Adaptive Authentication

Flexible and secure way of authentication

Himashi Rathnayake
4 min read · Nov 10, 2020

Authentication is the process of proving that a user's digital identity is genuine. Usually, applications use a username and a password for this. But most users don't like remembering passwords, since they have to keep several of them for different applications. As a result, various other factors came into use, which can be categorized as follows.

Something the user has — a mobile phone, an email account

Something the user knows — passwords, PINs

Something the user is — a fingerprint, face recognition

As technology developed, attackers came up with techniques to compromise systems that use a single factor for authentication. To provide more security, application developers tend to use more than one authentication factor to verify a user; this is called multi-factor authentication.

As the number of factors used in the authentication process increases, so does the security of the application. But in practice, most users do not want to go through many authentication steps to access a system. Therefore we need to balance security and usability, and that is where adaptive authentication comes in.

Adaptive authentication lets developers use a reasonable number of factors while keeping the flow usable, by taking the user's risk profile and behavior into account. That means we can add more authentication steps when there is a greater chance that a user account is under attack, and use just one step when the chance is lower. Several decision factors can influence this choice. Some of them are listed below.

1. User Role-Based Adaptive Authentication

An admin or a manager of an application deals with more sensitive data than an ordinary user does. Therefore we can require more authentication steps for the admin or manager and a single step, or fewer steps, for the ordinary user.

2. New Device-Based Adaptive Authentication

If a user tries to access a system from a new device, we can request further authentication steps; if it is the same device as before, we can allow access in a single step. You may have experienced this when signing in to Gmail from a new device.

3. Login Attempts-Based Adaptive Authentication

We can add authentication steps to the flow based on the number of failed attempts before the first successful authentication step. For example, if a user fails the first three attempts, we can add further authentication steps; if the user succeeds within the first three attempts, we can authenticate with just one step.

4. Location-Based Adaptive Authentication

The number of authentication steps can also be determined from the geographical location. If a user tries to access an application from a location the user does not usually log in from, we can include further authentication steps to verify the user's identity.

5. Analytics-Based Adaptive Authentication

When a user tries to log in to an application, we can identify abnormal patterns and their impact and add further authentication steps for users with high-risk profiles. Machine learning is required for this risk analysis.
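The five decision factors above can be combined into a single policy that decides how many steps a login gets and records why. The JavaScript below is an added example written for this article; it is not code from the original post and it does not use the WSO2 Identity Server script API. The login-context fields (`roles`, `deviceId`, `knownDevices`, `failedAttempts`, `country`, `usualCountries`, `riskScore`), the thresholds, the step names and the sample logins are all assumptions chosen for illustration.

```javascript
// Added example: a step-selection policy applying the five adaptive
// authentication factors to a constructed login context. Field names,
// thresholds and step names are assumptions, not a real product's API.

const PRIVILEGED_ROLES = new Set(["admin", "manager"]); // factor 1: user role
const FAILED_ATTEMPT_THRESHOLD = 3;                      // factor 3: "fails the first three attempts"
const RISK_SCORE_THRESHOLD = 0.7;                        // factor 5: assumed analytics cut-off (0..1)

// Evaluate each factor and return the list of signals that fired.
// Every signal is a human-readable reason so the decision can be audited.
function assessLogin(ctx) {
  const reasons = [];
  const knownDevices = ctx.knownDevices || [];   // first-ever login: nothing known yet
  const usualCountries = ctx.usualCountries || [];

  if ((ctx.roles || []).some((r) => PRIVILEGED_ROLES.has(r))) {
    reasons.push("privileged role");                       // factor 1
  }
  if (!knownDevices.includes(ctx.deviceId)) {
    reasons.push("new device");                            // factor 2
  }
  if ((ctx.failedAttempts || 0) >= FAILED_ATTEMPT_THRESHOLD) {
    reasons.push("repeated failed attempts");              // factor 3
  }
  if (!usualCountries.includes(ctx.country)) {
    reasons.push("unusual location");                      // factor 4
  }
  if (typeof ctx.riskScore === "number" && ctx.riskScore >= RISK_SCORE_THRESHOLD) {
    reasons.push("high analytics risk score");             // factor 5
  }
  return reasons;
}

// Map the fired signals onto an ordered list of authentication steps.
// Step 1 (password) is always required; extra steps are appended only when
// at least one signal fired. Escalating to a second extra factor when two
// or more independent signals fire is an assumed policy choice.
function requiredSteps(ctx) {
  const reasons = assessLogin(ctx);
  const steps = ["password"];
  if (reasons.length >= 1) steps.push("totp");
  if (reasons.length >= 2) steps.push("fido2");
  return { steps, reasons };
}

// Constructed sample logins (not real users or devices).
const trustedUser = {
  user: "alice", roles: ["employee"],
  deviceId: "dev-1", knownDevices: ["dev-1"],
  failedAttempts: 0, country: "LK", usualCountries: ["LK"], riskScore: 0.1,
};
const adminOnNewDevice = {
  user: "bob", roles: ["admin"],
  deviceId: "dev-9", knownDevices: ["dev-1"],
  failedAttempts: 0, country: "LK", usualCountries: ["LK"], riskScore: 0.2,
};
const lockedOutTraveller = {
  user: "carol", roles: ["employee"],
  deviceId: "dev-2", knownDevices: ["dev-2"],
  failedAttempts: 3, country: "DE", usualCountries: ["LK"], riskScore: 0.8,
};

for (const ctx of [trustedUser, adminOnNewDevice, lockedOutTraveller]) {
  const decision = requiredSteps(ctx);
  console.log(`${ctx.user}: steps=${decision.steps.join(" -> ")} reasons=${JSON.stringify(decision.reasons)}`);
}
```

In a deployment the context values would come from the identity provider's session and device store and the risk score from an external analytics engine; keeping the policy itself a pure function of that context makes it easy to unit-test each factor in isolation and to log the reasons behind every step-up decision.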

You can configure each of these adaptive authentication types using the script-based editor in the WSO2 Identity Server management console. It is fully open source, and you can download it free from here. WSO2 Identity Server also provides proper documentation to guide you in configuring adaptive authentication.

As my internship project, I am going to implement an adaptive authentication flow composer, a UI tool for the WSO2 Identity Server, where you can configure your adaptive authentication flow by dragging and dropping components without any prior syntax knowledge. In the upcoming blogs, I will share more information on this, and I hope you enjoy them.

Thanks for reading.

Himashi Rathnayake

Undergraduate - Department of Computer Science and Engineering, University of Moratuwa | Former Software Engineering Intern at WSO2