Last updated on April 23, 2024
Over the years, Adaptive Authentication has become a popular topic among cybersecurity professionals. And for a good reason. Here’s why standard Multi-Factor Authentication (MFA) may not be enough and how Adaptive Authentication can benefit your workforce.
Multi-Factor Authentication (MFA) Is Not Enough
Back in the day, Multi-Factor Authentication (MFA) was enough. In the first step, you had to provide your login and password. In the second step, you had to tap a push notification or rewrite an SMS passcode. When completed, you were logged in to your account. Simple and secure.
Nowadays, more and more organizations and individual professionals become aware that it is no longer enough to provide a secure login experience. Modern systems are much more advanced – they do not just protect you but also adapt themselves to the circumstances.
From the user’s point of view, there is little to no change. But in reality, their login experience is now wrapped in a new, exciting solution.
What Is Adaptive Authentication?
Adaptive Authentication is a model of a system that modifies user authentication depending on security risks associated with each login.
What this means is that the process of verifying the identity of a user may be different for the same user who logs in to three different applications:
Similarly, a system may ask three different users who log in to the same application to confirm their identity in three different ways.
There are at least two ways to achieve this:
- A system automatically assesses the risks based both on known threats and the current transaction (time of day, geolocation, IP address)
- A system allows administrators to define risk levels based on their assessment of threats and other factors such as user role, IP address, or the perceived security of login
What Is Risk-Based Authentication?
Risk-Based Authentication is a synonym for Adaptive Authentication.
Some experts prefer to use the name Risk-Based Authentication. This makes sense because Risk-Based Authentication (or Adaptive Authentication, if you will) is all about determining the risks associated with authentication.
Username and password are not enough. But you do not necessarily need to apply the strongest authentication factors to all your applications. Not all applications contain important data, and your users want comfort as much as they want security. If you care about user experience, it is best to assess the level of authentication based on the perceived risks. And this is what Adaptive Authentication does.
Multi-Factor Authentication vs. Adaptive Authentication
Adaptive Authentication enables you to apply different flexible strategies to different authentication scenarios based on a defined set of criteria. In contrast, standard Multi-Factor Authentication is static, which means MFA cannot be adapted depending on the circumstances.
Moreover, MFA is a short process. It has a distinct beginning and end. On the other hand, Adaptive Authentication is an ongoing process. It starts long before any user attempts to log in and does not end after the user gains access to an account.
These two solutions are not mutually exclusive. Quite the contrary, combining them results in greater security. Multi-Factor Authentication enhanced with Adaptive Authentication can be very powerful but comes with a challenge.
Challenge
One of the best things about Adaptive Authentication is its flexibility. Unfortunately, flexibility is also one of the most challenging things about Adaptive Authentication.
Take, for example, a situation in which you would like to define different authentication procedures for users logging in to an application. You would like to deny access to user Bob. Also, you want user Alice to log in to one application but not the other. Then, you want to allow user Sam to use a specific authentication method only. That’s just users. What about applications?
“One of the best things about Adaptive Authentication is its flexibility. Unfortunately, flexibility is also one of the most challenging things about Adaptive Authentication.”
One application should allow you to log in using SMS Passcodes, but other applications should not. Another application should allow the use of Trusted Devices but only for a day while yet another application for a week. And then we have another dozen applications… Are you still following? If not, you cannot blame yourself because real-life MFA scenarios can get muddled and confusing. It is, therefore, crucial to find a way out of this chaos and let in some order.
It would not be a stretch to say that Adaptive Authentication is sensational. However, Adaptive Authentication is also a challenge in and of itself and brings more chaos than order if mishandled. Consequently, a security system has to devise a way to satisfy complex requirements while allowing a way to define behavior on the application and user levels.
So far, two things are clear:
- Standard, inflexible Multi-Factor Authentication is not enough for real-life scenarios.
- Adaptive Authentication has to be highly customizable but also clear and simple.
