8 Oct, 2018

5 Instances to Use Adaptive Authentication

  • Darshana Gunawardana
  • Senior Technical Lead - WSO2


Adaptive authentication is a secure and flexible form of authentication where you may need to validate multiple factors to determine the authenticity of a login attempt, before you grant access to a resource. It uses a range of factors from user behavior, devices used, to other variables that determine whether this user is potentially dangerous. The factors that you need to validate depend on the risks associated with a particular user access request. The authentication risk is checked without users being aware of it and multi-factor authentication (MFA) is applied only if the associated risk is high.

Adaptive authentication is an appealing option due to the balance it provides between security and usability. When a user decides to log in to an application, the security component is increased by activating an authentication step or by creating real time MFA automatically when improper authentication is found or by detecting fraud. Usability or convenience is ensured depending on the trustability of the particular user or adding additional security layers against an untrusted user.

Use Cases of Adaptive Authentication

Adaptive authentication concerns with providing context based authentication options for increased usability. These would include environment, device, attribute, behavior and risk based authentication as illustrated below.

Environment Based Authentication

Environment based authentication occurs when users are authenticated based on environmental factors such as geographic location. The probability of the user being legitimate is checked by using the device location, identifying unlikely travel routines, and blocking users in deny listed locations.

In order to authenticate users through their geo-location, the identity provider must have the ability to identify the location of the user and authenticate him/her if the identified location is allowed to be authenticated. This is mainly done by checking the IP address of the device being used. GPS information can also be used if GPS on the device is operational. When mobile devices are used, this action is performed by triangulating cellular signals from service towers. Based on the location information obtained, the identity provider can control the limitation of access to resources. Geo-location is commonly used to authenticate use of credit cards for users. When a credit card is used, the location of the origin of the transaction can be compared with the geo-location data obtained from the user’s phone to check whether the credit card activity is suspicious and request for authentication from the user’s phone if needed.

Device Based Authentication

Device based authentication occurs when levels of security used for authentication dynamically change based on the properties of the device being used to request for authentication. This type of authentication is performed in 2 ways - either by analyzing the identity of the device (device recognition) or the context of the device (device context).

  • Device Recognition

    Device recognition introduces additional security levels if current device profile is different from the profile history. For example, suppose the device used for login is new. In such instances, we can add a new authentication layer such as MFA for further security. If the device detected is found to be a stolen one, the system terminates the authentication process.

  • Device Context

    Device context uses operation system configuration and geo-location. We can add different security levels, depending on the OS version used. Certain applications may not support older versions of the OS as these applications require a higher level of security which are non-existent in older versions.

Attribute Based Authentication

Attribute based authentication is done when attributes assigned to users are used to authenticate users in different levels. We can group users into separate user stores and implement different authentication schemes for each user store. Other common attributes that are considered for authentication include user age, user type, and user roles. For example, in a POS system, a cashier will be able to log in to the system with a single step and perform general tasks. For administrative tasks such as deleting or altering a sales record, needs to be done, extra factors for authentication will be requested to authorize privileged access.

Behavior Based Authentication

There are 2 ways to perform behavior based authentication - through user behavior and the use of geo-velocity.

  • User Behavior

    This type of authentication analyzes the behaviour of users to check for deviations from usual routines. Authentication is done by analyzing the information obtained from user interactions with the device. For example, the system may record historical data of the login times of a user and identify the usual times the user has accessed the system. In the event of a login at an unusual time, the system may ask for more factors for authentication.

  • Geo-Velocity

    This method of authentication is concerned with the current location of the user and the location from which the user has logged-in previously. This is done by considering the different modes of transportation available and their travel schedules, and identifying whether a particular user login from a certain location is a probable event. For example, if a user logs in from Sri Lanka at a particular time and then a short while later another authentication request comes from USA, the system will identify that this is an impossible scenario and may ask for an extra factor for authentication or even terminate authentication.

Risk Based Authentication

Risk based authentication is used when users are granted access based on a risk score calculated for a certain series of events. Various factors are considered by the risk calculating algorithm, such as the size of the user base, sensitivity of the resources requested, criticality of the system, geolocation, IP addresses, and the status of firewalls and anti-virus software of the device.


The use cases explored in this article clearly show how adaptive authentication works on different domains.The primary advantage of adaptive authentication is that it requires minimal human input. No one has to manually determine the rules or correlate different activities to identify elevated risks. It works dynamically and increases MFA steps depending on a user’s login attempts by its own intelligence. From a user’s perspective, they want to have strong security and convenient authentication. Adaptive authentication MFA improves user experiences. Instead of requesting the user to provide multiple authentication factors, the user will only be asked for an additional factor when necessary. We can conclude that adaptive authentication provides security and convenience authentication.


About Author

  • Darshana Gunawardana
  • Senior Technical Lead
  • WSO2