Adaptive multifactor authentication (MFA) is a security mechanism that authenticates and authorizes users by evaluating a variety of contextual factors alongside the credentials they present.
Adaptive MFA poses different sets of authentication requirements based on the user group attempting to access the application or data, as well as the risk profile or risk level associated with that access.
Adaptive MFA is sometimes called risk-based authentication.
Adaptive MFA takes conventional MFA further by coupling MFA practices with security policies and a dynamic, or adaptive, assessment of context and risk.
Consider a clinician who normally works on site: adaptive MFA would look at the security policy for that user and group, then determine that access should be granted from the local area network during regular weekday business hours.
If a login attempt is made outside of those criteria - on a weekend, outside of normal business hours, from an IP address not on the LAN, or after multiple incorrect password attempts - the adaptive MFA system might assess the attempt as higher risk than the established risk profile for that user allows, and respond with an additional challenge.
An adaptive MFA system might impose different security challenges for different user groups, elevating the complexity or scope of security challenges based on risk.
The fundamental justification and purpose of adaptive MFA is to improve enterprise security by ensuring only authorized users can access business applications and data.
Adaptive MFA can pose fewer challenges for users who behave in expected ways.
For the clinician example, adaptive MFA might allow a doctor to log in once or only every few hours during the day.
Adaptive MFA works by coupling the authentication process with a risk analysis.
It's important to note that adaptive MFA operates throughout the user's session, not just during the initial login.
Sensitive roles will receive more scrutiny from adaptive MFA systems.
When a user's interactions raise their risk score, an adaptive MFA system might require additional information to complete or update the authentication process.
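The clinician scenario above (LAN, business hours, failed-password attempts) and the risk-score mechanism described in the last few paragraphs can be made concrete with a small policy engine. The following is an added example written for this page, not TechTarget's code or any vendor's product; the signal weights, the per-group thresholds, the four-hour step-up validity window and the sample policies and events are all illustrative assumptions. It scores each request against the group's expected-behaviour baseline, maps the score to allow / step-up / deny, gives a sensitive (admin) group lower thresholds, and re-evaluates every event in a session rather than only the login so that a mid-session move off the trusted network triggers a step-up while a recently passed step-up is not demanded again.

```python
"""Toy risk-based (adaptive MFA) decision engine.

Added example for illustration only. Every weight, threshold, policy
name and sample event below is an assumption, not a standard or a
vendor default.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


class Action(Enum):
    ALLOW = "allow"        # existing credentials / session suffice
    STEP_UP = "step_up"    # demand an additional factor before continuing
    DENY = "deny"          # refuse the request and raise an alert


@dataclass(frozen=True)
class Policy:
    """Per-group policy: where and when access is expected, and how much
    risk the group tolerates before a step-up or a denial."""
    trusted_networks: Tuple[str, ...]
    business_hours: range = range(8, 18)          # 08:00-17:59 local time
    business_days: range = range(0, 5)            # Monday (0) to Friday (4)
    step_up_threshold: int = 40
    deny_threshold: int = 70
    mfa_validity: timedelta = timedelta(hours=4)  # how long a passed step-up stays fresh


@dataclass
class Context:
    """Signals observed for one request (the login or an in-session action)."""
    source_ip: str
    when: datetime
    failed_attempts: int = 0   # recent wrong-password attempts on this account


@dataclass
class Session:
    last_mfa_at: Optional[datetime] = None   # when the user last passed a step-up


def risk_score(ctx: Context, policy: Policy) -> Tuple[int, List[str]]:
    """Score a request against the group's baseline; weights are assumptions."""
    score, reasons = 0, []
    ip = ip_address(ctx.source_ip)
    if not any(ip in ip_network(net) for net in policy.trusted_networks):
        score += 40
        reasons.append("off-network source")
    if ctx.when.weekday() not in policy.business_days:
        score += 20
        reasons.append("weekend")
    elif ctx.when.hour not in policy.business_hours:
        score += 15
        reasons.append("outside business hours")
    if ctx.failed_attempts:
        score += min(15 * ctx.failed_attempts, 45)   # capped so it cannot dominate alone
        reasons.append(f"{ctx.failed_attempts} failed password attempt(s)")
    return score, reasons


def decide(ctx: Context, policy: Policy, session: Session) -> Tuple[Action, int, List[str]]:
    """Map a risk score to an action, honouring a step-up that is still fresh."""
    score, reasons = risk_score(ctx, policy)
    if score >= policy.deny_threshold:
        return Action.DENY, score, reasons
    mfa_fresh = (session.last_mfa_at is not None
                 and ctx.when - session.last_mfa_at < policy.mfa_validity)
    if score >= policy.step_up_threshold and not mfa_fresh:
        return Action.STEP_UP, score, reasons
    return Action.ALLOW, score, reasons


def evaluate_session(events: List[Context], policy: Policy) -> List[Action]:
    """Re-evaluate risk on every event, not only at login. A completed step-up
    is recorded so it is not demanded again inside the validity window."""
    session, actions = Session(), []
    for ctx in events:
        action, _, _ = decide(ctx, policy, session)
        actions.append(action)
        if action is Action.STEP_UP:
            session.last_mfa_at = ctx.when   # assume the user passes the challenge
    return actions


# Constructed sample policies and timestamps (2024-06-03 is a Monday).
CLINICIAN = Policy(trusted_networks=("10.0.0.0/8",))
ADMIN = Policy(trusted_networks=("10.0.0.0/8",), step_up_threshold=15, deny_threshold=50)
MON_10 = datetime(2024, 6, 3, 10, 0)   # Monday, business hours
MON_11 = datetime(2024, 6, 3, 11, 0)
MON_16 = datetime(2024, 6, 3, 16, 0)
MON_22 = datetime(2024, 6, 3, 22, 0)   # Monday, after hours
SAT_23 = datetime(2024, 6, 8, 23, 0)   # Saturday night

if __name__ == "__main__":
    print(decide(Context("10.0.1.25", MON_10), CLINICIAN, Session()))
    print(decide(Context("203.0.113.7", SAT_23, failed_attempts=3), CLINICIAN, Session()))
    print(evaluate_session([Context("10.0.1.25", MON_10), Context("203.0.113.7", MON_11),
                            Context("203.0.113.7", MON_16)], CLINICIAN))
```

The same after-hours, on-network request is allowed for the clinician group but forces a step-up for the admin group, which is the "sensitive roles receive more scrutiny" point expressed purely as policy data rather than separate code paths. In a real deployment the weights would be tuned against observed login telemetry and the `reasons` list would be written to the audit log so that analysts can see why a challenge or denial was issued.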
There are few formal guidelines or best-practices for creating an adaptive MFA policy.
Several practices can be implemented as a starting point for adaptive MFA policy.
Adaptive MFA vendors typically ship a default policy that dictates basic adaptive behaviors, which can serve as a baseline to tune.
Adaptive MFA is a relatively narrow security function with one principal goal: impose security requirements or responses that are appropriate for a given risk level.
An adaptive MFA policy should be created and reviewed by a collaborative group of IT, business and legal leaders to ensure the resulting policy can be implemented while meeting the enterprise's business goals and regulatory/compliance obligations.
An adaptive MFA policy should be reviewed periodically to ensure it continues to meet business and legal requirements while employing new and emerging technologies to further enhance security while reducing user friction.
This Cyber News was published on www.techtarget.com. Publication date: Thu, 07 Dec 2023 22:13:04 +0000