Adaptive authentication, often called risk-based authentication, is an access method that attempts to match the required user credentials to the perceived risk of the authorizations requested. Its goal is to try to lessen the security burden on users and provide a better experience, while enforcing strong authentication where it is most needed.
For example of adaptive authentication, a user accessing company resources via VPN from his known home office using an employer-managed PC won’t be required to show any added verification certifications past those given by his PC because the connection request is perceived to be low-risk. Doing the same from an unknown WiFi network during “odd” hours of the day would require the user to present added verification such as a password, OTP, or both, in light of the fact that the action presents a potential hazard to the network as admins and risk models would deem.
In a consumer example, a user shopping on an e-commerce website won’t be required to present any verifications when accessing to the application at first, or adding things to the cart, on the grounds that these tasks present little risk to the shopping platform. During checkout, however, the user would regularly be required to show a password or some other verification since a financial transaction is seen to be a higher-risk activity that mere access.
Going further, in a banking example, web based financial consumer would only be required to enter a username and password to view her account, yet when attempting to move funds from one account to another, she would need to answer challenge questions on the web, or enter an OTP code from the bank-issued hardware OTP key.
“Our website is seeing an increase in malicious activity from different locations. We’re going to use adaptive authentication to customize access requirements based on the user’s behavior.”