Keith Graham of SecureAuth was recently interviewed for a recent article on TechRepublic, and the subject of adaptive authentication came up. He defined adaptive authentication this way:
“Adaptive authentication involves evaluating risk around the login process before the user even authenticates so that the system only steps up, or outright denies, the authentication when it deems a logon as a risk. Hence, it adapts to a user’s profile based on the threat it perceives that person poses.”
Additional factors that could be used to to validate a user’s identity during login are:
- Device identity – the service you are logging into recognizes the computer, tablet, or device you are using as being the one you have used in the past. When you would try to log on with a new device, the service would redirect your login session to a more vigorous set of proofs, like answering the secret question, or texting an authentication code to a second device, like your smart phone.
- IP address – this is in use already in some cases, such as Facebook. The service recognizes the Internet address of your location, and uses it to confirm your identity. Logging on at a new location would require a more thorough set of authentication proofs.
- Geo-location – this would involve using your know physical location to provide part of the authentication package.
- Geo-velocity – this is a little different in that the service would look at your last location and the time between sessions to determine if you could reasonable be in both places with in the time allowed. For instance, if you logged in in Chicago at 10 a.m., it would not be possible for you to log in from Moscow an hour later. This method has been used by credit card companies for years to sniff out fraudulent transactions.
Some services are already using these. I’ve seen it used by Facebook and Google quite often, and I am pretty sure my online banking is using some of this information. In any event, you can expect to see changes coming to the places where you use authentication, and most of these changes will not make it easier or more convenient. But they are necessary to protect you and your online life for the criminals working the Internet.Share