID, Symantec VIP, or similar. A sophisticated adaptive authentication IDP system should support many MFA mechanisms like mobile push notifications, derived credentials, SMS verification, and more.

Regardless of how you would define your corporate risk levels, adaptive authentication should adapt to that risk level, presenting the appropriate level of authentication for the given level of risk. Unlike standard, one-size-fits-all authentication elevation, it avoids making low-risk activities inappropriately burdensome or high-risk activities too easy to hack.

Adaptive authentication should look at the following:

• Device Profile: What system is the request coming from? Is this a system I have seen before, is this a corporate-issued device?
• Location Awareness: Where is this request coming from, is this a “risky” IP address range, is this coming from a “risky” country? How did the user get from San Francisco to some other country in one hour? This isn’t the usual location from which this user is logging on.
• User Behavior: Why is the user accessing those servers/applications/data? He has never done that before.

Using adaptive MFA for accessing applications and resources makes it easy for IT and the end-user, which results in a “happier” user force and protects your enterprise.