Skip navigation

Managing Risk With Adaptive Authentication

The problem with authentication is that one factor doesn’t fit all — in fact, it hardly fits anything anymore. With a password being guessable and reusable, it’s a weak security control that can be attacked at scale. Adding a second factor to the mix bolsters that control, but it also starts adding friction to the login experience. CISOs now have to balance managing risk with multiple authentication factors against usability, and that’s where adaptive authentication comes in.

If you think of authentication factors as being like a hand of cards, you can play the cards that you think are appropriate at each point in your game. The most common factors are:

  • Something you know (such as a password, or something in your personal history, or a shared secret)
  • Something you have (a token, card, certificate, key, app instance, or other unique item)
  • Something you are (a fingerprint, a typing behavior, a retinal pattern, a voiceprint)

There’s also the option to allow more than one factor in each category. Theoretically, it should be harder for an attacker to compromise an account as the factors get piled on. This is why challenge questions may be as few as one and as many as five, depending on how likely they are to be guessable. The “thing you have” may consist of a mobile phone, a certificate, a voice line, a U2F token, a set of offline codes, or all of the above.

To get even more factors into the mix, you can lay down additional restrictions in your policies, such as permitted network address ranges, device hygiene levels, allowed or blocked geographic locations, corporate-managed endpoints, expected usage hours in a day, and baselined behavior.

You can use anything that reassures you that this is probably the same user you enrolled, or that excludes anything you don’t expect ever to see. For example, if you don’t expect your users to connect from outside of North America, you can reduce your potential attack surface by blocking access from everywhere else. (But be ready to manage exceptions to that rule, because for each policy, there will be an equal and opposite exception).

Note, however: if you rely too much on location as a factor, then you fall into the perimeter trap that has affected so many enterprises, where an attacker has free rein on an internal network once they’re past the firewall.

When you have reason to doubt one of the factors — is someone else replaying that password? Did someone steal the phone? — then you lean more heavily on another factor to compensate. You ask for some additional secret information, or you ask the user to produce a fingerprint. By juggling different factors to rebalance the risk, you’re employing adaptive authentication: adapting to the current estimated level of risk at the time of login.

Which cards you play might depend on whether it’s early or late in the game, what cards have already been played, or what you think the house is holding. Is this a new device? Ask the user to enroll it, providing more shared-secret factors such as a code that the help desk gives them over the phone, or by sending a confirmation to the old device, or by having the user authenticate to a different application first. With adaptive authentication, you’ve developed a strategy for each circumstance, or use case, to match the risk level you assume.

Because usability comes into play, there are also several reasons why you might adapt your authentication factors. A user currently in an area with little-to-no cell coverage might have to fall back on Wi-Fi or a token; it’s hard to use a fingerprint reader when you’re having tacos or ribs for lunch.

As mentioned above, more factors mean more friction, so another popular feature in many systems allows you to “remember” a user or a device and stop asking for the additional authentication factor over a period of time (say, a multi-hour session, or calendar days or weeks). Again, by adding or removing the requirement for certain factors under different circumstances, you can adapt the cards you play or keep. You need to keep your users happy and, at the same time, protect against the most likely threats.

Adaptive authentication helps you choose the right tools for the job at the time, without locking you and the user into one set of factors for everything. By taking advantage of flexibility, understanding the risk with different workflows and circumstances, and reducing friction in the login process for your users, you can achieve the right balance of controls. Knowing when to hold ‘em and when to fold ‘em is an important part of your dynamic security program.

Wendy Nather

Principal Security Strategist

@wendynather

Wendy Nather is a former CISO in the public and private sectors, and past Research Director at the Retail ISAC (R-CISC) as well as at the analyst firm 451 Research. She enjoys extreme weather changes while shuttling between Austin and Ann Arbor.