
    Guideline: Adaptive and continuous authentication

    Introduction

    Adaptive and continuous authentication are essential for strong identity and access management (IAM). By continuously assessing user risk and verifying identities, organizations can enhance security and improve user experience.

    Adaptive authentication

    Adaptive authentication involves adjusting authentication requirements based on real-time risk assessment. By evaluating factors such as user behavior, device characteristics, location, and network conditions, organizations can implement a risk-based authentication approach. Learn more about adaptive authentication and how Safewhere can enhance security and user experience.

    The key considerations for implementing adaptive authentication are:

    1. Risk assessment: Establish clear criteria for determining risk levels, including user role, data sensitivity, access time, and geographic location.
    2. Authentication methods: Define a range of authentication methods (e.g., password, OTP, biometrics) and corresponding risk levels.
    3. Step-up authentication: Implement mechanisms to increase authentication strength for high-risk transactions or users.
    4. User experience: Balance security with usability by providing clear communication about authentication requirements and avoiding excessive friction.

    Next, we will explore the tools available in Identify to implement adaptive authentication.

    Authentication methods

    Identify lets users log in through an upstream Identity Provider as the first factor and offers the following MFA methods as the second factor:

    1. TOTP authenticator
    2. Biometrics: Fingerprint or facial recognition provides a higher level of assurance because it requires a unique physical trait.

    Both options can be combined with the upstream Identity Provider as the first factor to ensure security while allowing flexibility based on user preferences or risk levels. Key factors include:

    • Risk criteria:
      1. User role and data sensitivity: A user viewing their profile may only need one factor, but updating the profile might require a second factor, like TOTP. Administrative users making system-wide changes may require biometric authentication. You can learn more about this setup in Support level of assurance per MFA method.
      2. IP location: A conditional access policy can trigger the second factor for logins from unknown or high-risk locations.
      3. Device trust: If a user accesses from an unrecognized device or network, step-up authentication can be triggered. Users can register a device to bypass the second factor for a set number of days, or an access policy can check for a secure cookie in the user’s browser.

    Using adaptive and continuous authentication helps balance security with user convenience. Step-up authentication ensures extra protection when risks are high, while allowing trusted devices to reduce friction in low-risk situations.
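The following is an added example, not code from the original page and not Safewhere Identify's policy-script API: a step-up decision function that maps the three risk criteria above (role and data sensitivity, IP location, device trust) to a required assurance level and the MFA method that satisfies it. Every name in it (`decide`, the `ctx` fields, the level and method names, the 30-day device trust window) is a hypothetical placeholder chosen for illustration.

```javascript
// Added example (hypothetical names, not Safewhere Identify's policy-script API):
// a step-up decision that maps the risk criteria in this guideline to a required
// assurance level and the MFA method that satisfies it.
const LEVEL = Object.freeze({ FIRST_FACTOR: 1, TOTP: 2, BIOMETRIC: 3 });
const METHOD_FOR_LEVEL = Object.freeze({ 1: 'upstream-idp', 2: 'totp', 3: 'biometric' });
const DAY_MS = 24 * 60 * 60 * 1000;
const DEVICE_TRUST_DAYS = 30; // constructed policy value: how long a registered device stays trusted

// Criterion 1: user role and data sensitivity decide the baseline requirement.
function sensitivityLevel(role, action) {
  if (role === 'admin' && action === 'system_change') return LEVEL.BIOMETRIC;
  if (action === 'update_profile') return LEVEL.TOTP;
  return LEVEL.FIRST_FACTOR; // e.g. a user viewing their own profile
}

// Criteria 2 and 3: an unknown/high-risk IP location or an unrecognised device
// triggers the second factor. A device counts as recognised when it was
// registered as trusted within DEVICE_TRUST_DAYS (the equivalent of checking
// a secure cookie set at registration time).
function contextLevel(ctx, now) {
  if (!ctx.ipKnown) return LEVEL.TOTP;
  const registeredAt = ctx.trustedDeviceRegisteredAt;
  const deviceTrusted =
    registeredAt !== undefined && (now - registeredAt) / DAY_MS <= DEVICE_TRUST_DAYS;
  return deviceTrusted ? LEVEL.FIRST_FACTOR : LEVEL.TOTP;
}

// Combine the criteria: the strictest requirement wins, and step-up is needed
// only when the level already achieved in this session is below it.
function decide(ctx, now = Date.now()) {
  const required = Math.max(sensitivityLevel(ctx.role, ctx.action), contextLevel(ctx, now));
  const achieved = ctx.achievedLevel || LEVEL.FIRST_FACTOR;
  const stepUp = achieved < required;
  return { requiredLevel: required, stepUp, method: stepUp ? METHOD_FOR_LEVEL[required] : null };
}

// Constructed sample contexts exercising each criterion in turn.
function sampleDecisions() {
  const now = Date.parse('2024-01-31T00:00:00Z');
  const trusted = now - 10 * DAY_MS; // registered 10 days ago: still trusted
  const expired = now - 31 * DAY_MS; // registered 31 days ago: trust has lapsed
  return {
    viewProfile:   decide({ role: 'user',  action: 'view_profile',   ipKnown: true,  trustedDeviceRegisteredAt: trusted }, now),
    updateProfile: decide({ role: 'user',  action: 'update_profile', ipKnown: true,  trustedDeviceRegisteredAt: trusted }, now),
    adminChange:   decide({ role: 'admin', action: 'system_change',  ipKnown: true,  trustedDeviceRegisteredAt: trusted, achievedLevel: 2 }, now),
    unknownIp:     decide({ role: 'user',  action: 'view_profile',   ipKnown: false, trustedDeviceRegisteredAt: trusted }, now),
    staleDevice:   decide({ role: 'user',  action: 'view_profile',   ipKnown: true,  trustedDeviceRegisteredAt: expired }, now),
  };
}
```

Design note: device trust only removes the contextual (device/IP) reason for a second factor; it never lowers the requirement that comes from role and data sensitivity, so an administrator making a system-wide change is still asked for biometrics on a trusted device.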

    Extra resources:

    • For a detailed guide on writing, testing, and applying policy scripts, refer to this step-by-step guide: How to Write and Apply MFA (2-Factor) Authentication Policy Script.

    Continuous authentication

    Continuous authentication involves verifying a user's identity throughout a session. By analyzing behavior and device data, organizations can detect anomalies and address threats.

    Key considerations for implementing continuous authentication

    1. Behavior profiling: Establish baseline user behavior patterns to identify deviations that may indicate unauthorized access.
    2. Anomaly detection: Implement algorithms to detect unusual activities such as rapid data transfers, logins from unfamiliar locations, or password changes.
    3. Risk-based actions: Define appropriate responses to detected anomalies, such as session termination, password reset, or multi-factor re-authentication.
    4. User privacy: Ensure that continuous authentication methods comply with privacy regulations and protect user data.

    Examples of when to force re-authentication include:

    1. Step-up: For example, if a user tries to access a high-security feature, you may want to force re-authentication with a higher security level.

    2. Idle period: After a prolonged period of inactivity, it’s good practice to require users to re-authenticate to ensure their session remains secure.

    3. Location change: If the user's location changes drastically (e.g., they suddenly log in from a different country or region), re-authentication may be necessary to verify their identity.
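As an added example that is not part of the original page and not Safewhere Identify's API, the three re-authentication triggers above (step-up for a high-security feature, idle period, location change) applied to a constructed stream of session events. All names (`createSession`, `evaluate`, `recordReauth`, the feature-to-level table, the 15-minute idle limit) are hypothetical.

```javascript
// Added example (hypothetical names, not Safewhere Identify's API): a session
// monitor that re-checks the user on every request and returns whether to
// allow the request, demand a step-up, or force full re-authentication.
const MIN_MS = 60 * 1000;
const IDLE_LIMIT_MS = 15 * MIN_MS; // constructed policy value
// Constructed table: assurance level each feature requires (1 = first factor only).
const FEATURE_LEVEL = Object.freeze({ dashboard: 1, 'export-report': 2, payout: 3 });

function createSession(startedAt, country, assuranceLevel) {
  return { lastActivity: startedAt, country, assuranceLevel, active: true };
}

// Evaluate one request. Full re-authentication terminates the session state;
// a step-up keeps the session but asks for a stronger factor before the feature.
function evaluate(session, event) {
  if (!session.active) return { action: 'reauth', reason: 'session_terminated' };
  if (event.t - session.lastActivity > IDLE_LIMIT_MS) {
    session.active = false;
    return { action: 'reauth', reason: 'idle' };
  }
  if (event.country !== session.country) {
    session.active = false;
    return { action: 'reauth', reason: 'location_change' };
  }
  session.lastActivity = event.t;
  const needed = FEATURE_LEVEL[event.feature] || 1;
  if (needed > session.assuranceLevel) {
    return { action: 'stepup', reason: 'feature_requires_higher_level', requiredLevel: needed };
  }
  return { action: 'allow' };
}

// Called after the user successfully re-authenticates at `level`.
function recordReauth(session, at, country, level) {
  session.active = true;
  session.lastActivity = at;
  session.country = country;
  session.assuranceLevel = level;
}

// Constructed sample: a session that starts at first-factor level in Denmark.
function runSample() {
  const t0 = Date.parse('2024-05-01T08:00:00Z');
  const s = createSession(t0, 'DK', 1);
  const results = [];
  results.push(evaluate(s, { t: t0 + 1 * MIN_MS, country: 'DK', feature: 'dashboard' }));     // allow
  results.push(evaluate(s, { t: t0 + 2 * MIN_MS, country: 'DK', feature: 'payout' }));        // stepup, needs 3
  results.push(evaluate(s, { t: t0 + 3 * MIN_MS, country: 'DK', feature: 'export-report' })); // stepup, needs 2
  results.push(evaluate(s, { t: t0 + 20 * MIN_MS, country: 'DK', feature: 'dashboard' }));    // reauth: 17 min idle
  recordReauth(s, t0 + 21 * MIN_MS, 'DK', 3); // user re-authenticates with biometrics
  results.push(evaluate(s, { t: t0 + 22 * MIN_MS, country: 'DK', feature: 'payout' }));       // allow
  results.push(evaluate(s, { t: t0 + 23 * MIN_MS, country: 'US', feature: 'dashboard' }));    // reauth: location change
  return results;
}
```

The idle check runs before the location check so that a stale session is terminated on any request, and `lastActivity` is only advanced for requests made from the session's original location; a country change therefore always ends the session rather than silently becoming the new baseline.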
