
So what exactly is Adaptive Multi-Factor Authentication?

By Ljubica Lazarevic. Published in Geek Culture, Nov 7, 2021. 4 min read.

Introduction

With the explosion of apps and online services, strong authentication has never been more important. We’re asked for codes, references and other details to verify that we are who we say we are. But have you ever wondered what all of these different authentication mechanisms are and what they do?

Well, dear reader, it’s time to dig in and find out more. Based on a recent release from Gravitee.io’s API Access Management component, I was inspired to flesh out exactly what Multi-Factor Authentication (MFA) and Adaptive MFA are.

What is Multi-Factor Authentication (MFA)?

Multi-Factor Authentication is an authentication approach that requires a user to provide at least two verification types (known as factors) to get access to a resource such as a website, a mobile phone app, or other services. Users will typically use factors such as one-time passwords (OTPs) delivered via SMS and email, or apps such as Google and Microsoft Authenticator.

What is Adaptive MFA and why is it useful?

MFA is extremely important, especially when dealing with sensitive data or accessing special services such as organizational operational data, personal information, and banking.

However, continuously requiring authentication with MFA can start to feel very burdensome. In certain situations, repeatedly asking an individual to provide codes from a mobile phone, or to extract information from an email, may become too much and make for a poor user experience.

Adaptive MFA gives us the opportunity to balance the benefits of a strong security policy with improving user experience when they go through the authentication workflow, allowing for a more pragmatic process. For example, if we are confident that a user trying to authenticate from a specific geographic location is likely to be who they say they are, we can choose to skip MFA. Conversely, if a user has tried to log into their account a few times before they are successful, Adaptive MFA can spring into action and request additional authentication for this unusual behavior.

In summary, Adaptive MFA attempts to improve user experience whilst maintaining a great level of security. If the authentication platform thinks it’s you, it’ll keep to the conventional login workflow.

To provide an example, Gravitee.io’s API Access Management platform currently supports the following for Adaptive MFA:

  • Geographical IP.
  • Number of login attempts.
  • Evaluable Execution Context — injectable variables such as request parameters, so if someone comes from a certain domain we can skip MFA.

Remember my device (please!)

Another thing we can do to pragmatically cut down the number of times MFA is requested on a specific device is to consent to having our device remembered for a period of time. When a user goes through the login process, they are presented with the option for their device to be remembered. If they opt in for this, then for a specified number of hours/days their device will be remembered, and the user will not be prompted for an additional factor for authentication, thereby improving the overall login experience. Note that Adaptive MFA is still well and truly in the picture and, as discussed above, should unusual behavior be spotted, it will override the request to remember the device.

So how does it work? Because of concerns around how personal data is handled, you don’t want to keep a direct record of the device. Instead, when you reach the login landing page, the Device Identification plugin runs and generates a unique, non-personalized identifier for your device. This identifier is persisted on the Access Management server and checked each time the user logs in. Once the “remember my device” expiration date is reached, the data is completely erased. The service provider also has the option to implement their own device identification plugin.
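The Adaptive MFA rules and the “remember my device” behavior described above can be sketched as a single decision function. This is an added example, not Gravitee.io code: the HMAC-based identifier, the fingerprint string, the policy constants and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
from datetime import timedelta

SERVER_KEY = b"constructed-demo-key"   # assumption: per-deployment secret
TRUSTED_COUNTRIES = {"FR", "GB"}       # assumption: sample policy values
MAX_FAILED_ATTEMPTS = 3                # assumption: sample threshold
REMEMBER_FOR = timedelta(days=7)       # assumption: sample retention period


def device_id(fingerprint: str) -> str:
    """Keyed hash, so the server never stores raw device attributes."""
    return hmac.new(SERVER_KEY, fingerprint.encode(), hashlib.sha256).hexdigest()


class RememberedDevices:
    """Server-side store of (user, device identifier) -> expiry time."""

    def __init__(self):
        self._expiry = {}

    def remember(self, user, fingerprint, now):
        self._expiry[(user, device_id(fingerprint))] = now + REMEMBER_FOR

    def is_remembered(self, user, fingerprint, now):
        key = (user, device_id(fingerprint))
        expiry = self._expiry.get(key)
        if expiry is None:
            return False
        if now >= expiry:
            del self._expiry[key]      # erase the record once it has expired
            return False
        return True


def mfa_required(user, country, failed_attempts, fingerprint, devices, now):
    """Decide on a second factor after a correct password: (challenge, reason).

    `country` is assumed to come from a geo-IP lookup done upstream.
    """
    # Unusual behaviour is checked first so it overrides a remembered device.
    if failed_attempts >= MAX_FAILED_ATTEMPTS:
        return True, "failed_attempts"
    if devices.is_remembered(user, fingerprint, now):
        return False, "remembered_device"
    if country in TRUSTED_COUNTRIES:
        return False, "trusted_location"
    return True, "default"
```

The order of the checks is the security-relevant part: if the remembered-device check ran first, repeated failed logins from that device would never trigger a challenge.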

But my phone is all the way downstairs…

Alternative MFA verification methods are also supported. The provider of the service can allow a user to enroll with a specific factor, e.g. Google Authenticator. They can also allow a number of different factors for the user to choose to authenticate themselves with, e.g. an email. In this way, if the user goes through the login flow and, for example, doesn’t have access to their phone, they can choose another factor that is more convenient to them.

Additionally, the service provider can use the Self-Account Management API to build out a bespoke front end for their users. The user can then manage their own account to see what MFA options they have enrolled, as well as choosing which is their principal factor (the first authentication factor they’d prefer to use).

Wrap up

We’ve provided an overview of what MFA and Adaptive MFA are and what they bring: not only sound security around application and service access, but also a pragmatic, user-friendly experience across the login flow.
