Adaptive Authentication: Why? What? How?

‘Adaptive Authentication’ is a buzzword in today’s industry. If you feel the combination of ‘adaptive’ + ‘authentication’ is a technical jargon, this is the place you can understand it simply.

Let’s dive into the depth from the surface.

Origin of Adaptive Authentication:

In this evolving technical era, it is a great challenge to secure data of a particular application just with traditional username, password method. Multi-Factor authentication (MFA) is a solution to be used instead. Then, the user needs to provide at least two factors to access the application. It can be a combination of the following factors:

Something you know : Username, Password, PIN

Something you have : One-time Password(OTP), Smart phone

Something you are : Finger print, Face recognition, Voice recognition

But there is a trade-off between security and usability.

Let me explain it in simple.

Imagine you have kept a valuable diamond in your house. In order to protect it, you put a door which can be unlocked with a unique key.

Here security is low because any robber has to find just one key or just break one door to steal the diamond, and usability is high because you can enter the house easily by opening one door.

If you add more doors and gates to increase the security, you feel difficult when entering the house which means the usability has degraded.

Similarly, if MFA is there, every time the user has to go through so many hassles to enter to the application. So, a method of tightening the security level with less impact on the usability was crucial.This is the place where adaptive authentication comes into the picture.

What is adaptive authentication?

This is what says as adaptive authentication;

Adaptive authentication is a way that two-factor authentication or multi-factor authentication can be configured and deployed. It’s a method for selecting the right authentication factors depending on a user’s risk profile and tendencies — for adapting the type of authentication to the situation.




Adaptive means: make(something) suitable for the situation

Authentication means: The process or action to prove something/someone is valid

So, adaptive authentication means the authentication process gets adapt according to the criteria which measure the user’s trustworthiness.

In adaptive authentication, the user can easily access the application if he/she is a trusted user, and the additional security layers are added against the untrusted users. So, there is no big harm to usability :) points out there are three ways that adaptive authentication could be configured depending on the Identity Providers’(IDP’s) capabilities:

  1. One can set static policies defining risk levels for different factors, such as user role, resource importance, location, time of day or day of the week.
  2. The system can learn the typical activities of users based on their tendencies over time. This learned form of adaptive authentication is similar to behavioral correlation.
  3. A combination of both static and dynamic policies.

Let’s see some factors that IDPs consider for adaptive authentication:


You may have experienced the two-factor authentication(2FA) when you log into Gmail using a new device. It doesn’t require 2FA when you use the same device to log in. Likewise, IDPs checks the device, user agent(browser) being used is familiar and known.


Every user login to an application from specific locations such as from home, workplace or within the hometown. If any login attempt is detected from (blacklisted country) or unfamiliar location, IDP can add an additional security layer.


Here IDP measures is there any method of travel that would let the user to travel the distance between the current login location and where he/she last logged in within the time between those two logins. If the time difference is not enough to travel between that two places, the current login is suspicious.

For an example, if a user first login to an application from Colombo- Sri Lanka and after 30 min there is a login attempt from New York is not valid anyway. So, IDP can prompt MFA in such situations.

Hope now you have an idea on adaptive authentication!!!

Happy reading :)



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Anuradha Karunarathna

Senior Software Engineer@ WSO2 | Computer Science and Engineering graduate@ University of Moratuwa, SriLanka