Curious about adaptive authentication? We explain what adaptive authentication is, how it works, and how a risk-based approach can reduce friction for users.

What Is Adaptive Authentication?

Adaptive authentication is a method of setting up different levels of multi-factor authentication depending on the risk associated with a login or transaction. Factors may include the following:

· User account
· User location
· Attempted action
· Device details
· Behavioral tendencies
· Risk profile

These and other factors are used to assess the context of a login or transaction and help differentiate legitimate customers and users from malicious behavior. The goal of adaptive authentication is to protect user accounts from hijacking and to prevent transaction fraud by requiring additional authentication when data indicates suspicious behavior.

Adaptive Authentication vs. Standard Authentication

The main difference between adaptive authentication and standard authentication is that adaptive authentication changes in line with user behavior to prevent fraud and account takeovers, not legitimate transactions.

Standard authentication simply looks for the correct username and password combination, while adaptive (or risk-based) authentication also looks at login location, device ID, number of failed logins, payment details, and dozens of other key data points.

Together these data points are used to generate an overall risk score for a login or transaction. If the risk is high, the user has to authenticate through another method such as two-factor authentication.

A few actions that could trigger adaptive authentication include the following:

● A high number of failed login attempts
● Login attempt from a new device
● Login attempt from an unknown IP address or location
● Changes to username or password
● Behavior that indicates a script is attempting the login rather than a human

Adaptive authentication is flexible and allows organizations to set their own risk scores based on their business objectives and risk tolerance. For instance, a customer mistyping their password once on a known device wouldn’t trigger a lockout or require additional steps.

However, a login from a new device in a different country would certainly raise some red flags and require the user to provide additional authentication to prove who they are.

By using adaptive authentication, organizations can protect their privileged accounts from compromise and safeguard their customer accounts from cybercriminals.

Why Do We Need Adaptive Authentication?

Even when a user does everything right, their credit card numbers, username, password and other details can still be stolen or compromised through a data breach. Websites that store credentials are continuously under attack by cybercriminals who sell stolen data in dark web marketplaces.

According to the Aite-Novarica Group, CNP fraud loss could top $17.2 billion by 2023. Meanwhile, account takeovers (ATOs) fueled by data breaches increased 850% between Q2 2020 and Q2 2021.

At the same time, customer expectations for instant, uninterrupted interactions and transactions
grow by the nanosecond. And many banks, card issuers, merchants, and others are challenged to meet and exceed these expectations while preventing fraud that can cost them millions.

The drivers for these forms of fraud include the following:

Stolen Accounts on the Dark Web

Criminals can buy thousands of stolen credit card numbers or login credentials for mere pennies each, and try their luck at breaking into accounts. With a simple script, an attacker can test thousands of credentials in a matter of minutes to see which accounts are still vulnerable.

Organizations without adaptive authentication will fail to see an attacker has access and only see a successful login or transaction. Even worse, criminals infiltrating corporate systems or email accounts can cross-reference archived messages or passwords to find additional services they can exploit to appear even more convincing.

It doesn’t help that many people use the same passwords for multiple accounts—including banking, retail, utilities, social media, and more. It also doesn’t help that they also tend to use easily deduced variations of the same 10 passwords.

Phishing Scams

Phishing scams are a leading cause of account compromise. Phishing is a fraudster creating fake messages from a trusted person or brand in an effort to trick the victim into entering their account information.

For example, fraudsters can send emails that look like an exact copy of a Microsoft Office password reset request or past-due notice from Comcast. When the victim clicks the link they are sent to a fake password reset page that looks identical to the real thing. If the user enters their information, it’s sent directly to the attacker.

According to the Federal Trade commission, phishing scams led to $5.8 billion in consumer losses in 2021— a 70% increase year-over-year.

Benefits of Adaptive Authentication

Adaptive authentication can prevent account compromise and fraudulent purchases by understanding the behavior behind a login rather than just relying on the correct username and password.

Adaptive authentication also offers other benefits such as the following:

Frictionless Authentication: Legitimate customers and staff are not slowed down or asked to authenticate again.
Continuous Improvement: Machine learning continuously learns from case management feedback, authentication results, and other intelligence to better distinguish friend from foe—meaning your system naturally improves over time.
Customizable Risk Scores: Organizations can tailor their adaptive authentication to balance their risk tolerance across different applications and products.

How Adaptive Authentication Works

Adaptive authentication works by collecting data on each user to understand their baseline behavior and other details. This can include what devices they use, where they log in from, payment information, and what their typical behavior is inside an application.

Machine learning works in the background to continuously collect data and calculates the probability of an event being fraudulent, given the known factors associated with a user and account.

When paired with modern data science, machine learning can take all factors into account and weight them according to relevance—adaptive authentication incredibly accurate and effective. Over time these algorithms learn from users and only require additional authentication when absolutely necessary.

Machine learning models can be trained to identify specific threats and tap into other shared data sources to get smarter each day. The scale and speed at which these systems operate rival any manual detection a human could ever do.

Each unusual or suspicious behavior adds to the overall risk score for the login or transaction attempt. Only when the scant few interactions or transactions that warrant additional scrutiny will prompt the user to authenticate through a challenge flow.

Secondary authentication can be customized by the organization with many different options:

● SMS verification
● Email verification
● Authenticator app
● FIDO U2F tokens
● Biometrics authentication (voice ID, fingerprint scan, etc.)

Organizations can also choose to add additional adaptive authentication measures to specific user groups, departments, roles, or activities.

For instance, if a user wants to change their banking information, the system could always require secondary authentication to continue. This is optional but helps demonstrate the flexibility that adaptive authentication offers.

How to Set Up Adaptive Authentication

Adaptive authentication relies on complex data science, machine learning algorithms, and global data networks to function. Organizations use third-party providers to integrate adaptive authentication into their businesses.

Organizations can choose from a number of step-up authentication methods for each of their products and tailor their authentication to reflect their risk tolerance and business objectives.

When choosing a partner for your adaptive authentication, look for the following features:

● Frictionless flow authentication
● Powered by machine learning
● Simple policy management
● A global intelligence network
● Case management options for manual investigation

Outseer: Stopping Fraudsters, Not Customers

Outseer provides seamless fraud protection that defeats both fraud and user friction at the same time.

By leveraging intelligence from 20 billion annual transactions across 6,000 institutions contributing to our global data network, our identity-based science prevents 95% of all fraudulent transactions and interactions, with intervention rates as low as 5%. That’s the best performance in the industry.

By seeing what others can’t, we stop fraud long before a transaction ever occurs. With fewer false positives and less intervention, you’re able to deliver better experiences and happier customers. And we’re constantly improving our modeling to ensure the best outcomes every time.

To learn how you can protect your customers through the power of frictionless fraud prevention, request a free demo today.

Nir Moatty

Vice President, Global Solution Consulting

Nir is an experienced executive with a passion for the software industry and has been engulfed in it for more than 13 years. Throughout his career, he has managed numerous teams, either field related, impacting Product Strategy, or technology related impacting execution. He’s managed and directed engineer teams in the development of biometric authentication, fraud detection, adaptive authentication and more. Currently, he works with partners and customers to provide the best approach and solution that will yield the most effective results.