Thank you (MFA), next.

Ishara Naotunna
Identity Beyond Borders
3 min read · Feb 1, 2019

Disclaimer: I do not like Ariana Grande. I just wanted a fun title.

We love passwords, don’t we? Truth be told, I used the same password for all my applications but with slight tweaks. I have also written my passwords down on a sticky note. I will also confess that I hate deleting cookies or even clearing my cache because I can’t keep track of them all. Once I tried to change my password, and it turned out I knew the right one all along. Passwords have been a thing since “open sesame” and we’re trying our best to move away from them given the inconvenience.

This is why Single Sign On (SSO) and identity federation (BYOID and using social logins) are a great experience for users. But before you get to that point, your apps need to recognize who you are. This is called authentication, where an application needs to validate a user’s identity before granting access. A username and password alone are no longer able to provide adequate security.

This is why multi-factor authentication (MFA) felt like such a blessing when it emerged. It’s the concept of combining two or more of:

  • What you have
  • What you know
  • What you are

in order to authenticate when logging into a system or an application. Financial companies jumped on the bandwagon by issuing a physical token: you enter the code it displays, in addition to your username and password, to gain access to your account. MFA was great for a while, partly because it was quite secure.

But here’s the downfall.

  • Hardware isn’t fun to carry around
  • Security questions are fine until someone checks your Facebook account to find out your pet’s name or your mother’s maiden name
  • Unless you’re a privileged user, an average user won’t need tight security to access certain resources
  • Vulnerability to attacks

So while the security factor was fine to a certain extent, it didn’t score well on the usability front. From the point of view of identity administrators, MFA was also restrictive when it came to the authentication flow.

Hence the evolution towards adaptive authentication. A lot of products I’ve noticed call this smart, intelligent or adaptive MFA. So it isn’t necessarily a “replacement” of MFA but an “upgrade” that uses MFA methods and gives a better experience.

Here’s a better definition.

Adaptive authentication is the use of context, such as the user’s risk profile and behavior, identity attributes, environmental attributes, device type and geolocation, to authenticate a user. This means that if person A wants to log in to application B, the system analyzes the profile, IP address and similar signals to decide how to authenticate them, rather than always demanding the fixed number of steps that MFA would usually require.

Recently my team mates from the WSO2 Identity Server team, Thanuja Jayasinghe and Thiyagarajah Abilashini, hosted an excellent webinar on adaptive authentication [Abilashini also co-wrote this white paper on the same theme]. If you’re short on time, here’s a quick tip. At 30:31 he will take you through a demo of how WSO2 Identity Server provides adaptive authentication. This gives you an overview of how WSO2 has implemented adaptive authentication from an identity administrator’s point of view.

The interesting part about how WSO2 Identity Server provides adaptive authentication is that it offers ready-made scripting templates. This way identity administrators have easy and full control of the authentication flow. You’re also able to quickly integrate with external systems and risk engines, and keep complex authentication policies much simpler.
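To make the context-driven decision described in the definition above, and the kind of policy a scripted authentication flow lets an administrator express, concrete, here is a small added example. It is a stand-alone model written for this page, not code from WSO2 Identity Server or its adaptive script API; the user baseline, the flagged-IP list, the sample login attempts and every function and field name are constructed assumptions. It scores a login attempt from device, geolocation and IP-reputation signals, then decides whether the user gets password-only, password plus OTP, or a refusal that is logged for review.

```javascript
// Added example: a minimal risk-based step-up policy of the kind adaptive
// authentication makes possible. Not WSO2 Identity Server's scripting API;
// all names, thresholds and data below are assumptions for illustration.

// Constructed per-user baseline, as an IdP or risk engine might keep it.
const userBaseline = {
  alice: { knownDevices: ["dev-a1"], usualCountries: ["LK"], privileged: false },
  bob:   { knownDevices: ["dev-b7"], usualCountries: ["US"], privileged: true },
};

// Constructed deny-list of source IPs (stands in for a reputation feed).
const flaggedIps = new Set(["203.0.113.9"]);

// Score one login attempt from its context signals; higher means riskier.
// An unknown user scores maximum risk so the policy fails closed.
function scoreRisk(username, ctx) {
  const base = userBaseline[username];
  if (!base) return { score: 100, reasons: ["unknown user"] };
  const reasons = [];
  let score = 0;
  if (!base.knownDevices.includes(ctx.deviceId)) { score += 30; reasons.push("new device"); }
  if (!base.usualCountries.includes(ctx.country)) { score += 40; reasons.push("unusual geolocation"); }
  if (flaggedIps.has(ctx.ip)) { score += 60; reasons.push("flagged ip"); }
  return { score, reasons };
}

// Turn the score into the steps the user must complete.
// Low risk: password only. Medium: add an OTP. High: refuse and keep the
// reasons so an administrator can review the attempt.
function decideSteps(username, ctx) {
  const { score, reasons } = scoreRisk(username, ctx);
  const base = userBaseline[username];
  if (score >= 80) return { allow: false, steps: [], reasons };
  const steps = ["password"];
  // Privileged accounts always get a second factor, whatever the context.
  if (score >= 30 || (base && base.privileged)) steps.push("otp");
  return { allow: true, steps, reasons };
}

// Constructed sample attempts, run when the file is executed directly.
const sampleAttempts = [
  ["alice",   { deviceId: "dev-a1", country: "LK", ip: "198.51.100.4" }],
  ["alice",   { deviceId: "dev-x9", country: "LK", ip: "198.51.100.4" }],
  ["alice",   { deviceId: "dev-x9", country: "DE", ip: "198.51.100.4" }],
  ["bob",     { deviceId: "dev-b7", country: "US", ip: "198.51.100.4" }],
  ["mallory", { deviceId: "dev-m1", country: "US", ip: "203.0.113.9" }],
];
for (const [user, ctx] of sampleAttempts) {
  console.log(user, JSON.stringify(decideSteps(user, ctx)));
}
```

The point of the structure is that the signals and the thresholds are the administrator's to tune: a familiar device from a usual country costs the user nothing beyond a password, a new device or location adds one factor, and a flagged source or unknown account is refused with the reasons recorded, which is exactly the flexibility a fixed MFA flow lacks.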

Since you reached the end, I’m throwing a bonus. We’re hosting a webinar next week on why it might be a wise move to get yourself an upgrade from MFA to adaptive authentication. Till then, keep calm and authenticate!

Ishara Naotunna
Identity Beyond Borders

Head of Product marketing at Vetstoria. Bibliophile and loves dogs. Maynard James Keenan and Dave Grohl are my imaginary homies. Music heals.