Understanding Adaptive Authentication and How It Works

Okta's cloud-based authentication gives users high-assurance with simple-to-use factors like biometrics and push notifications.

Use adaptive authentication, and you'll ask for different credentials depending on the risks posed by each visit. 

In traditional authentication systems, you ask all of your users to do one or two things each time they visit, such as typing in a password or submitting a fingerprint. Adaptive access lets you add or remove complexities depending on who your user is, where that user is, or what the user is trying to do. 

Adaptive access control comes through sophisticated computer programs, and you must pay for them. But your payments are worthwhile.

In 2020, a data breach cost companies an average of $3.86 million. The money you invest in security could keep you from paying for damage control. 

What is adaptive authentication?

If you use adaptive access control, your visitors will encounter a computer program before they can log in. That program assesses the risks in each visit (based on criteria you define) and adjusts authentication requirements accordingly. 

When we think about systems like this, we immediately contemplate programs that make access harder. For example, we imagine programs that require a retina scan before users can do something important like transfer funds. 

But adaptive access control can also make simple tasks easier to complete. If you’re simply trying to look at your personal calendar, for example, you could skip several security hoops. Given that a third of us admit to so-called “password rage,” simplifications like this could be welcome.

Balancing security and usability is also key to keeping your employees happy with their workplace technology.

How adaptive access works 

Adaptive programs work like access gatekeepers. Users must interact with them before they can tap into your servers. 

Every program is different. But here's a quick rundown of how most work:

  1. Highlight dangers. Outline the risks by user role, location, time of day, and resource requested. Give each user a profile, so the program can learn how these people typically interact with your system. 
  2. Determine baseline rules. Define the lowest authentication method you'll accept and stratify risks accordingly. Tell the program how you'd like to handle each scenario. 
  3. Turn on the program. Each time a user tries to log in, the program evaluates the request and assesses risk. Authentication processes adapt accordingly. 

3 examples of adaptive access control 

Let’s imagine an accountant named Mike. He's based in Sacramento, and he's worked for your company for 10 years. Let's walk through what his experience of adaptive authentication might look like. 

Scenario 1 

Mike's profile attempts to log in to the accounting server at 8 a.m., Sacramento time. This profile has made the same request for 30 days.

System response: A password is sufficient. 

Scenario 2 

Mike's profile attempts to log in to the accounting server at 2 a.m., Sacramento time. The IP address is familiar and has been used before. But this profile has never logged in at night. 

System response: A password and a code sent to Mike's authenticated phone are required. 

Scenario 3 

Mike's profile attempts to log in to the marketing server from an unfamiliar IP address at 2 a.m., Sacramento time. 

System response: A password, a secondary code, and biometric authentication with a fingerprint are all required.

Should you try adaptive access? 

Few companies can afford a catastrophic data breach. Even if you can pay the fees and recover lost money, your reputation as a safe and secure provider may be gone forever. 

We can help. Okta offers an adaptive authentication product we think you'll love. Find out how it works.


What Is the Cost of a Data Breach? (August 2020). CSO. 

Do You Have 'Password Rage?' A Third of People Admit to Tantrums Over Password Frustration. (June 2015). InformationAge.