Imagine you’re the security guard at an apartment building. Residents badge in and out every day, saying “hi.” Over time, you get to know who’s who – their names, voices, and even when they walk their dogs.
So when you see Harvey from 10B wearing that same old red coat, tangled in his beagle’s leash and fumbling with his key, you buzz him right in. What about when a new face shows up? Well, then you ask for ID, confirm they’re on the guest list, and make them sign the log.
When you move that metaphor online, everything gets harder. Your customer identity and access management (CIAM) system becomes your proverbial security guard, except it can't see who's on the other side of the keyboard. All it has to go on are the signals the session carries with it.
If you’re running a consumer app or website, what can you do to let your Harveys in and keep imposters out? That’s where adaptive authentication comes in.
What is adaptive authentication?
Like its name suggests, adaptive authentication modifies the security hoops a customer needs to jump through to sign into their account based on how risky the attempt looks and how sensitive the action they're trying to take is. It's also called "adaptive trust" or "risk-based authentication." It's often grouped with multi-factor authentication (MFA), but strictly speaking it isn't a factor itself: it's the policy layer that decides, request by request, whether a second factor is required at all.
MFA has gone mainstream over the last few years in response to regulatory standards and risk-averse CISOs, but many brands currently implement it as a binary. It’s either on or it’s off. No in between.
True adaptive authentication – like the risk it mitigates – operates on a spectrum. It opens up lots of new “in between” options by giving brands the flexibility to step security up or down based on their specific risk tolerance at any point along the customer’s journey.
How does adaptive authentication work?
Adaptive authentication works behind the scenes to figure out whether it recognizes the customer who's logging in, and how much risk the attempt carries, before the customer finishes signing in. That's a tall task in an online world where you can't see a face. To make the call, most adaptive authentication systems use four types of signals:
- Device data – Has this phone or desktop logged in before?
- Network data – Is the login coming from an IP address with a clean reputation, or from a known proxy, VPN exit, Tor node, or botnet range?
- Location data – Is the login coming from a place this customer normally uses, and is the distance from their last login physically plausible?
- Behavioral data – Is the activity happening during a day/time when this user tends to log in?
By analyzing this information and weighing it against the type of access the customer is requesting, the system comes up with a risk score. Based on that score, it might let the customer connect without a password at all – say, to browse items in an ecommerce experience. Or they may be prompted for a password – say, to update their credit card information on their account.
When enough flags get triggered, the customer is asked to step up with an additional factor, such as a one-time code or a device-bound credential, before the action is allowed.
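To make the scoring concrete, here is an added example (not Strivacity's code, and not how any particular CIAM product implements it) that weighs the four signal types above against the sensitivity of the requested action and returns the authentication level to demand. Harvey's profile, the action table, the point weights and the denylisted IP range are all constructed for the example; one design choice worth noting is that an action the policy has never heard of is treated as the most sensitive, so a new feature can't ship with no step-up by accident.

```python
from __future__ import annotations
from dataclasses import dataclass

# Constructed sample data for the example; nothing here is a real threat feed
# or a real customer record.

@dataclass(frozen=True)
class LoginContext:
    user_id: str
    device_id: str     # persistent device identifier (cookie or fingerprint)
    ip: str
    country: str       # geolocated from the IP
    hour_utc: int      # hour of the attempt, 0-23
    action: str        # what the user wants to do once signed in

@dataclass(frozen=True)
class UserProfile:
    known_devices: frozenset
    usual_countries: frozenset
    usual_hours: frozenset   # hours in which this user normally logs in

# Hypothetical denylist: 198.51.100.0/24 is a documentation range standing in
# for a block with bad reputation (proxy, Tor exit, botnet).
BAD_IP_PREFIXES = ("198.51.100.",)

# Sensitivity of each action. Unknown actions fall back to MAX_SENSITIVITY so
# that a feature the policy doesn't know about fails closed (step-up), not open.
ACTION_SENSITIVITY = {
    "browse": 0,
    "pay_bill": 1,
    "update_card": 2,
    "change_beneficiary": 3,
    "password_reset": 3,
}
MAX_SENSITIVITY = 3

# Harvey from 10B: one known phone, logs in from the US during waking hours.
HARVEY = UserProfile(
    known_devices=frozenset({"dev-harvey-phone"}),
    usual_countries=frozenset({"US"}),
    usual_hours=frozenset(range(7, 23)),
)

def risk_score(ctx: LoginContext, profile: UserProfile) -> tuple[int, list[str]]:
    """Weigh the device, network, location and behavior signals.
    Returns (score, reasons) so the decision can be logged and explained."""
    score, reasons = 0, []
    if ctx.device_id not in profile.known_devices:
        score += 30
        reasons.append("unknown device")
    if ctx.ip.startswith(BAD_IP_PREFIXES):
        score += 40
        reasons.append("bad-reputation ip")
    if ctx.country not in profile.usual_countries:
        score += 20
        reasons.append("unusual country")
    if ctx.hour_utc not in profile.usual_hours:
        score += 10
        reasons.append("unusual hour")
    return score, reasons

def required_auth(ctx: LoginContext, profile: UserProfile) -> str:
    """Combine risk with action sensitivity and pick the auth level:
    'none' (recognised user, low-value action), 'password', or 'mfa' (step-up)."""
    score, _ = risk_score(ctx, profile)
    sensitivity = ACTION_SENSITIVITY.get(ctx.action, MAX_SENSITIVITY)
    combined = score + 25 * sensitivity
    if combined < 25:
        return "none"
    if combined < 60:
        return "password"
    return "mfa"

if __name__ == "__main__":
    harvey_browsing = LoginContext("harvey", "dev-harvey-phone", "203.0.113.7", "US", 19, "browse")
    stranger = LoginContext("harvey", "dev-unknown", "198.51.100.9", "RU", 3, "browse")
    for ctx in (harvey_browsing, stranger):
        print(ctx.action, required_auth(ctx, HARVEY), risk_score(ctx, HARVEY)[1])
```

Run as a script, it shows Harvey browsing from his own phone with no prompt at all, while the same account hit from an unknown device on a denylisted range at 3am is pushed to MFA even though the action is only browsing. Swapping Harvey's action to `update_card` lands on `password`, and `change_beneficiary` on `mfa`, which is the spectrum the text describes.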
How adaptive authentication can improve the customer journey
It’s pretty easy to see how adaptive authentication can lower sign-in friction for customers – especially when they’re visiting low-risk areas on your website like shopping or bill pay. Eliminating hurdles makes it more likely the customer will fill their cart or pay their bill.
But adaptive authentication should really be applied throughout the customer’s online journey, introducing more friction as customers perform riskier actions. For example:
- Registration – Enrolling a device-bound credential such as Face ID or fingerprint recognition at sign-up makes future sign-ins easier and resistant to phishing and credential stuffing. It binds the account to that device; it does not by itself prove the person is who they claim to be, so pair it with identity verification where the account warrants it.
- Authentication – Checking every user's password against databases of known-breached passwords, and forcing a change when there's a match, blunts credential stuffing and password spraying, the two attacks that rely on reused or common passwords.
- Password recovery – Stepping up security by requiring two-factor authentication when customers reset or recover their passwords guards against account takeovers, since recovery is the path attackers use to bypass the password entirely.
- High-risk transactions – Requiring your strongest authentication – like a device-bound biometric such as Face ID – when your customers perform their riskiest transactions (changing the beneficiary on an account, transferring large sums of money) prevents fraud. Voice ID is sometimes offered here too, but treat it as the weaker option: recorded or synthesized voice can be replayed, so it shouldn't be the only gate on a high-value transfer.
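The breached-password check in the Authentication step above is usually done with a k-anonymity range lookup so the password (and its full hash) never leaves your system. Here is an added example of that technique (not Strivacity's code, and not a real breach corpus): the client hashes the password, sends only the first five hex characters, receives every suffix sharing that prefix, and matches locally. The corpus, counts and the policy outcome names are constructed for the example; a real deployment would replace `range_lookup` with a call to a range API such as the Pwned Passwords endpoint.

```python
import hashlib

# Constructed stand-in for a breach corpus. The passwords and counts are made up
# for this example; a real deployment queries a range API over the network.
_BREACH_CORPUS = {
    "password": 3_730_471,
    "qwerty123": 4_521,
    "Summer2023!": 12,
}

def sha1_hex_upper(password: str) -> str:
    """SHA-1 of the password as upper-case hex, the form range APIs use."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def range_lookup(prefix: str) -> dict:
    """Simulated server side: return {suffix: count} for every corpus hash that
    starts with the 5-character prefix. The server never learns which of the
    returned suffixes the client actually cares about (k-anonymity)."""
    if len(prefix) != 5:
        raise ValueError("range prefix must be exactly 5 hex characters")
    out = {}
    for pw, count in _BREACH_CORPUS.items():
        digest = sha1_hex_upper(pw)
        if digest.startswith(prefix):
            out[digest[5:]] = count
    return out

def breach_count(password: str) -> int:
    """Client side: split the hash, send only the prefix, match the suffix locally.
    Returns how many times the password appeared in breaches (0 if never)."""
    digest = sha1_hex_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    return range_lookup(prefix).get(suffix, 0)

def password_decision(password: str) -> str:
    """Adaptive policy hook. A breached password isn't refused outright at login
    (that would lock out the legitimate owner); the session is stepped up and a
    change is forced before anything sensitive is allowed."""
    if breach_count(password) > 0:
        return "step_up_then_force_change"
    return "allow"

if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        print(repr(pw), breach_count(pw), password_decision(pw))
```

The point to notice is in `breach_count`: only `prefix` is sent out, and the comparison of `suffix` against the returned set happens locally, so even the service answering the lookup cannot tell which password was checked.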
Done right, adaptive authentication helps make both your security and marketing teams happy by keeping friction as low as possible while still mitigating risk. Since it evaluates risk based on signals that require no additional clicks or actions, customers face new security hurdles only when absolutely necessary.
The secret to adaptive auth: balancing user experience vs. risk
When mapping out your own adaptive authentication approach, it’s important to think critically about when, where, and why you need to place those security hurdles.
In addition to the four signals we talked about above (device, network, location, behavior), consider also what the user can do once they authenticate. For example, the risk is pretty low that a human attacker would log in and pay someone’s bill. So you can make that action easy, perhaps even allow customers to do it without logging in at all (assuming you confirm that the user’s not a bot).
Compare that scenario to a customer who’s trying to update their direct deposit account. In that case, the risk is higher so it’s appropriate to require another, more rigorous authentication.
One final factor to consider is your customers’ expectations. Not surprisingly, they vary by industry. Retail customers expect a fast and easy ecommerce experience, whereas healthcare and finance consumers expect – and may even appreciate – a more rigorous authentication process that reinforces their sense of trust in their online broker, bank, or health provider.
Settle for nothing less than … forgettable
Done right, adaptive authentication offers enormous ROI for marketing and customer experience teams that want more security but don’t want the sign-in friction that comes with always-on MFA.
Breaking away from the “all or nothing” approach is also a great way to stand out from the competition. Adaptive auth delivers an experience that reassures your customers in the right places while offering an utterly forgettable (aka simple) sign-in experience whenever possible.
At Strivacity, we think Harvey – from 10B, remember? – deserves a welcoming experience every time he comes home. If you’d like to learn more about how our platform enables adaptive authentication, you can read more here.
We’d love to help you make your customers’ day.