Adaptive Authentication
What is Adaptive Authentication?
Adaptive Authentication: An authentication approach that adjusts the strength and number of factors required in real time based on signals such as device, location, and behavior.
Adaptive authentication evaluates contextual signals at sign-in and during a session to vary the credentials required from a user. Inputs typically include device posture, IP reputation, geolocation, network type, time of day, prior behavior, and threat-intelligence feeds. NIST SP 800-63C describes how relying parties can combine assurance levels with such signals, and products from Microsoft Entra Conditional Access, Okta, Ping Identity, and Cisco Duo implement the pattern with policy engines and risk scoring. A low-risk login from a managed device on the home network may pass with a passkey; a higher risk score (new device, anonymizing proxy, unusual time) escalates to MFA, blocks, or quarantine. Adaptive authentication is foundational to zero-trust access strategies.
● Examples
- 01: Entra Conditional Access requiring MFA only when the user signs in from outside the corporate network.
- 02: An Okta policy blocking logins from anonymous Tor exit nodes regardless of password correctness.
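The decision flow described above (contextual signals in, a risk score, then allow, MFA, or block), as an added Python example that is not taken from this glossary or from any of the named products. The field names, weights, and thresholds are constructed assumptions; the hard-deny rule mirrors the anonymizing-proxy example and the off-network weight mirrors the MFA-outside-the-corporate-network example.

```python
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"        # primary factor (e.g. a passkey) is sufficient
    STEP_UP = "mfa"        # escalate to an additional factor
    BLOCK = "block"        # refuse even if the credentials are correct


@dataclass(frozen=True)
class SignIn:
    """Signals for one sign-in attempt; field names are hypothetical."""
    managed_device: bool
    known_device: bool
    on_corporate_network: bool
    anonymizing_proxy: bool
    hour_local: int                      # 0-23
    usual_hours: range = range(7, 20)    # constructed baseline of prior behavior


# Constructed weights and thresholds, chosen only for this illustration.
WEIGHTS = {"unmanaged_device": 20, "new_device": 30,
           "off_network": 15, "unusual_hour": 15}
STEP_UP_AT, BLOCK_AT = 15, 70


def risk_signals(s: SignIn) -> list[str]:
    """Return the names of the risk signals present, for scoring and audit logs."""
    checks = {
        "unmanaged_device": not s.managed_device,
        "new_device": not s.known_device,
        "off_network": not s.on_corporate_network,
        "unusual_hour": s.hour_local not in s.usual_hours,
    }
    return [name for name, fired in checks.items() if fired]


def evaluate(s: SignIn) -> tuple[Decision, int, list[str]]:
    """Map a sign-in to (decision, score, reasons)."""
    # Hard deny rule, evaluated before scoring: anonymizing proxies are
    # blocked regardless of any other signal or of password correctness.
    if s.anonymizing_proxy:
        return Decision.BLOCK, 100, ["anonymizing_proxy"]
    reasons = risk_signals(s)
    score = sum(WEIGHTS[r] for r in reasons)
    if score >= BLOCK_AT:
        return Decision.BLOCK, score, reasons
    if score >= STEP_UP_AT:
        return Decision.STEP_UP, score, reasons
    return Decision.ALLOW, score, reasons
```

Returning the list of fired signals alongside the decision lets the sign-in log record why a challenge or block was issued.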
● Frequently asked questions
What is Adaptive Authentication?
An authentication approach that adjusts the strength and number of factors required in real time based on signals such as device, location, and behavior. It belongs to the Identity & Access category of cybersecurity.
How do you defend against Adaptive Authentication?
Defences for Adaptive Authentication typically combine technical controls and operational practices, as detailed in the full definition above.
What are other names for Adaptive Authentication?
Common alternative names include: Adaptive access, Context-aware authentication.
● Related terms
- Risk-Based Authentication (RBA) [identity-access, № 940]: An authentication strategy that computes a real-time risk score for each sign-in and varies the response — allow, challenge, or block — based on that score.
- Step-Up Authentication [identity-access, № 1103]: A pattern that requires additional or stronger authentication factors when a user attempts a higher-risk operation than their current session was originally authorized for.
- Continuous Authentication [identity-access, № 216]: An approach that keeps validating a user's identity throughout the session — using behavioral and device signals — rather than authenticating only once at login.
- Multi-Factor Authentication (MFA) [identity-access, № 708]: An authentication method that requires two or more independent factors — typically from different categories — before granting access.
- Impossible Travel Detection [identity-access, № 519]: A detection that flags successive sign-ins from geographic locations too far apart to be reached by any plausible travel within the elapsed time.
- Behavioral Biometrics [identity-access, № 090]: A continuous-authentication technique that profiles unique user behaviors — typing rhythm, mouse movements, gait, or touchscreen gestures — to detect impostors.