8 Oct, 2018

4 Reasons to Upgrade Your MFA to Adaptive Authentication

  • Chamath Samarawickrama
  • Software Engineer - WSO2

What is Multi-Factor Authentication (MFA)?

About two decades ago, when individuals began to use online services for accessing applications, they came across the need for authentication. At that time, the concept of user ID and password was more than enough. With the growth of online businesses, the number of users of these services have increased dramatically and such simple methods were deemed inadequate. Additionally, when it comes to risk levels, user ID and password authentication has a high risk of going through brute force attacks, data breaches, and stolen credentials. Processing speeds of CPUs have increased, so brute force attacks are a reality and dictionary attacks have become a common threat. GPU password cracking and rainbow tables have provided similar advantages to attackers.

Multi-Factor Authentication (MFA) emerged as an answer to this problem, where it created a layered defense and made it harder for an unauthorized person to access a target such as a physical location, computing device, web service, network, user account, or a database. The MFA concept is based on the assumption that if one factor is compromised or broken, an attacker still has at least one more line of defence to breach and therefore is more secure.

MFA relies on two or more secondary factors from the three categories below.

  • Knowledge factors - Things only the user knows, such as personal data or a password
  • Possession factors - Things only the user has, such as ATM cards
  • Inherence factors - Things only the user is, such as a fingerprint

The end user is authenticated using a combination of two or more factors. A basic example is when withdrawing money with an ATM card, the card is the possession factor and the pin number is the knowledge factor.

Challenges with Legacy MFA

Even though MFA provides additional and better security for end users, it isn’t perfect. There were practical problems with the implementation of this concept right from the beginning, and those problems seem to have become severe with the increase of consumers and services.

People Just Don’t Use MFA

During the last few years, well known social identity providers such as Facebook and Google have tried to promote setting up two-Factor Authentication (2FA) for their services and as a result, they’ve managed to streamline setting up 2FA long before the competition. Hence, individuals coming from such environments expect a similar level of streamlined experience with every other service.

Having MFA means the user will have to be redirected to a separate service in order to get authenticated. Even for a fairly simple SMS One Time Password (OTP), a user has to get out of the flow of actions with the actual system and check for the SMS. Other authentication factors are doing far worse. Checking on an email, using a fingerprint device, physical key device, etc. all have the same impact. This would hinder the user experience and as a result, they will be driven away.

Inherent Security Vulnerabilities in MFA Mechanisms

Although the concept of MFA was introduced with a more secure digital world in mind, its implementation contains inherent security vulnerabilities in itself. For example, we can consider the use of SMS based MFA, which is the most popular multi-factor authentication we use today. Attacks on political activists in Iran, Russia, and even in the US have shown that determined hackers can sometimes hijack the SMS messages that are meant to keep you safe. "SMS is just not the best way to do this," says security researcher and forensics expert Jonathan Zdziarski. "It’s depending on your mobile phone as a means of authentication [in a way] that can be socially engineered out of your control." [1] As it turns out, SMS OTPs have become the weakest link in the so-called secure authentication process.

Legacy MFA solutions, due to its static nature, lack the ability to continuously process the dynamic context of an authentication procedure. Hence, these solutions prompt the exact same, pre-configured authentication steps disregarding the contextual risk scores and threat vectors in the authentication flow. This invites the attackers to devise sophisticated attacks to target this predictable nature of a legacy MFA solution and breach its security mechanisms.

OTP based MFA is vulnerable to man-in-the-middle attacks as well. For example, an attacker can simply thwart this type of out-of-band, two-factor authentication by tricking a user into visiting a counterfeit website. As it looks exactly like the site the user intended to visit, they enter their login credentials into the fraudulent site believing it to be the real deal. The attacker actually forwards these credentials onto the legitimate site, which then sends the user an OTP. The user, still unaware anything is wrong, enters the OTP in the fake website and the attacker sends them to the legitimate website, having gained full access to the account in the process.

