What is Adaptive Authentication?
Adaptive authentication is a way of implementing two-factor authentication (2FA) or multi-factor authentication (MFA) using a risk-based approach, in which authentication decisions adapt to the calculated risk level.
Authentication Mechanisms (Factors)

As background, the credentials that can be used in an authentication process fall into one of the six authentication factors listed below. Using these factors in combination and deriving a risk-based calculation as the basis of the authentication process is called adaptive authentication.
- Something you know (also known as Type 1 authentication factor), such as a password, personal identification number (PIN) or passphrase.
- Something you have (also known as Type 2 authentication factor), such as a smart card, memory card or a token.
- Something you are (biometrics) (also known as Type 3 authentication factor), such as a fingerprint, palm topology, hand geometry, iris/retina scan or face recognition.
- Something you do (behavioral biometrics) (also known as Type 3 authentication factor), such as a typing pattern (keystroke dynamics), signature pattern (signature dynamics) or voice pattern.
- Somewhere you are (also known as Type 4 authentication factor), such as a location or IP address with which authentication is conducted.
- Sometime you do (also known as Type 5 authentication factor), such as a time window of opportunity in which authentication is expected to take place.
How Does It Work?
As the name implies, in adaptive authentication the authentication process adapts to the user’s trustworthiness, which is calculated by taking into account the results of two or more authentication factors. If this risk-based trustworthiness value is above a predefined threshold, the user is allowed to log in to the system. Otherwise, additional security checks are made before the user is allowed into or denied access to the system.
In adaptive authentication, trustworthiness of a user can be estimated in three ways:
- A set of static rules (policies) can be used to determine the risk level of a user, according to the authentication factor metrics.
- An anomaly based approach can be employed, that is, the system can learn the typical characteristics of a user over time and measure the deviations from the learned normal to assign an authentication trust value.
- A combination of both methods can be used.
Common Adaptive Authentication Practices
Though more examples can be given, some of the commonly used adaptive authentication practices are as follows:
Device Recognition (Something You Have): On the next login attempt, the system checks whether the same device or a different one is being used. If the same device is used to log in to a system, additional authentication steps might not be requested from the user.
Geo-Location (Somewhere You Are): Any anomaly in the location from which the user usually makes authentication requests is detected, and the user is required to take additional authentication steps before the authentication decision is made.
Geo-Velocity (Somewhere You Are): In this method, if the current login location of a user is different from the last login location, the system checks whether it is possible to travel between those locations within the time between the two logins. If the resulting geo-velocity value is not possible by any means of transportation, the user is asked to follow additional authentication steps. (Note: You can try using a VPN to log in to your bank account a second time immediately after a normal login attempt to see what happens.)
Authentication Time (Sometime You Do): Any anomaly in a user’s common login times is detected, and the user is required to take additional authentication steps.
Keystroke Dynamics (Something You Do): In this method, the typing pattern of a user during the login attempt is compared against the user’s learned typing pattern to check the trustworthiness of the user.
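The geo-velocity check described above can be sketched as follows. This is an added example, not code from the original article; the speed ceiling, the minimum distance and the sample logins are assumptions chosen for illustration.

```python
import math
from datetime import datetime, timedelta, timezone

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 1000.0  # assumption: faster than a commercial flight is impossible
MIN_DISTANCE_KM = 50.0      # assumption: below this, IP geolocation error dominates


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two coordinates, in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def geo_velocity_decision(prev, curr):
    """Compare two logins (dicts with 'lat', 'lon', 'time').

    Returns (decision, speed_kmh) where decision is 'allow' or 'step_up'.
    """
    distance = haversine_km(prev["lat"], prev["lon"], curr["lat"], curr["lon"])
    if distance < MIN_DISTANCE_KM:
        return "allow", 0.0
    hours = (curr["time"] - prev["time"]).total_seconds() / 3600.0
    if hours <= 0:
        # Distant logins at the same instant (or out of order) cannot be travel.
        return "step_up", math.inf
    speed = distance / hours
    return ("step_up" if speed > MAX_PLAUSIBLE_KMH else "allow"), speed


# Constructed sample logins (not real data).
T0 = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)
ISTANBUL = {"lat": 41.01, "lon": 28.98, "time": T0}
NEW_YORK_30_MIN = {"lat": 40.71, "lon": -74.01, "time": T0 + timedelta(minutes=30)}
NEW_YORK_12_H = {"lat": 40.71, "lon": -74.01, "time": T0 + timedelta(hours=12)}

if __name__ == "__main__":
    for later in (NEW_YORK_30_MIN, NEW_YORK_12_H):
        decision, speed = geo_velocity_decision(ISTANBUL, later)
        print(f"{decision}: {speed:,.0f} km/h")
```

The minimum-distance guard keeps coarse IP geolocation from triggering step-up prompts for users who have not actually moved.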
Difference Between Regular and Adaptive MFA
Note that all the authentication factors described above can be used in either a regular or an adaptive MFA process. If a rule-based algorithm makes the authentication decision based on discrete values of 0 (Deny) or 1 (Allow), the approach is regular MFA. If the authentication decision is based on a risk value between 0 and 1, and the authentication steps adapt according to this risk value (that is, the trustworthiness of the user), the method is called adaptive MFA.
Let’s use the sometime you do authentication factor to explain the difference between these two approaches. If a user is simply allowed to log in to a system during normal office hours and denied after office hours, this is regular MFA. Alternatively, if the user is assigned a trustworthiness value according to how anomalous the login time is compared with the user’s common login times, and further authentication steps are applied adaptively, this approach is called adaptive authentication.
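The login-time example above, with the binary rule next to a trust-based decision. This is an added example, not code from the original article; the office hours, the 0.6 threshold, the scoring formula and the login history are assumptions made for illustration.

```python
from collections import Counter


def regular_decision(hour, office_start=9, office_end=18):
    """Regular MFA rule: 1 (Allow) inside office hours, 0 (Deny) outside."""
    return 1 if office_start <= hour < office_end else 0


def time_trust(history_hours, hour, window=1):
    """Trust in [0, 1] for a login at `hour`, learned from past login hours.

    Counts past logins within +/- `window` hours (wrapping at midnight) and
    scales by the user's busiest such window.
    """
    if not history_hours:
        return 0.0  # no learned profile yet, so this factor adds no trust
    counts = Counter(h % 24 for h in history_hours)

    def near(h):
        return sum(counts[(h + d) % 24] for d in range(-window, window + 1))

    peak = max(near(h) for h in range(24))
    return near(hour) / peak


def adaptive_decision(trust, threshold=0.6):
    """Adaptive MFA: allow above the threshold, otherwise ask for more proof."""
    return "allow" if trust >= threshold else "step_up"


# Constructed login history (hour of day) for one hypothetical user.
HISTORY = [8, 9, 9, 9, 10, 9, 8, 10, 9, 13, 9, 8, 21, 9, 10]

if __name__ == "__main__":
    for hour in (8, 9, 11, 20):
        trust = time_trust(HISTORY, hour)
        print(f"{hour:02d}:00  regular={regular_decision(hour)}  "
              f"trust={trust:.2f}  adaptive={adaptive_decision(trust)}")
```

At 08:00 the binary rule denies a user who habitually logs in at that hour, while the adaptive path allows the login; at 20:00 the adaptive path asks for an additional factor instead of denying outright.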
Relation to Continuous Authentication
Continuous authentication confirms the identity of a subject or user on an ongoing basis rather than making a single authentication check at login. In other words, the authentication mechanism continues to verify the identity of a user during the user session.
As example use cases, if a hardware token is required in addition to a user name and password, the hardware token could be checked continuously during a session to determine whether it is still plugged in. A more contemporary example is using the keystroke dynamics of a user during a session to determine whether the current user is the same person as the logged-in user.
To learn more about the authentication mechanisms, you could also read our article What Is Multi-Factor Authentication?