
So what exactly is Adaptive Multi-Factor Authentication?

Ljubica Lazarevic
Nov 7

Introduction

With the explosion of apps and online services, strong authentication has never been more important. We’re asked for codes, references and other details to verify that we are who we say we are. But have you ever wondered what all of these different authentication mechanisms are and what they do?

What is Multi-Factor Authentication (MFA)?

Multi-Factor Authentication is an authentication approach that requires a user to provide at least two verification types (known as factors) to get access to a resource such as a website, a mobile phone app, or other services. Users will typically use factors such as one-time passwords (OTPs) delivered via SMS and email, or authenticator apps such as Google Authenticator and Microsoft Authenticator.

What is Adaptive MFA and why is it useful?

MFA is extremely important, especially when dealing with sensitive data or accessing special services such as organizational operational data, personal information, and banking.

  • Number of login attempts.
  • Evaluable Execution Context — injectable variables such as request parameters, so if someone comes from a certain domain we can skip MFA.

Remember my device (please!)

Another thing we can do to pragmatically cut down the number of times MFA is requested on a specific device is to consent to having our device remembered for a period of time. When a user goes through the login process, they are presented with the option for their device to be remembered. If they opt in for this, then for a specified number of hours/days their device will be remembered, and the user will not be prompted for an additional factor for authentication, thereby improving the overall login experience. Note that Adaptive MFA is still well and truly in the picture and, as discussed above, should unusual behavior be spotted, it will override the request to remember the device.
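The rules described above (login-attempt count, request context, remembered device) combined into one decision function. This is an added example, not code from the article or from any product it describes. The secret, thresholds, domain name and function names are assumptions, and checking the risk signal first is one way to let unusual behavior override a remembered device.

```python
import hashlib
import hmac
import json

# All constants below are assumptions constructed for this example.
SECRET = b"constructed-demo-key"    # server-side signing key
REMEMBER_SECONDS = 7 * 24 * 3600    # "remember my device" window
MAX_FAILED_ATTEMPTS = 3             # login-attempt threshold
TRUSTED_DOMAINS = {"corp.example"}  # domain allowed to skip MFA


def _sign(user, device_id, expires):
    # JSON encoding keeps the signed fields unambiguous.
    msg = json.dumps([user, device_id, expires]).encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def issue_device_token(user, device_id, now):
    """Issue a token binding user, device and expiry after a successful MFA."""
    expires = int(now) + REMEMBER_SECONDS
    return f"{expires}.{_sign(user, device_id, expires)}"


def device_is_remembered(user, device_id, token, now):
    """True only for an unexpired token with a valid signature."""
    try:
        expires_str, sig = token.split(".", 1)
        expires = int(expires_str)
    except (AttributeError, ValueError):
        return False
    expected = _sign(user, device_id, expires)
    return hmac.compare_digest(sig.encode(), expected.encode()) and now < expires


def mfa_required(user, device_id, token, failed_attempts, request_domain, now):
    """Return (required, reason); risk signals are checked before skip rules."""
    if failed_attempts >= MAX_FAILED_ATTEMPTS:
        return True, "too many login attempts"  # overrides a remembered device
    # request_domain must be derived server-side, never taken from a raw client value.
    if request_domain in TRUSTED_DOMAINS:
        return False, "trusted domain"
    if device_is_remembered(user, device_id, token, now):
        return False, "remembered device"
    return True, "default"
```

Because the token is bound to the user and device and carries its own expiry, a token copied to another account or replayed after the window falls through to the default MFA prompt.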

But my phone is all the way downstairs…

Alternative MFA verification methods are also supported. The provider of the service can allow a user to enroll with a specific factor, e.g. Google Authenticator. They can also allow a number of different factors for the user to choose to authenticate themselves with, e.g. an email. In this way, if the user goes through the login flow and, for example, doesn’t have access to their phone, they can choose another factor that is more convenient for them.

Wrap up

We’ve provided an overview of what MFA and Adaptive MFA are and what they bring: not only sound security around application and service access, but also the ability to deliver a pragmatic, pleasant user experience across the login flow.