Rublon Solves the Challenge of Adaptive Authentication
A chaotic cornucopia of different applications and all possible ways of handling user access may give you a headache. You need a clean, resilient way of introducing Adaptive Authentication to your workforce.
A reasonable thing to do would be to consider potential risks and vulnerabilities involved with logging in to each application and somehow control MFA accordingly. And that’s what Rublon helps you to do, thanks to the far-reaching power of Access Policies.
Problem
Standard MFA is not flexible enough for real-life scenarios.
Challenge
Come up with a tidy and flexible way to define authentication behavior on application level.
Solution
Introduce the concept of Access Policies to turn chaos into order.
Rublon
Rublon solves the challenge by introducing Rublon Policies.
Rublon Policies empowers you to turn chaos into order using a simple yet impeccable concept of an application-based approach to Adaptive Authentication.
Rublon Policies consists of the Global Policy that applies to all your applications by default and an infinite number of Custom Policies that override the Global Policy. You can assign a Custom Policy to one or more of your applications, so it is possible to create a policy for a cluster of similar applications, e.g., all your VPNs or all your RDPs. Custom Policies are flexible and highly modifiable.
All in all, the concept of Rublon Policies can be reduced to the following essential steps:
- Define a policy.
- Assign the policy to one or more applications.
- PROFIT!
Learn how to control every step of authentication with Rublon Policies
With Rublon, you can also apply Adaptive Authentication to users. You might want to enforce MFA only on selected high-risk users while bypassing all others.
Both application- and user-based Adaptive Authentication is controlled in the Rublon Admin Console, a powerful management tool for you to manage all things Rublon.
Frequently Asked Questions
Find answers to some of the most common questions about Adaptive Authentication.
Why should I use Adaptive Authentication in the first place?
While standard MFA is great in its simplicity and does its job of securing your workforce against unauthorized access, such a static MFA system hardly gives you a way to control the authentication process. Nowadays, users log in to a multitude of applications. A simple approach of defining a static set of rules for all applications is not enough anymore. Adaptive Authentication introduces a paradigm of different rules for different applications based on a set of criteria, most often on security risks involved with each application. Such risk-based adaptive authentication is a much-needed element of every modern company.
Why are Access Policies the best solution to the challenge of Adaptive Authentication?
First of all, access policies are clean and understandable. You do not have to spend time trying to grasp what is going on in your security system because the one-policy-per-application rule eliminates all doubt and confusion. Second of all, Access Policies are easy to modify. You can change a policy for a single application, or many of them, in a matter of seconds, saving a lot of time and effort. Last but not least, Rublon Policies fully integrate with the rest of Rublon’s security measures, so you do not have to worry about compatibility with Single Sign-On or MFA. Rublon Policies are an integral part of the Rublon Admin Console and work out of the box as soon as you register to the Rublon Admin Console.
What are some real-life examples of Adaptive Authentication?
One of our clients uses Rublon Policies to control user authentication based on estimated security risk levels. Their approach is congruent with a common risk-based pattern in Adaptive Authentication and thus proves a good example of Adaptive Authentication in practice. They keep things simple and define just three policies whose names come from the risk levels associated with each policy:
- Low-Risk Policy
- Medium-Risk Policy
- High-Risk Policy
The Low-Risk Policy applies to applications whose estimated security risks are low and allows every user to use all authentication methods. In addition, it asks Rublon to remember the user’s device for up to a week. The Low-Risk Policy bypasses MFA for a defined IP range.
The Medium-Risk Policy applies to applications whose estimated security risks are medium and allows users to use all authentication methods less Email Link. The Medium-Risk Policy allows every user to ask Rublon to remember their device, but the device is remembered for only 24 hours. No IPs are bypassed.
The High-Risk Policy applies to applications whose estimated security risks are high and allows users to authenticate using only Mobile Push or WebAuthn/U2F Security Key. The High-Risk Policy does not allow users to ask Rublon to remember their devices. No IPs are bypassed.
