Adaptive authentication, also commonly referred to as risk-based authentication, is an authentication paradigm that attempts to match the required authentication credentials to the perceived risk of the connection or authorizations requested. The objective is to try to reduce the authentication burden on users and provide a better experience on the one hand, while enforcing strong authentication where it is most needed on the other.
For example, a user connecting via VPN from his known home network using a company-managed PC will not be required to present any additional authentication credentials beyond those already provided by his PC, because the connection request is not perceived to be high-risk. A connection from an unknown WiFi network during “odd” hours of the day would require the user to produce additional authentication in the form of a password, an OTP, or both, because the connection exhibits risk indicators that elevate the perceived risk.
In a consumer context, a user shopping on a merchant app will not be required to present any credentials when accessing the application or adding items to the cart, because these operations pose little risk to the merchant. During checkout, the user would typically be required to present a password or some other credential because it is perceived to be a high-risk operation.
An online banking user will be required to present only a username and password to access her account, but when trying to transfer funds to another account, the user would have to respond to challenge questions or enter an OTP code from the bank-provided OTP key fob.
Adaptive authentication policies can look at any number of factors when determining the potential risk of a connection or operation. Policies typically look at the device from which the request is made, the network, its geo-location, the time of day and more. Policies also look at the types of authorizations that will be granted to the user – authorizations to carry out more sensitive operations will require stronger authentication.
Trust is determined by the level of authentication presented. When the user produces strong, hard-to-forge authentication credentials, trust levels are elevated relative to a user who produces only a simple password.
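The policy logic described in the two paragraphs above, as an added example that is not part of the original page: a risk engine that starts from the sensitivity of the requested operation, steps the required assurance up once per contextual risk indicator (device, network, time of day), and grants access only when the trust conferred by the presented credentials meets that level. The operation baselines, the "odd hours" window and the credential names are constructed for illustration; a real deployment sets its own.

```python
from dataclasses import dataclass
from enum import IntEnum

class Level(IntEnum):
    """Assurance levels, used both for what a policy requires and what credentials confer."""
    NONE = 0    # nothing beyond what the device/session already presents
    SINGLE = 1  # a password or equivalent single credential
    MULTI = 2   # password plus an OTP or challenge questions

@dataclass(frozen=True)
class Request:
    trusted_device: bool   # company-managed PC, or a device the service has enrolled
    known_network: bool    # home/corporate network rather than an unknown WiFi
    hour: int              # local hour of day, 0-23
    operation: str         # authorization requested: vpn, browse, checkout, transfer
    presented: frozenset   # credentials supplied so far, e.g. {"password", "otp"}

# Hypothetical baseline per operation; the real values are a deployment policy choice.
OPERATION_BASELINE = {"vpn": Level.NONE, "browse": Level.NONE,
                      "checkout": Level.SINGLE, "transfer": Level.MULTI}

def risk_indicators(req):
    """Contextual signals the policy inspects: device, network, time of day."""
    signals = []
    if not req.trusted_device:
        signals.append("untrusted_device")
    if not req.known_network:
        signals.append("unknown_network")
    if req.hour < 6 or req.hour >= 22:   # "odd" hours: a constructed window
        signals.append("odd_hours")
    return signals

def required_level(req):
    """Start from the sensitivity of the operation, step up once per risk indicator."""
    base = OPERATION_BASELINE.get(req.operation, Level.MULTI)  # unknown ops: be strict
    return Level(min(Level.MULTI, base + len(risk_indicators(req))))

def trust_level(presented):
    """Trust conferred by what the user produced: hard-to-forge factors rank higher."""
    if "password" in presented and presented & {"otp", "challenge_questions"}:
        return Level.MULTI
    if presented & {"password", "otp", "challenge_questions"}:
        return Level.SINGLE
    return Level.NONE

def decide(req):
    """Grant when conferred trust meets the required level; otherwise report the gap."""
    need, have = required_level(req), trust_level(req.presented)
    return {"granted": have >= need, "required": need.name, "trust": have.name,
            "indicators": risk_indicators(req)}
```

With these inputs the page's three scenarios fall out directly: a VPN login from a managed PC on the home network needs nothing extra, the same login from unknown WiFi at 3 a.m. is stepped up to password plus OTP, and a funds transfer always demands a second factor even from a trusted context.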
Privileged access management (PAM) is not itself a type of adaptive authentication. PAM handles privileged credentials and therefore often requires users to provide strong forms of authentication before accessing the PAM-managed credentials. PAM may or may not apply adaptive authentication concepts when granting that access; the two can coexist, with PAM using adaptive authentication to control access to the credentials it manages.