Adaptive and multi-factor authentication: What is the difference and what are the benefits?

Posted: September 22nd 2016

Understand multi-factor authentication (MFA) but not adaptive authentication? Not sure where one term ends and the other begins? Keen to know what all the adaptive noise is about? Read on…

MFA & adaptive authentication: what’s the difference?

Think of it like this: adaptive authentication is an evolved form of MFA. It applies the principles of MFA, but instead of issuing blanket procedures for everyone to follow under all circumstances, it issues challenges intelligently, according to a predetermined risk model. This enables an organisation to apply precisely the right level of gateway security to each and every login request.

An adaptive system is purpose-built to assess a user’s login, along with their post-login activities, to determine the level of risk their access request poses to the business. Appropriate levels of authentication are then triggered to protect an organisation’s data, websites, portals, browsers and applications.

What are the benefits of adaptive authentication?

There are a variety of significant benefits that set adaptive authentication apart from traditional multi-factor authentication:

It optimises the user’s security experience.

None of us want our network experience to be inhibited by needlessly heavy-handed levels of authentication. At the same time, however, we all accept that some access requests require more security than others. Adaptive authentication enables precisely the most appropriate level of ‘friction’ to be applied to each and every access request. Looking beyond traditional binary authentication to adaptive risk-based solutions allows companies to maintain strong data security but not at the expense of usability.

It enables the IT department to embody an organisation’s risk policies.

An organisation can lock down its most sensitive gateways with strong multi-factor authentication, ensuring only those with network clearance can participate in the authentication process (blocking entry completely for everyone else). At the same time, unfettered access (or a weaker form of authentication like a username and password) can be applied when access to non-sensitive data is requested.

It solves the BYOD security headache.

In the age of BYOD, everyone wants to access corporate data remotely, from different devices.

Not only can adaptive authentication differentiate between different mobile devices (and their varying security vulnerabilities), it can also address the risks associated with the remote access networks used to connect to the corporate gateway. For example, if an employee uses a lower risk connection, like connecting their work-protected laptop to the corporate network while in the head office, an adaptive authentication platform could apply only a basic authentication challenge, such as a username and password. Should that employee switch to their personal smartphone, however, and attempt to connect beyond the network perimeter, via Starbucks public Wi-Fi, for example, an adaptive authentication platform would automatically recognise the increase in risk and apply a stronger authentication challenge before granting access, if indeed it grants it at all. All such scenarios can be planned for, assessed for risk, and dealt with accordingly.

It evolves in line with the evolution of the business.

With an adaptive authentication solution, the benefits of mobility and remote access can be harnessed without sacrificing security. Need to expand a remote workforce? No problem. The Board approves a new remote working policy? Great – let’s set the risk parameters and enable everyone to connect in the most convenient manner possible. Need to respond to an overseas cyber threat? Now you can do so precisely by locking down access requests that conform to a defining set of criteria, enabling the rest of the business to continue to function uninterrupted.
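The risk model described in the sections above (sensitive versus non-sensitive gateways, the managed laptop versus the personal phone on public Wi-Fi, and a targeted lockdown) can be sketched as a small policy function. This is an added example, not code from the original post or from any vendor product; the signal names, weights, thresholds and placeholder country codes are all assumptions.

```python
from dataclasses import dataclass

# Signal names, weights and thresholds are assumptions chosen for illustration.
NETWORK_RISK = {"corporate": 0, "home": 20, "public_wifi": 40}

@dataclass(frozen=True)
class LoginRequest:
    device_managed: bool   # work-protected laptop vs personal device
    network: str           # key of NETWORK_RISK
    country: str           # geo-location of the source address
    sensitive: bool        # does the requested gateway hold sensitive data?

def risk_score(req: LoginRequest) -> int:
    score = NETWORK_RISK.get(req.network, 40)  # unknown network: treat as public
    if not req.device_managed:
        score += 30
    if req.sensitive:
        score += 30
    return score

def decide(req: LoginRequest, locked_countries=frozenset()) -> str:
    """Return the challenge for one request: 'password', 'mfa' or 'deny'."""
    # Targeted lockdown: only requests matching the criterion are refused.
    if req.country in locked_countries:
        return "deny"
    score = risk_score(req)
    if score >= 90:
        return "deny"
    if score >= 30:
        return "mfa"
    return "password"

# Constructed sample requests ("AA" and "XX" are placeholder country codes).
office_laptop = LoginRequest(True, "corporate", "AA", False)
cafe_phone = LoginRequest(False, "public_wifi", "AA", False)
cafe_phone_sensitive = LoginRequest(False, "public_wifi", "AA", True)
office_sensitive = LoginRequest(True, "corporate", "AA", True)
abroad_laptop = LoginRequest(True, "corporate", "XX", False)

if __name__ == "__main__":
    for name, req in [("office laptop", office_laptop), ("cafe phone", cafe_phone),
                      ("cafe phone, sensitive", cafe_phone_sensitive),
                      ("office, sensitive", office_sensitive)]:
        print(f"{name}: score={risk_score(req)} -> {decide(req)}")
    print("lockdown XX:", decide(abroad_laptop, frozenset({"XX"})))
```

The lockdown check runs before scoring, so a request that matches the lockdown criterion is refused however low its score, while every other request is decided exactly as before.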

Who uses adaptive authentication?

Adaptive authentication has been successfully applied to verify the identity of access requestors across a variety of different sectors, particularly in government services and banking. As the popularity of the system increases, so too does the information gathered in order to provide a risk-of-fraud assessment. Information such as geo-locations, behavioural profiling and device profiling allows for an increasingly varied data range that is enabling adaptive authentication to become perpetually smarter and more efficient.