Authentication Can’t be One-Size-Fits-All Anymore

The most alarming fact about multi-factor authentication as we understand its static nature. You can set it up in your organization where all users have to enter an SMS OTP for login,use a fingerprint device, or any other available secondary factors. But the process stops there. If you set up SMS OTP, then everybody has to enter SMS OTP. Even for a fairly small task such as login and accessing their own profile info, individuals have to wait on their mobile phones and enter the SMS OTP.

The time has come where we need different authentication mechanisms that are carefully drafted for each use case. These use cases should be different depending on the users; their locations, their behaviors, the type of tasks they intend to do, etc. As a simple example, we can consider the above-mentioned use case where a user tries to view the basic details of his/her account. We can simply request for basic authentication in these kinds of scenarios. If a user wants to view more sensitive data or change their details, we can prompt them for a secondary authentication.

The world is complex; one user can have multiple smartphones, a laptop, a tablet, and a desktop computer to access his/her digital life. What if your system has set up strong multi-factor authentication for better security and the users have to enter a second OTP when logging in from all of their devices? This results in a total of four devices and four separate OTPs for each one. How would this impact the user experience?

Extensive Authentication Mechanisms Affect Productivity

At the beginning where MFA was first introduced, there were only a handful of logins for a system to manage. But now this amount has been multiplied by several variables and we’re in an era where even medium sized companies have hundreds of logins per second to deal with. It's true that the processing powers and memory resources of our servers have also increased as well. But we have to agree that it will not be enough for the requirements we’re going to face in the near future. The problem gets worse when we have to process MFA for each login as well.

On the other hand, think about the time a user has to spend for a login attempt just to log in to your online service. It takes about 30 seconds to a minute on an average for a SMS to be received by a user. And with the numbers we’re dealing with, the 30 seconds spent waiting has to be multiplied by hundreds or thousands. Can you imagine the extent of valuable business hours we are wasting in the name of security?

What if we could use simple usernames and passwords for individuals that are in secured environments and ask for MFA from others? Employees who want to log in to the system from the internal network can simply use their credentials and those who are in an external network have to enter the second factor. If only we had a flexible mechanism to keep both the productivity and the usability at a balance with security.

Well, turns out there is!

MFA and Adaptive MFA: What’s the Difference?

Ensuring maximum security while providing reasonable usability is a continuous tradeoff. When using Customer Identity and Access Management (CIAM) or Employee Identity and Access Management (EIAM), it’s important to provide your end user with a frictionless experience to log on to applications and devices. But, given the volatile nature of user devices, networks, locations, and usage contexts, you may have to provide various measures such as MFA to authenticate users appropriately.

This is where adaptive authentication comes in. In adaptive multi factor authentication, steps can be configured and deployed in such a way that the system would decide which steps to prompt during the authentication process, depending on the user’s risk profile and their behavior. This enables companies to precisely apply the right level of gateway security for each login request instead of static procedures for everyone to follow, under all circumstances.

How Adaptive Authentication Overcomes MFA

Diminish the Imbalance Between Security and User Experience

OTPs can be obtained via an SMS channel, or can be generated by the user with an app like Google Authenticator which makes use of a predefined algorithm. In either case, it requires a change in the UI of the application we are trying to secure, and the user is forced to switch to another service to obtain this OTP. Next, the user would have to copy the OTP, and switch back to the original application and re-enter the obtained OTP. Verifying the OTP can take some time as well. Repeating this process results in a sub-optimal user experience.

UX must be a key focus for every digital business. “a well-designed user interface could raise your website’s conversion rate by up to a 200%, and a better UX design could yield conversion rates up to 400%.” [2] However, maintaining a good UX without compromising security and functionality remains a challenge.

With adaptive authentication you can introduce new functions and fields to a script based on your requirement, and then engage the script to the service provider authentication step configuration. These scripts can be implemented to follow the evaluation criteria such as user attributes, user behavior, risk analysis statistics, and machine learning algorithms.

