Authentication is important to make sure users have the right access to systems and data. This protects sensitive information from unauthorized access and breaches.
However, a big challenge of modern authentication is balancing strong security with an easy login experience. Users should be able to log into applications or services without friction, but security can’t be an afterthought.
To address this challenge, you need the right architectural setup that centralizes authentication and provides more options—one solution is adaptive authentication.
The Need for Adaptive Authentication
Cyberattacks are constantly evolving, becoming more sophisticated and harder to detect. Attackers can leverage advanced techniques to bypass traditional security measures.
Some key trends driving the need for stronger authentication include the rise of credential-based attacks, advanced malware and ransomware, AI-powered threats, API and session hijacking, phishing attacks, and MFA bypass techniques.
At the same time, users also demand a seamless authentication experience. Lengthy login processes, frequent password resets, and excessive MFA prompts frustrate users and create fatigue. In a survey carried out by Storyblok in 2023, it was found that 60% of consumers abandon purchases due to poor website user experience.
What is Adaptive Authentication?
Traditional authentication relies on static, predefined authentication steps, typically requiring a username and password. Conventional authentication methods often include:
single-factor authentication, which refers to a user using a password to log in
multi-factor authentication, where the user has to provide two or more factors
two-factor authentication, a subset of MFA using two factors
However, these methods are insufficient because they don't consider important contexts that could impact the auth flow, like location, time of day, or device used.
Adaptive authentication takes traditional authentication further, dynamically adjusting security measures based on user behavior, risk signals, and contextual data.
By leveraging OAuth 2.0 and centralized authentication, organizations can implement adaptive authentication efficiently while maintaining a seamless user experience.
Example: Location-Based Adaptive Authentication
Let's see how a financial organization could implement adaptive authentication to harden logins and protect against threats — without negatively impacting the user's everyday experience.
Normal Login: The customer authenticates with their normal main factor, such as a password. The system recognizes the device, location, and typical behavior. Since no risk signals are detected, the system authenticates the customer with just a password (or Single Sign-On if enabled via OAuth 2.0).
Suspicious Login Attempt: The same customer attempts to log in from an unfamiliar device in a different city. The system detects this unusual activity and prompts for an additional authentication factor, such as an SMS OTP or push notification approval.
High-Risk Scenario: Someone tries to log in using the customer’s credentials from a location associated with recent cyber attacks. The system flags this as high risk and denies access outright or requires biometric authentication before proceeding.
Implementing Adaptive Authentication
OAuth 2.0, combined with OpenID Connect (OIDC), enables centralized authentication where applications delegate user authentication to an authorization server.
There are a handful of benefits to centralizing authentication with OAuth and OpenID Connect:
You can choose from many advanced authentication methods the authorization server provides and apply consistent security policies across all applications.
You can allow users to choose their preferred authentication factors.
Users authenticate once via the identity provider and gain secure access to multiple services.
OAuth tokens manage user session continuity without exposing credentials
Finally, you should be able to implement adaptive user authentication at any time without redeploying applications.
When you use OAuth, your APIs can play an important role in blending security with user experience. For example, APIs can allow frictionless access to non-sensitive data but require access tokens with high privilege scopes for more valuable data. When such a scope is missing, an API can trigger step-up authentication.
In addition, stronger authentication may be required (e.g., MFA) based on context (e.g., logging in from an untrusted device), and login patterns are monitored, prompting additional verification if unusual behavior is detected. A risk level is applied to authentication requests, and security measures are adjusted accordingly.
Adaptive Authentication in OAuth Workflows
When adaptive authentication is implemented in OAuth workflows, the following scenario happens:
The application triggers user authentication on behalf of the user, and the authorization server enforces user authentication
The authorization server can also check factors such as location, device, and previous user behavior
The identity server issues tokens with minimal friction if the risk is low. If the risk is medium, the user is prompted for additional verification, and if the risk is high, the identity server either denies access or enforces stricter authentication.
When the user is authenticated, an access token is granted, and session behavior is analyzed for anomalies, triggering re-authentication if required.
By centralizing authentication with a customer identity and access management solution, you can provide context-aware access and support passwordless authentication and passkeys.
You can also leverage standards-based solutions like OAuth, OpenID Connect, and FIDO2, and use centralized logging and monitoring to track authentication patterns and ensure compliance with regulations like GDPR and PSD2 that require adaptive security measures.
The Goal: Reduce Authentication Friction
As cyber threats evolve, adaptive authentication remains a critical defense mechanism, enhancing security while maintaining usability by carrying out the right checks and the right situation. By combining OAuth, centralized authentication, and adaptive authentication, you can balance security and user experience, ensuring secure access while reducing authentication friction.
Top comments (0)