
Intelligent Adaptive Authentication: Everything you need to know

Hey you! Yes, you!! Is it really you? That is the question you are indirectly asked every time you click a login or sign-in button. Logging in to accounts is something we all do many times a day, in many different places, on many different devices.

How do we log in to our various accounts on the internet? Enter the username, then the password, then click login. Simple as that. But what if your username and password are compromised? What if there is a data breach and your credentials are leaked? The usual answer is to enable a second factor such as SMS one-time passwords. But is that really safe? SMS is an old protocol with no end-to-end encryption, and a one-time code can be intercepted or redirected (for example through a SIM-swap attack) before it ever reaches the user's phone. So in today's threat landscape, two-factor authentication built on a weak second factor may not be sufficient.

The answer is multi-factor authentication, which adds further steps before a user is authenticated. But putting every user through many steps on every login drastically reduces the usability of the system. That is where adaptive authentication comes into play.

This article covers the following:

1. What is adaptive authentication and why use it
2. What is intelligent adaptive authentication (IAA)
3. How intelligent adaptive authentication works
4. How intelligent adaptive authentication enhances conventional adaptive authentication
5. Real-world scenario using IAA
6. Conclusion

1. What is adaptive authentication and why use it 

Adaptive authentication is a way of implementing multi-factor authentication in which the factors required are selected according to a risk profile and adapted to the situation. In a low-risk situation it may accept basic username and password authentication, while in a higher-risk situation it prompts the user for an additional authentication step.

Authentication factors usually belong to three categories:

  • Something you know, such as a password.
  • Something you have, such as a phone or hardware token that generates or receives a one-time password (OTP).
  • Something you are, such as a face or a fingerprint.

Multi-factor authentication combines two or more of the above factors. But requiring all of them all the time reduces the usability of the application or service. Adaptive authentication decides which factors, and how many, are needed to authenticate a user in a given situation.

Adaptive authentication policies can be deployed in three ways:

  1. Manually, by a system administrator. The admin assigns a risk level, and the corresponding authentication factors, based on the user's role, the user's location or the sensitivity of the service being protected.
  2. Dynamically, by giving the system the ability to learn the user's typical behaviour over time and select authentication factors based on it. For example, if a user has logged in from one country or geographic location for a long time and a login request suddenly arrives from a different area, the system adapts to the situation and requires more factors to authenticate the user.
  3. As a combination of static and dynamic policies, using both of the above methods.

Adaptive authentication works from a user profile. The profile consists of the user's geographic location, the devices the user usually logs in from, the user's role and other related information. Each time the user tries to log in, the system calculates a risk score for the request against that profile. Using this risk score, the system decides the minimum number of authentication steps needed to validate the user.
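The following Python is an added example, not code from the original article or from any WSO2 product. It sketches the first, administrator-defined deployment method: static risk weights for role, service, country and device are summed into a score, and the score selects the minimum set of factors. Every role name, service name, weight and threshold is an assumption chosen for illustration; a real identity provider reads them from its policy configuration.

```python
"""Static adaptive authentication policy (administrator-defined, method 1 above).

Added example; all names, weights and thresholds are assumptions.
"""
from dataclasses import dataclass, field
from typing import List, Set, Tuple

# Factors are requested in this order; a higher risk score climbs the ladder.
FACTOR_LADDER = ["password", "totp", "fingerprint"]

# Assumed administrator-defined risk weights.
ROLE_RISK = {"customer": 0, "support": 10, "admin": 30}
SERVICE_RISK = {"help-center": 0, "online-banking": 20, "admin-console": 40}
UNKNOWN_COUNTRY_RISK = 30
UNKNOWN_DEVICE_RISK = 20
DENY_AT = 90  # at or above this, no combination of factors is accepted


@dataclass
class UserProfile:
    username: str
    role: str
    usual_countries: Set[str] = field(default_factory=set)
    registered_devices: Set[str] = field(default_factory=set)


@dataclass
class LoginRequest:
    username: str
    service: str    # application being accessed
    country: str    # derived from the client IP by the identity provider
    device_id: str  # device cookie / registered device identifier


def risk_score(profile: UserProfile, req: LoginRequest) -> int:
    """Sum the static risk contributions of a request; 0 means fully trusted.

    Unknown roles and services fall back to the highest configured weight so
    that a policy gap fails closed rather than open.
    """
    score = ROLE_RISK.get(profile.role, max(ROLE_RISK.values()))
    score += SERVICE_RISK.get(req.service, max(SERVICE_RISK.values()))
    if req.country not in profile.usual_countries:
        score += UNKNOWN_COUNTRY_RISK
    if req.device_id not in profile.registered_devices:
        score += UNKNOWN_DEVICE_RISK
    return score


def required_factors(score: int) -> List[str]:
    """Map a risk score to the minimum set of factors the user must complete."""
    if score >= 50:
        return FACTOR_LADDER[:3]   # know + have + are
    if score >= 20:
        return FACTOR_LADDER[:2]   # know + have
    return FACTOR_LADDER[:1]       # password only


def decide(profile: UserProfile, req: LoginRequest) -> Tuple[str, List[str]]:
    """Return ("deny", []) or ("allow", factors the user must now complete)."""
    if req.username != profile.username:
        raise ValueError("request does not belong to this profile")
    score = risk_score(profile, req)
    if score >= DENY_AT:
        return ("deny", [])
    return ("allow", required_factors(score))


if __name__ == "__main__":
    tom = UserProfile("tom", "customer", {"GB"}, {"tom-laptop"})
    for req in (LoginRequest("tom", "help-center", "GB", "tom-laptop"),
                LoginRequest("tom", "online-banking", "GB", "tom-laptop"),
                LoginRequest("tom", "online-banking", "NG", "unknown-phone")):
        print(req.service, req.country, req.device_id, "->", decide(tom, req))
```

The deny band matters: without it, a request scoring arbitrarily high would still be allowed through once the user completes all three factors, which is the wrong outcome for an admin console login from an unknown device in an unknown country.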

The more accurately the system can identify the situation, the more accurate the risk score it can assign, and the more user-friendly and secure the adaptive authentication system becomes. This is where intelligent adaptive authentication comes into the picture.

2. What is intelligent adaptive authentication (IAA)

An intelligent adaptive authentication (IAA) system takes risk calculation a step further. Suppose a user has a registered device, which the system treats as trusted. An intelligent adaptive authentication system would additionally detect that the device is rooted or jailbroken and therefore can no longer be trusted, even though it is the same registered device. It assigns a higher risk score to login requests coming from that device and sets the authentication steps accordingly.

An intelligent adaptive authentication system continuously collects the user's behavioural information: for example, the geographic locations the user usually logs in from and the times of day at which the user logs in, across all platforms and devices. This data is used to build behavioural models and risk profiles. To make these models accurate and to calculate risk scores, some intelligent adaptive systems use machine learning techniques.

3. How Intelligent Adaptive Authentication Works

Intelligent adaptive authentication combines authentication with machine learning. It usually involves a risk analytics engine, powered by machine learning, that assesses a user's risk profile. The process starts with collecting behavioural and other relevant data about a user, or a group of users, from various digital channels and from third-party sources such as fraud and risk detection tools. Behavioural data is particularly important because it captures a user's natural habits, so that deviations and abnormalities from known patterns can be detected.

The gathered data is fed to a real-time risk analytics engine that combines machine learning with custom rules to run risk assessments. The machine learning algorithms are used to identify new fraud schemes, anomalous patterns of activity, or suspicious activity for a single user or a group of users. The result is a risk score (or a similar mechanism) that determines the next steps of the authentication process. Depending on that score, authentication steps are applied dynamically to the user's authentication flow, and the user must complete them to finish authenticating.

4. How intelligent adaptive authentication enhances conventional adaptive authentication

Conventional adaptive authentication is powerful enough to identify the associated risk and present the user with an appropriate level of authentication in day-to-day scenarios. But the real question is whether it addresses all the challenges of usability, security, efficiency and compliance while still providing optimal security. This is where intelligent adaptive authentication comes in.

Unlike conventional adaptive authentication, intelligent adaptive authentication relies on many pre-processed inputs and trained machine learning models, which can give more accurate and better-suited results. It uses a broad range of inputs and additional data to calculate risk scores and determine the most appropriate security action for a given situation. The aim is to offer not only the appropriate level of security against constantly evolving risks but also a seamless experience for users.

5. Real-World Scenario using IAA

Let's take a look at a real-world scenario where intelligent adaptive authentication can be put to use.

Tom lives and works in central London. He lives in his own house with his family. There is a supermarket and a few ATMs near his house. His normal routine is to withdraw cash from those ATMs when he visits the supermarket or on the way to his office. He also spends money using a combination of credit and debit cards at various locations around the city.

Suppose Tom's bank's core banking system is equipped with an intelligent adaptive authentication component. Whenever Tom makes a transaction, the following steps take place in the background.

Step 01: 

When Tom makes a transaction, the intelligent adaptive authentication component collects relevant data: the geo-location, the device used and its integrity, the time at which the transaction takes place and how long it takes, and other contextual data. It also collects data on Tom's behaviour across digital channels to build an accurate model of the user. This collection is continuous, so the system keeps learning Tom's habits and can detect transactions that deviate from the known patterns.

Step 02: 

Next, the system brings in existing data from other sources, such as historical data and data from third-party systems like fraud detection and other security systems, to model a more complete picture of the situation.

Step 03: 

With all the data surrounding the transaction, the banking system uses a combination of machine learning algorithms to identify new fraud schemes, anomalous patterns of activity, or suspicious activity for a single user or group of users. The outcome is a risk score that determines the authentication steps Tom must follow to complete the transaction.

Step 04: 

With the risk score as a guide, authentication steps are applied dynamically to the transaction in real time. If additional security measures are considered necessary for this transaction, Tom is prompted to authenticate himself in one form or another before the banking system completes it.

It is equally important to understand that the transaction may be determined to be within Tom's normal pattern of behaviour. In that case, no additional security steps are initiated.
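The four steps above, and the risk engine described in section 3, in runnable form as an added example (not the bank's, the article's or any WSO2 product's code). A simple frequency model over Tom's past locations, devices and hours of day stands in for the trained machine learning model the article describes; on top of it sit the static rules the text mentions: an unusually large amount, a rooted device (the section 2 case of a registered but no longer trustworthy device) and a hit from a third-party fraud feed. Tom's history, the four new transactions and every weight and threshold are constructed for illustration.

```python
"""Behaviour-based risk scoring for Tom's transactions (steps 01-04 above).

Added example; history, weights and thresholds are constructed assumptions.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Tuple

FAMILIAR_AFTER = 0.10   # a value seen in >=10% of history counts as fully familiar
ALLOW_BELOW = 30        # below: no extra step (within Tom's normal pattern)
BLOCK_AT = 80           # at or above: decline rather than step up


@dataclass
class Transaction:
    user: str
    timestamp: datetime
    location: str                  # coarse geo-location, e.g. "London/SW1"
    channel: str                   # "atm", "pos" or "mobile-app"
    device_id: str                 # ATM/terminal id or registered phone id
    device_rooted: bool            # device-integrity signal (section 2)
    amount: float
    fraud_feed_hit: bool = False   # third-party fraud detection signal (step 02)


class BehaviourModel:
    """Per-user baseline built from historical transactions (step 01).

    A frequency model stands in for a trained ML model; the interface
    (fit on history, score a new event) is the same.
    """

    def __init__(self, history: List[Transaction]):
        if not history:
            raise ValueError("cannot build a baseline from no history")
        self.n = len(history)
        self.locations = Counter(t.location for t in history)
        self.devices = Counter(t.device_id for t in history)
        self.hours = Counter(t.timestamp.hour for t in history)
        amounts = sorted(t.amount for t in history)
        self.amount_p95 = amounts[int(0.95 * (len(amounts) - 1))]  # usual upper bound

    def rarity(self, counter: Counter, key) -> float:
        """0.0 for a familiar value, 1.0 for one never seen before."""
        seen_fraction = counter[key] / self.n
        return max(0.0, 1.0 - seen_fraction / FAMILIAR_AFTER)


def risk_score(model: BehaviourModel, t: Transaction) -> int:
    """Steps 02-03: behavioural deviation plus external signals and static rules."""
    score = 0.0
    score += 40 * model.rarity(model.locations, t.location)
    score += 25 * model.rarity(model.devices, t.device_id)
    score += 15 * model.rarity(model.hours, t.timestamp.hour)
    if t.amount > model.amount_p95:
        score += 20          # unusually large for this user
    if t.device_rooted:
        score += 30          # registered device, but its integrity is gone
    if t.fraud_feed_hit:
        score += 40          # third-party fraud system flagged it
    return int(round(min(100.0, score)))


def decide(model: BehaviourModel, t: Transaction) -> Tuple[int, str]:
    """Step 04: map the score to "allow", "step-up" (extra factor) or "block"."""
    score = risk_score(model, t)
    if score < ALLOW_BELOW:
        return score, "allow"
    if score < BLOCK_AT:
        return score, "step-up"
    return score, "block"


def constructed_history() -> List[Transaction]:
    """Constructed sample history: ten days of Tom's routine, not real data."""
    hist = []
    for day in range(1, 11):
        hist.append(Transaction("tom", datetime(2020, 10, day, 8), "London/SW1", "atm", "atm-SW1-01", False, 100.0))
        hist.append(Transaction("tom", datetime(2020, 10, day, 18), "London/SW1", "atm", "atm-SW1-01", False, 100.0))
        hist.append(Transaction("tom", datetime(2020, 10, day, 18), "London/EC2", "pos", "card-present", False, 40.0))
    hist.append(Transaction("tom", datetime(2020, 10, 3, 20), "London/SW1", "mobile-app", "phone-tom", False, 250.0))
    hist.append(Transaction("tom", datetime(2020, 10, 7, 20), "London/SW1", "mobile-app", "phone-tom", False, 250.0))
    return hist


def sample_transactions() -> Dict[str, Transaction]:
    """Constructed new transactions to score against the baseline."""
    return {
        "routine": Transaction("tom", datetime(2020, 10, 12, 8, 30), "London/SW1", "atm", "atm-SW1-01", False, 100.0),
        "new-city": Transaction("tom", datetime(2020, 10, 12, 13, 0), "Manchester/M1", "pos", "card-present", False, 60.0),
        "rooted-phone": Transaction("tom", datetime(2020, 10, 12, 20, 15), "London/SW1", "mobile-app", "phone-tom", True, 250.0),
        "abroad-at-night": Transaction("tom", datetime(2020, 10, 12, 3, 0), "Lagos/Ikeja", "atm", "atm-LOS-77", False, 400.0),
    }


if __name__ == "__main__":
    model = BehaviourModel(constructed_history())
    for name, tx in sample_transactions().items():
        print(f"{name:16s} -> {decide(model, tx)}")
```

The routine withdrawal scores 0 and passes without any extra step, which is the outcome the last paragraph describes. The mobile-app payment from Tom's own registered phone would be low risk on behaviour alone, but the rooted-device rule lifts it into the step-up band; the night-time ATM withdrawal abroad accumulates enough deviation to be blocked outright rather than challenged.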


6. Conclusion

The example scenario shows how intelligent adaptive authentication works and highlights when and where adaptive authentication can be applied. As machine learning and artificial intelligence technologies develop, adaptive authentication can become more and more intelligent at identifying risk factors, recognising situations and calculating risk scores.

Internet service usage is increasing day by day, with more users signing up for numerous online services. As usage grows, so does internet fraud: attackers find ever more sophisticated ways to breach systems and steal user data. Proper authentication mechanisms have therefore become paramount.

With the help of machine learning and artificial intelligence, next-generation intelligent adaptive authentication systems will be able not only to stop threats as they happen but also to anticipate them and have countermeasures ready before someone tries to log in. Intelligent adaptive authentication is therefore the way forward: it can significantly increase the security of internet services without compromising usability. Usability and security! It is a win-win for service providers and users.

Written By

Thimitha Gamage & Nuwan Rupasinghe

Senior Software Engineers