Adaptive MFA acts as an extra layer of security where it only interferes if the risk evaluation for a specific scenario is deemed high. In simple terms, during a login attempt a user has to enter the second factor to the system only if the risk evaluation has been decided as such. This will lessen the friction in low-risk activities and provide a relatively better UX.

Improved Security with Adaptive MFA

Adaptive multi factor authentication is capable of providing enhanced security with contextual data considered during authentication. It continuously processes risk vectors and manages access to applications and resources accordingly. This means, instead of applying risk evaluation and elevation only during the authentication process once, they are continuously evaluated as part of the process while accessing information to determine whether to allow any request for a resource.

Adaptive MFA can elevate the level of authentication in high-risk scenarios by prompting additional authentication via OTP MFA if the login attempt shows an anomalous behavior. This would be the case if the risk vectors result in a high-risk scenario. For example, authenticating in certain geo-locations, authenticating via a network which shows suspicious activity, high profile online transactions, etc. are good examples.

A risk score can be continuously calculated according to an algorithm (a predefined set of rules). This process would take in the behavior of each user when evaluating a risk score. According to the evaluated risk score, the level of authentication to be prompted would be decided.

The risk evaluation process may consider the location, time of the request for a resource, and keystroke dynamics. After this information is factored in, the evaluation algorithm should detect any suspicious behavior.

Flexibility with Adaptive MFA to Meet Corporate and User Needs

The major drawback of the traditional MFA method, which is solved by adaptive multi factor authentication, is flexibility. Adaptive authentication can apply diverse and different methods to unique use cases. Based on security strength, IT benefits, user benefits, and cost, we can set up the process to figure out the best method of authentication for a particular user trying to do a particular task, from a particular geolocation in a particular time period.

Let’s talk about some example use cases. Do you remember the use case mentioned above where a user logging in from an ip address belonging to an internal network versus a user login from an ip address belonging to an external network? With adaptive authentication, you can achieve the solution discussed in here. Based on a number of factors on the authentication attempt, the system can decide whether to let the user access with just the username and password.

Another example would be an individual sending a fund transfer using a bank mobile application installed on his/her smartphone. If it were just MFA with SMS OTP, the system would send the OTP message to the same phone. Would it be practical to send an OTP SMS to the same device? What if the phone was stolen? The system has to be intuitive to decide not to send the second factor to the same device.

Improved Productivity with Adaptive Multi Factor Authentication

As discussed earlier, providing multi factor authentication repeatedly is time consuming and therefore affects productivity. What if we can reduce these time overheads while keeping the security in place together? Adaptive authentication can do just that. It’s capable of responding to the context of the user and device, enabling them to improve productivity by stepping down authentication requirements in low-risk situations.

Since the mechanism considers other external factors about the authentication attempt such as the behavior pattern of the user, the location of the user, time period, etc. adaptive authentication can accept a login without 2FA.


As discussed above, adaptive authentication can provide a more frictionless experience for users compared to its legacy counterpart due to its dynamic contextual threat analysis and its intelligent use of precise levels of security. Additionally, adaptive authentication can alleviate the aforementioned drawbacks of legacy MFA solutions and act as an extra layer of security for the system. Going forward, it would be obligatory for businesses to adopt adaptive authentication in their security solutions considering the escalation of the level of sophistication in cyber attacks. Hence, more intelligent solutions than the currently-in-place legacy MFA solutions would be required if an organization is perceptive towards its security posture. Due to its ability to mitigate the defections in legacy MFA solutions and its provision as a strong base for scalable, efficient security solutions, it’s high time that organizations upgrade from their legacy MFA solutions to adaptive authentication.


  1. Greenberg, A. (2017, June 03). So Hey You Should Stop Using Texts for Two-Factor Authentication. Retrieved from
  2. Paunovic, G. (2017, November 28). The Bottom Line: Why Good UX Design Means Better Business. Retrieved from

About Author

  • Chamath Samarawickrama
  • Software Engineer
  • WSO2