Is your user autentication “good enough”? | Source: Pexels

The CXO’s guide to adaptive authentication

CYBERSECURITY is the need of the hour and businesses need to make sure that digital gateways to their systems are protected, whether providing access to customers or employees.

As a customer or an “end-user” on the internet, you might have noticed that some sites, typically those providing you email or banking services, ask you to secure your account using multi-factor authentication.

The reason that is, is because analysis has revealed that a significant proportion of hacks are a result of users being careless about their login credentials.

They typically ask you to enter a code that they send to you via a mobile app, a token, or a code generator on your phone.

Sometimes, more advanced digital platforms will require more kinds of authentication like a passphrase, a biometric ID or something similar.

While these security features are becoming more and more common and add an extra layer of security to an account, they hamper the user experience.

Imagine forgetting your (already complicated alpha-numeric) password (with special characters) and then realizing that you don’t have a decent network on your phone – so the PIN doesn’t arrive via SMS on time. And when it finally does, the session has timed-out. Has happened to most of us, hasn’t it?

However, what if there was a way to maintain that level of digital security without compromising the experience? You can, with adaptive authentication.

How does adaptive authentication work?

Let’s get to imagining things again. Imagine a world where you go to your desk at home or office, key in your password on your laptop, and are granted access to your mailbox or software instantaneously. However, if you go on a holiday, the mailbox or software just “finds out” and asks you for extra help authenticating your identity?

Wouldn’t that be awesome? That’s exactly how adaptive authentication works.

So long as the user is using the same device, the same network, and is in the same geographic location and accessing the account within usual hours, access is granted instantly. Change one of the variables – and you’ll raise red-flags requiring more security measures.

What throws up red-flags for adaptive authentication?

Varying any of the ordinary variables that contribute to and ordinarily confirm a user’s identity will lead to a red flag.

That was a mouthful, right? Let’s make it simpler.

  • Say you work in Singapore from 8:00 AM to 6:00 PM SFT
  • You sign into a “product” that is secured using adaptive authentication
  • You’re not asked for anything other than your password
  • You sign out at the end of the day
  • BUT you leave your laptop and your internet running
  • Now, imagine there’s a break in and the thief has your credentials for the “product”
  • The thief, with your device, network, and credentials, tries to log-in
  • Their attempt will be thwarted as the “product” will ask for additional authentication
  • This is because the product is being accessed at an hour that’s outside of regular hours

Now, imagine you travel to Hong Kong and try to sign in, you’ll still be asked for additional authentication. Or, if someone in Hong Kong tries to sign in, even with the right credentials, they’ll be asked for additional authentication.

How does biometrics fit in with adaptive authentication?

Okay, this is the exciting part. For the purposes of adaptive authentication, biometrics can be categorized in two different ways.

One, you could have a physical biometric attribute attached to your credentials that can serve as the second layer/factor for authentication of your user profile.

Two, the interesting bit, is having behavioral biometrics run in the background to check if you’re scrolling, moving the mouse’s pointer, and typing in the way you usually do. If you’re not, you should ideally be “kicked out” of the system.

And this behavioral biometric can be tested each time you’re about to do “something important” within the system – turning this into a continuous authentication feature that transforms both security and user experience at the same time.

So, say you log into your bank account and then leave in a rush and in a split second, someone hypothetically takes your seat – continuous behavioral biometric security is what will prevent that “threat” from transferring funds out of your bank account.