Authentication based on usernames and passwords is both insecure and cumbersome. Despite its shortcomings, it is still by far the most widely used approach for authentication. However, in the age of Cloud Computing and in times with ever-increasing cyber-risks, organizations need better ways for authenticating their users, that serve both the security requirements and the demand of users for a convenient, easy-to-use authentication.
Adaptive Authentication is the solution for these requirements. It allows organizations to implement a flexible yet strong authentication scheme across the broad range of applications they are running, be it on-premises or in the cloud.
Adaptive Authentication in the KuppingerCole definition is adaptive in two areas:
- It supports a variety of different authenticators and thus adapts to the needs of organizations and users. It is not limited to a specific type of authenticator, but allows changing and combining authenticators in a highly flexible manner.
- It is adaptive regarding the required level of authentication strength and identity assurance. Depending on the criticality of information and systems that are accessed, the minimum level of authentication varies, including support for step-up authentication e.g. by adding another authentication factor.
Adaptive Authentication is the umbrella approach, integrating concepts such as strong authentication, Two-Factor Authentication (2FA), Multi-Factor Authentication (MFA), and Risk-Based Authentication (RBA). It supports strong authentication through using multiple factors whenever required. It integrates the concept of RBA by identifying the context risk of users such as their location and mapping it to the required strength of authentication and identity assurance for a particular access.
The underlying concepts that are integrated within Adaptive Authentication are already in place and have been for a long period. 2FA has been available for decades and RBA is also established in certain use cases, in particular access to online banking. However, this is changing nowadays. An adequately strong authentication is understood as being mandatory for helping to mitigate cyber-risks, well-beyond specific use cases. On the other hand, organizations increasingly have learned their lesson that authentication must be convenient. Users are familiar with biometric authentication on their mobile phones and users want to use something that works smoothly with their device of choice. Thus, a higher degree of flexibility than ever before is required when it comes to supporting different authenticators, while on the other hand the need of some form of strong authentication is higher than ever before.
From our perspective, organizations of all kind must support the concept of Adaptive Authentication for both aspects of adaptiveness, i.e. the flexible support for different kinds of authenticators and the flexibility regarding the required level of authentication.
Thus, organizations must move from isolated, per-system approaches for strong authentication towards centralized authentication platforms supporting Adaptive Authentication to a variety of different applications, from on-premises applications to cloud services, VPNs (Virtual Private Networks), and the endpoints themselves.