Demystifying Adaptive Multi-Factor Authentication
Hey there! Since you have stumbled upon this article, I'm assuming you have probably heard the phrase "Adaptive Multi-Factor Authentication" and are now wondering what the heck it is!
Fret not thyself, stranger, because I will explain it to you.
Multi-Factor Authentication (MFA)
Let’s first talk about multi-factor authentication. When something is secured by MFA, it means you need to prove your identity in two or more different ways (called authentication factors by the folks in the biz) to access it.
Let me give you an actual example of a typical MFA login flow:
Here, the user first has to enter their email and password (the first authentication factor: something they know) and then enter a one-time password (OTP) from a TOTP app, an SMS, or an email (the second authentication factor: something they have) to access the application. Keep in mind that these second factors are not equally strong: an SMS or email OTP is easier to intercept or phish than a code from an authenticator app, so prefer TOTP (or a hardware security key) where you can.
The main goal of MFA is to provide an additional layer of security to the resource so that even if one authentication factor is compromised, an attacker still has at least one more barrier to breach before successfully breaking into the resource.
Feel free to read this article if you want to know more about MFA.
Security vs User Experience (UX) of MFA
In traditional MFA, additional security comes at the cost of user experience. Think about a scenario where a user tries to log into a system but has to prove their identity in five different ways. Each additional authentication factor adds a layer of security, but the user will probably not be thrilled about it.
This is where adaptive multi-factor authentication comes into play.
Adaptive Multi-Factor Authentication
Adaptive multi-factor authentication is simply an extension of traditional MFA, where the authentication flow can be dynamically adapted to the level of risk associated with the user’s login attempt and the configured business rules.
Let’s look at a simple example:
The user enters their email and password as the first authentication factor. Then the identity provider (which runs the adaptive MFA flow) evaluates the risk of the login attempt based on the device used for it.
- If the login attempt comes from a device the user has not previously used to log into the application, the identity provider considers it a high-risk login attempt and prompts for TOTP as the second authentication factor.
- If the device has been used previously by the user to log in, the identity provider considers the login attempt low-risk and lets the user into the application without a second authentication factor. For this to be safe, a device should only count as "previously used" once the user has completed the second factor on it, the identity provider (not the client) must be the one that decides whether the device is known, and that trust should expire after a while.
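As an added example (this is not code from the original post or from any particular identity provider), here is how that device-based decision, plus one configured business rule, could be implemented. The function names, the HMAC-signed device cookie, the extra "new country" signal and the 30-day trust window are all assumptions of the example, not anything the post specifies.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed server-side secret for the example; load it from a secrets store in practice.
SERVER_KEY = b"example-only-server-key"
# How long a device stays trusted after its last successful second factor (assumed value).
DEVICE_TRUST_TTL = timedelta(days=30)


@dataclass
class User:
    username: str
    role: str = "user"
    # device_id -> UTC time of the last successful second factor on that device
    trusted_devices: dict = field(default_factory=dict)
    # countries seen on previous successful logins (a second, weaker signal)
    usual_countries: set = field(default_factory=set)


@dataclass
class LoginAttempt:
    device_token: Optional[str]  # cookie issued by record_mfa_success(), or None
    country: str                 # from IP geolocation: a client-influenced, untrusted signal
    now: datetime


def issue_device_token(device_id: str) -> str:
    """Bind the device id to this server with an HMAC so the client cannot forge trust."""
    mac = hmac.new(SERVER_KEY, device_id.encode(), hashlib.sha256).hexdigest()
    return f"{device_id}.{mac}"


def verify_device_token(token: Optional[str]) -> Optional[str]:
    """Return the device id if the token's HMAC checks out, else None."""
    if not token or "." not in token:
        return None
    device_id, mac = token.rsplit(".", 1)
    expected = hmac.new(SERVER_KEY, device_id.encode(), hashlib.sha256).hexdigest()
    return device_id if hmac.compare_digest(mac, expected) else None


def assess_login(user: User, attempt: LoginAttempt) -> dict:
    """Decide, after the password has been verified, whether a second factor is required.

    Returns {"risk": "low"|"high", "second_factor": None|"totp", "reasons": [...]}.
    """
    reasons = []
    device_id = verify_device_token(attempt.device_token)
    if device_id is None:
        reasons.append("unknown_or_forged_device")
    else:
        last_mfa = user.trusted_devices.get(device_id)
        if last_mfa is None:
            # Valid token, but never enrolled for THIS user (e.g. another user's cookie
            # on a shared machine): the device is not trusted for this account.
            reasons.append("device_not_enrolled")
        elif attempt.now - last_mfa > DEVICE_TRUST_TTL:
            reasons.append("device_trust_expired")
    if user.usual_countries and attempt.country not in user.usual_countries:
        reasons.append("new_country")
    if user.role == "admin":
        # Configured business rule: privileged accounts always get a second factor.
        reasons.append("policy_admin_always_mfa")
    if not reasons:
        return {"risk": "low", "second_factor": None, "reasons": []}
    return {"risk": "high", "second_factor": "totp", "reasons": reasons}


def record_mfa_success(user: User, now: datetime, country: Optional[str] = None) -> str:
    """Call this only after the TOTP was verified: enrol a fresh device id for the user
    and return the cookie value the client should present on later logins."""
    device_id = secrets.token_hex(8)
    user.trusted_devices[device_id] = now
    if country:
        user.usual_countries.add(country)
    return issue_device_token(device_id)
```

The point of the signed token is that "this device has been used before" is a claim the server makes from its own records, never something the client gets to assert; a cookie with a tampered device id fails `verify_device_token`, and a genuine cookie from a different user on the same machine is still not trusted for this account. Trust also only starts at `record_mfa_success`, i.e. after a second factor actually succeeded, and lapses after `DEVICE_TRUST_TTL`.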
As you can see, adaptive MFA keeps the login process secure while being less of a hassle for the user most of the time. The trade-off between security and user experience does not disappear entirely, though: the decisions are only as good as the risk signals feeding them, so a low-risk verdict based on a weak or spoofable signal is really just a missing second factor.
TL;DR
- With multi-factor authentication (MFA), you need to prove your identity in two or more different ways (authentication factors).
- There is a trade-off between security and user experience in traditional MFA.
- Adaptive MFA was introduced to soften this trade-off by keeping security high while being less of a hassle for the user.
- It does this by dynamically adapting the authentication flow based on the level of risk associated with the user’s login attempt and the configured business rules.
Alright, that's it for now! I hope you got some idea of what adaptive multi-factor authentication is. Let's talk about how we can leverage this concept of adaptive MFA to do some really cool stuff in the next article.