8 Oct, 2018

4 Reasons to Use WSO2 Identity Server for Adaptive Authentication

  • Ishara Karunarathna
  • Associate Technical Lead - WSO2

Say Hello to Adaptive Authentication

Traditional username-password authentication is no longer enough to protect critical data and systems. Multi-Factor Authentication (MFA) is one way to verify a user's identity more securely for a given application. Even though MFA can increase the security of the application, it reduces usability, since users have to go through several authentication steps every time they log in to the application.

This is where adaptive authentication comes into play, providing security along with enhanced usability. Adaptive authentication is an evolved form of MFA in which authentication steps are configured and deployed so that the system decides which steps to evaluate during the authentication process, depending on the user’s risk profile and behavior. If the risk level is high, the authentication layers can be tightened, whereas if the risk level is low, several authentication layers can be skipped.

Benefits of adaptive authentication

Adaptive authentication ensures a healthy balance between security and usability by removing unnecessary friction for the user and improving the security of the application. It evaluates contextual and other correlated data to make an intelligent decision on user identity.

Adaptive authentication policies should evaluate a combination of user identity attributes, geolocation, user activity, and IP address for deciding how to route the authentication request. A perfect adaptive authentication solution should be able to evaluate a wide variety of inputs and produce a real-time decision on the precise level of authentication for each scenario.

Different organizations have different authentication needs. Therefore, the adaptive authentication provider should give the user the opportunity to differentiate the solution and implement their own set of authentication policies.

WSO2 Identity Server combines multi-factor authentication and provides adaptive authentication with intelligent and real-time risk analysis, optimized user experiences, and easier compliance. Catering to all these features, WSO2 Identity Server provides the best adaptive authentication solution in the market.

Benefits of using WSO2 Identity Server for adaptive authentication

  1. Bring complex authentication policies in a simpler manner

    The WSO2 Identity Server (IS) adaptive authentication implementation comes with a rich script-based policy language that helps you overcome the barriers imposed by traditional UI tools. The management console of WSO2 Identity Server has a powerful authentication script editor for establishing new policies easily. Using a JavaScript (JS)-like language to implement complex authentication policies reduces their complexity. This feature allows you to define a dynamic authentication sequence based on the written script.

    The ability to configure adaptive authentication as a combination of static and dynamic policies is another plus point of the WSO2 Identity Server adaptive authentication solution. Static policies such as user roles, user attributes, and user stores, and dynamic policies such as user tendencies defined on device usage, IP range, and geo velocity can all be considered when implementing a policy for adaptive authentication.

  2. A comprehensive toolset to design your adaptive authentication sequence

    The feature-rich user interfaces in WSO2 Identity Server provide a comprehensive toolset to design your adaptive authentication sequence. There is a set of predefined adaptive authentication templates that covers almost all the industry use cases, such as role-based, user-age-based, tenant-based, user-store-based, IP-based, new-device-based, ACR-based (Authentication Context Reference), and risk-based adaptive authentication. Thus, the administrator can generate a new policy in a few minutes by slightly modifying an existing template. The availability of templates provides a significant time-saving foundation for adaptive authentication policy making.

    An authenticator handles user verification for applications. It is a basic requirement for any adaptive authentication provider to have a rich set of authenticators covering different factors. WSO2 Identity Server supports a large range of third-party authenticators such as Facebook, LinkedIn, and Email OTP. An identity provider can be configured for the desired third-party authentication system to validate user logins to an application. Multiple third-party authentication systems can be configured to handle a single authentication request in multi-factor authentication.

    By default, WSO2 Identity Server is shipped with username/password based authentication. The security of the authentication can be strengthened by adding additional authentication steps. WSO2 Identity Server allows configuring multi-step authentication where you can define an authentication chain containing different authenticators in different steps. WSO2 Identity Server has comprehensive support for multi-factor authentication, with authenticators available for SMSOTP, FIDO, MEPin, and more.

  3. Open, future-proof adaptive authentication platform

    The WSO2 Identity Server adaptive authentication solution can be defined as an open and future-proof adaptive authentication platform. Hence, WSO2 Identity Server has become a leader in identity providers. It takes a developer-friendly approach and is not a vendor-specific solution. The user is not restricted to the policies available in the predefined templates.

    WSO2 has a connector store with more than 200 free and open connectors for popular business-critical services. These connectors allow WSO2 Identity Server to obtain services from external systems and integrate with them easily. The WSO2 Identity Server code base is publicly available on GitHub and is self-sufficient, with comprehensive documentation, tutorials, and self-guiding examples. Therefore, customers can modify and reuse the components provided in WSO2 Identity Server.

  4. Designed to quickly integrate with risk engines and external systems

    WSO2's adaptive authentication feature is designed to integrate quickly with risk engines and external systems. By default, WSO2 Stream Processor is configured as the risk engine for adaptive authentication policies. WSO2 Stream Processor is a lightweight, lean, streaming SQL-based stream processing platform that allows you to collect events, analyze them in real time, identify patterns, map their impacts, and communicate the results within milliseconds. This product can be configured as the risk engine to evaluate user authentication details for risk-based policies.
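
The kind of policy item 1 describes, combining a static input (user role) with a dynamic one (source IP range), written here as an added example; it is not code from the original article or from WSO2. `onLoginRequest`, `executeStep` and `hasAnyOfTheRoles` are named after the product's script functions but are stubbed locally, and the stubs, role names, network range and `simulateLogin` harness are assumptions to check against the documentation for your version.

```javascript
var PRIVILEGED_ROLES = ['admin', 'finance']; // constructed role names
var TRUSTED_CIDR = '10.20.0.0/16';           // constructed trusted network
// Dotted IPv4 -> unsigned integer; null when the input is malformed.
function ipv4ToInt(ip) {
  var parts = String(ip).split('.');
  if (parts.length !== 4) return null;
  var n = 0;
  for (var i = 0; i < 4; i++) {
    if (!/^\d{1,3}$/.test(parts[i]) || Number(parts[i]) > 255) return null;
    n = n * 256 + Number(parts[i]);
  }
  return n;
}
// True only when ip parses and lies inside cidr, so bad input fails closed.
function inCidr(ip, cidr) {
  var pieces = cidr.split('/');
  var addr = ipv4ToInt(ip), net = ipv4ToInt(pieces[0]);
  if (addr === null || net === null) return false;
  var size = Math.pow(2, 32 - Number(pieces[1]));
  return Math.floor(addr / size) === Math.floor(net / size);
}
// Local stand-ins for the script engine (assumptions) so the policy runs offline.
var stepsRun = [], ctx = null;
function executeStep(step, handlers) {
  stepsRun.push(step);
  if (handlers && handlers.onSuccess) handlers.onSuccess(ctx);
}
function hasAnyOfTheRoles(user, roles) {
  return roles.some(function (r) { return user.roles.indexOf(r) !== -1; });
}

// Policy: password step always; second factor for privileged or off-network logins.
var onLoginRequest = function (context) {
  executeStep(1, {
    onSuccess: function (context) {
      var privileged = hasAnyOfTheRoles(context.currentKnownSubject, PRIVILEGED_ROLES);
      var offNetwork = !inCidr(context.request.ip, TRUSTED_CIDR);
      if (privileged || offNetwork) executeStep(2);
    }
  });
};

// Harness: returns the steps the policy ran for one constructed login.
function simulateLogin(roles, ip) {
  stepsRun = [];
  ctx = { currentKnownSubject: { roles: roles }, request: { ip: ip } };
  onLoginRequest(ctx);
  return stepsRun;
}
```

A login whose source address is missing or unparseable is treated as off-network, so the policy steps up rather than skipping the second factor.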


Because adaptive authentication offers users a frictionless experience rather than disruptive MFA, it has become the way forward for the authentication process. However, that advantage adds value for users and admins only if the best IDP with an adaptive authentication solution is selected.

As highlighted above, WSO2 Identity Server provides an adaptive authentication solution which prevails over other competitive solutions. The ability of the script-based policy language to reduce complexity and deliver features to users in a simple manner, the comprehensive toolset for designing adaptive authentication features, and the open source, future-proof, extensible platform are the main reasons to embrace the WSO2 adaptive authentication solution.

