Adaptive Authentication To The Rescue

Keith Graham of SecureAuth was recently interviewed for an article on TechRepublic, and the subject of adaptive authentication came up.  He defined adaptive authentication this way:

“Adaptive authentication involves evaluating risk around the login process before the user even authenticates so that the system only steps up, or outright denies, the authentication when it deems a logon as a risk. Hence, it adapts to a user’s profile based on the threat it perceives that person poses.”

Additional factors that could be used to validate a user’s identity during login are:

  • Device identity – the service you are logging into recognizes the computer, tablet, or device you are using as being the one you have used in the past.  When you try to log on with a new device, the service would redirect your login session to a more rigorous set of proofs, like answering the secret question, or texting an authentication code to a second device, like your smart phone.
  • IP address – this is in use already in some cases, such as Facebook.  The service recognizes the Internet address of your location, and uses it to confirm your identity.  Logging on at a new location would require a more thorough set of authentication proofs.
  • Geo-location – this would involve using your known physical location to provide part of the authentication package.
  • Geo-velocity – this is a little different in that the service would look at your last location and the time between sessions to determine if you could reasonably be in both places within the time allowed.  For instance, if you logged in in Chicago at 10 a.m., it would not be possible for you to log in from Moscow an hour later.  This method has been used by credit card companies for years to sniff out fraudulent transactions.

Some services are already using these.  I’ve seen it used by Facebook and Google quite often, and I am pretty sure my online banking is using some of this information.  In any event, you can expect to see changes coming to the places where you use authentication, and most of these changes will not make it easier or more convenient.  But they are necessary to protect you and your online life from the criminals working the Internet.
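
The four signals listed above can be combined into a single allow / step-up / deny decision, with geo-velocity checked first. The following Python is an added example, not code from SecureAuth or any service named in this post; the `Login` record, the 900 km/h speed ceiling, the 50 km location tolerance, and the policy in `decide` are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

MAX_KMH = 900.0      # assumed ceiling: roughly airliner cruise speed
GEO_SLACK_KM = 50.0  # assumed tolerance for IP-geolocation error

@dataclass(frozen=True)
class Login:  # hypothetical record of one login attempt
    when: datetime
    device_id: str
    ip: str
    lat: float
    lon: float

def km_between(a: Login, b: Login) -> float:
    """Great-circle (haversine) distance in kilometres."""
    dlat, dlon = radians(b.lat - a.lat), radians(b.lon - a.lon)
    h = sin(dlat / 2) ** 2 + cos(radians(a.lat)) * cos(radians(b.lat)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def impossible_travel(prev: Login, cur: Login) -> bool:
    """Geo-velocity: could the user have covered the distance in the elapsed time?"""
    dist = km_between(prev, cur)
    if dist <= GEO_SLACK_KM:
        return False  # same place, within geolocation error
    hours = (cur.when - prev.when).total_seconds() / 3600
    return hours <= 0 or dist / hours > MAX_KMH

def decide(history: list[Login], cur: Login) -> str:
    """Return 'allow', 'step_up' or 'deny' for the current attempt."""
    if not history:
        return "step_up"  # no profile yet, so ask for a second proof
    last = max(history, key=lambda l: l.when)
    if impossible_travel(last, cur):
        return "deny"
    known_device = any(l.device_id == cur.device_id for l in history)
    known_ip = any(l.ip == cur.ip for l in history)
    near_known_place = any(km_between(l, cur) <= GEO_SLACK_KM for l in history)
    if known_device and (known_ip or near_known_place):
        return "allow"
    return "step_up"  # new device, or new IP and new location

# Constructed sample data (IPs from documentation ranges): Chicago, then Moscow one hour later.
CHICAGO = Login(datetime(2024, 1, 15, 16, 0, tzinfo=timezone.utc), "laptop-1", "192.0.2.10", 41.8781, -87.6298)
MOSCOW = Login(datetime(2024, 1, 15, 17, 0, tzinfo=timezone.utc), "laptop-1", "203.0.113.7", 55.7558, 37.6173)

if __name__ == "__main__":
    print(decide([CHICAGO], MOSCOW))
```

A real deployment would usually treat an impossible-travel hit as a strong signal to step up rather than a hard deny, since VPNs and mobile carriers can move a user's apparent location without the user moving.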


About the Author:

I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments. I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at
