Most probably the first thing that comes to your mind, when being asked about what should be highly secure when being done online is electronic banking. Your account data, your credit card transactions and all the various types of transactions that can be executed online today, ranging from simple status queries to complex brokerage, require adequate protection. With the criticality of the individual transactions varying substantially, this is also true for the required level of protection. This makes electronic banking the perfect use case for explaining and demonstrating adaptive authentication.
But creating an access matrix by mapping a set of client side attributes on one axis to a set of application functionality of varying criticality on the other axis makes perfect sense for almost any application available online as of today. The analysis of a user's location, the time of day and the time zone, the operating system or browser type and the respective version of the used device is vital information for identifying heightened access risk. Cleverer context data might be derived from the number of consecutive failed login attempts and the actual time required for the successful login process (several failed attempts and then very fast login: might be an automated brute force attack). These mechanisms are incredible improvements for online privacy and security when defined and implemented appropriately.
Maybe the most important argument for having adaptive authentication in almost every other application as well might come as a surprise: It is ease of use. Many applications do provide certain functionalities that require strong authentication in general and certain other functionalities that should be protected adequately in case of inappropriate context information suggesting this. The majority of functionalities, however, is usually of lower criticality and should, as a result, be available without customers / citizens / members / subscribers/… having to provide strong authentication data, requiring for example two-factor-authentication.
- Many users log into their favourite shopping portals just for “research purposes” on a regular basis without actually buying something in that very session (i.e. the digital equivalent for going window shopping). As long as no purchase is made no additional adaptive authentication should be required in most cases.
- The same can apply for accessing basic functionality (e.g. read-only access to general information of the local municipality) within an eGovernment site. As long as no PII or other sensitive data is retrieved or even modified, a simple authentication on basis of username and a reasonably strong password should be sufficient.
- Watching a cartoon suitable for children on your favourite video streaming service might be fine using the usually already configured basic authentication, but the attempt to change the parental control settings obviously has to trigger a request for providing additional authentication.
But we are of course not only talking about end users accessing more or less public online services in different scenarios. In corporate environments, employees, partners and external workforce are accessing enterprise resources located on-premises or deployed in diverse cloud or hybrid infrastructures. With the ever changing landscape of user devices they will want to have access to corporate applications and services from various types of devices ranging from corporate notebooks to all types of personal devices, including mobile phones or tablets. Every organisation will have the ability to define their own policies, whether individual types of access is permitted in general and which rules apply for which type and criticality of functionality. The decision whether access can be provided at all or whether e.g. a step-up authentication is required can be made based on large set of available information at runtime. This information can include e.g. the general user group(employee, external workforce, partners, freelance sales partners and even customers), of course detailed identity data of the individual user, the accessing device (e.g. type, operating system, browser, versions), type and security of current network access (e.g. mobile access via cellular network, originating country, secured by VPN or not), local time and time zone and many many more. With all this information available at runtime it is clear that decisions for accessing the same resource for the same user can be different for a secured national connection from a corporate end-user device versus a connection from an outdated Android device originating from an untrusted country and without line encryption.
The above given examples clearly show the advantages of adaptive authentication in a lot of different use case scenarios: Adaptive authentication allows to provide both: a) An improved user experience by not requesting additional authentication whenever it is not required. And b) an adequate level of protection for user security and privacy whenever context information and/or the criticality of the requested functionality demand for that. Both are perfect reasons for you as either the provider of online services or being responsible for secure and modern corporate infrastructure components to consider implementing adaptive authentication soon.