{"id":"admin-adaptive-mfa-risk-based-authentication","slug":"admin-adaptive-mfa-risk-based-authentication","title":"Adaptive MFA (Risk-Based Authentication)","description":"When a detective logs in from a coffee shop in a city they've never visited before, your platform should notice. Adaptive MFA analyses each authentication attempt against a real-time risk model, applying friction only wh","category":"management","tags":["management","real-time"],"lastModified":"2026-02-23","source_ref":"content/modules/admin-adaptive-mfa-risk-based-authentication.md","url":"/developers/admin-adaptive-mfa-risk-based-authentication","htmlPath":"/developers/admin-adaptive-mfa-risk-based-authentication","jsonPath":"/api/docs/modules/admin-adaptive-mfa-risk-based-authentication","markdownPath":"/api/docs/modules/admin-adaptive-mfa-risk-based-authentication?format=markdown","checksum":"c7ea25acfcdbb4a0dc5c95cfcce31c492234183f2c0eb7a672ee707c55423b93","headings":[{"id":"overview","text":"Overview","level":2},{"id":"key-features","text":"Key Features","level":2},{"id":"use-cases","text":"Use Cases","level":2},{"id":"how-it-works","text":"How It Works","level":2},{"id":"configuration","text":"Configuration","level":2},{"id":"integration","text":"Integration","level":2},{"id":"availability","text":"Availability","level":2}],"markdown":"# Adaptive MFA (Risk-Based Authentication)\n\n## Overview\n\nWhen a detective logs in from a coffee shop in a city they've never visited before, your platform should notice. Adaptive MFA analyses each authentication attempt against a real-time risk model, applying friction only where it is genuinely warranted. Routine logins from known devices and trusted networks proceed without interruption. 
Logins that deviate from established patterns trigger step-up verification before access is granted.\n\nThis approach suits organisations where authentication friction carries real operational cost: law enforcement agencies processing time-sensitive intelligence, healthcare providers responding to incidents, and financial institutions operating under pressure.\n\n```mermaid\nflowchart TD\n    A[Login Attempt] --> B[Signal Collection]\n    B --> C{Risk Evaluation}\n    C -->|Low Risk| D[Standard Authentication]\n    C -->|Medium Risk| E[MFA Prompted]\n    C -->|High Risk| F[Strong MFA Required]\n    C -->|Critical Risk| G[Access Blocked / Alert Raised]\n    E --> H[Session Established]\n    F --> H\n    D --> H\n    H --> I[Continuous Session Monitoring]\n    I -->|Anomaly Detected| E\n```\n\n## Key Features\n\n- **Dynamic Risk Scoring**: Each login attempt is evaluated in real time across multiple behavioural and contextual signals, producing a composite risk score that determines the authentication path.\n\n- **Intelligent MFA Prompting**: MFA is triggered only when the risk score exceeds configurable thresholds, cutting unnecessary friction for users accessing from expected contexts.\n\n- **Device Fingerprinting**: Known devices are tracked and trusted. Logins from new or unrecognised devices are flagged for additional verification before a session is issued.\n\n- **Impossible Travel Detection**: The system identifies physically impossible location changes between consecutive login attempts with high accuracy, such as sign-ins from two cities separated by thousands of kilometres within minutes of each other.\n\n- **Geolocation Anomaly Detection**: Logins originating from new countries, anonymising networks (VPN, Tor, proxy), or regions outside organisational norms are escalated automatically.\n\n- **Behavioural Analytics**: User patterns, including typical login times, primary locations, and devices, are learned over time. 
Deviations from those baselines are scored proportionally to their significance.\n\n- **Configurable Risk Policies**: Administrators define risk thresholds, whitelist corporate networks or known devices, and choose which risk signals are active per organisation.\n\n- **Step-Up Authentication**: Sensitive operations, such as modifying security settings or accessing classified data, can require additional verification regardless of the initial login risk score.\n\n## Use Cases\n\n- **Law enforcement agencies** protecting access to sensitive intelligence databases where a compromised account could jeopardise active operations.\n- **Government departments** meeting zero-trust mandates that require continuous access evaluation rather than perimeter-based trust.\n- **Intelligence organisations** where logins outside normal hours or from unusual geographies must trigger immediate review.\n- **Financial institutions** subject to strong authentication requirements under PSD2 and internal fraud prevention programmes.\n- **Healthcare providers** needing to balance clinical workflow speed with HIPAA-mandated access control.\n- **Critical infrastructure operators** defending operational technology environments where identity is the last line of defence.\n\n## How It Works\n\n1. **Signal Collection**: When a user attempts to log in, the system collects contextual data including device fingerprint, geolocation, network characteristics, and behavioural patterns from prior sessions.\n\n2. **Risk Evaluation**: All signals are compared against the user's historical baseline and the organisation's active policies to produce a risk score.\n\n3. 
**Authentication Decision**: Based on the risk score and configured thresholds:\n   - **Low Risk**: User proceeds with standard authentication.\n   - **Medium Risk**: Additional verification is requested, such as an authenticator app code or SMS.\n   - **High Risk**: Strong MFA is required and the security team may be alerted.\n   - **Critical Risk**: Access is blocked and the account flagged for investigation.\n\n4. **Continuous Monitoring**: Risk assessment continues throughout the session. If anomalous behaviour is detected mid-session, step-up authentication can be triggered without terminating the session.\n\n## Configuration\n\nAdministrators customise Adaptive MFA behaviour through the admin console:\n\n- **Risk Thresholds**: Set the score boundaries that determine when MFA is required, when access is escalated, and when access is denied.\n- **Trusted Networks**: Whitelist corporate networks or VPN ranges to reduce friction from known-safe locations.\n- **Trusted Devices**: Allow users to register devices that receive reduced MFA prompting for subsequent logins.\n- **Policy Exceptions**: Create exceptions for service accounts, break-glass scenarios, or specific user groups with documented justification.\n- **Alert Configuration**: Define which risk events notify the security team and through which channels.\n\n## Integration\n\n- **Identity Providers**: Works with existing SSO and identity federation across SAML 2.0, OIDC, OAuth 2.0, Zitadel IAM, and Keycloak.\n- **SIEM Platforms**: Risk events and authentication analytics are forwarded to your SIEM for centralised monitoring and correlation.\n- **Directory Services**: Integrates with Active Directory, Azure AD, Google Workspace, and other directory providers for user context enrichment.\n\n## Availability\n\n- Enterprise Plan: Included\n- Professional Plan: Available as add-on\n\n**Last Reviewed:** 2026-02-23\n**Last Updated:** 2026-04-14\n"}