# Adaptive MFA (Risk-Based Authentication)

## Overview

When a detective logs in from a coffee shop in a city they've never visited before, your platform should notice. Adaptive MFA analyses each authentication attempt against a real-time risk model, applying friction only where it is genuinely warranted. Routine logins from known devices and trusted networks proceed without interruption. Logins that deviate from established patterns trigger step-up verification before access is granted.

This approach suits organisations where authentication friction carries real operational cost: law enforcement agencies processing time-sensitive intelligence, healthcare providers responding to incidents, and financial institutions operating under pressure.

```mermaid
flowchart TD
    A[Login Attempt] --> B[Signal Collection]
    B --> C{Risk Evaluation}
    C -->|Low Risk| D[Standard Authentication]
    C -->|Medium Risk| E[MFA Prompted]
    C -->|High Risk| F[Strong MFA Required]
    C -->|Critical Risk| G[Access Blocked / Alert Raised]
    E --> H[Session Established]
    F --> H
    D --> H
    H --> I[Continuous Session Monitoring]
    I -->|Anomaly Detected| E
```

## Key Features

- **Dynamic Risk Scoring**: Each login attempt is evaluated in real time across multiple behavioural and contextual signals, producing a composite risk score that determines the authentication path.

- **Intelligent MFA Prompting**: MFA is triggered only when the risk score exceeds configurable thresholds, cutting unnecessary friction for users accessing from expected contexts.

- **Device Fingerprinting**: Known devices are tracked and trusted. Logins from new or unrecognised devices are flagged for additional verification before a session is issued.

- **Impossible Travel Detection**: The system identifies physically impossible location changes between consecutive login attempts with high accuracy, such as sign-ins from two cities separated by thousands of kilometres within minutes of each other.

- **Geolocation Anomaly Detection**: Logins originating from new countries, anonymising networks (VPN, Tor, proxy), or regions outside organisational norms are escalated automatically.

- **Behavioural Analytics**: User patterns, including typical login times, primary locations, and devices, are learned over time. Deviations from those baselines are scored proportionally to their significance.

- **Configurable Risk Policies**: Administrators define risk thresholds, whitelist corporate networks or known devices, and choose which risk signals are active per organisation.

- **Step-Up Authentication**: Sensitive operations, such as modifying security settings or accessing classified data, can require additional verification regardless of the initial login risk score.

## Use Cases

- **Law enforcement agencies** protecting access to sensitive intelligence databases, where a compromised account could jeopardise active operations.
- **Government departments** meeting zero-trust mandates that require continuous access evaluation rather than perimeter-based trust.
- **Intelligence organisations** where logins outside normal hours or from unusual geographies must trigger immediate review.
- **Financial institutions** subject to strong authentication requirements under PSD2 and internal fraud prevention programmes.
- **Healthcare providers** needing to balance clinical workflow speed with HIPAA-mandated access control.
- **Critical infrastructure operators** defending operational technology environments where identity is the last line of defence.

## How It Works

1. **Signal Collection**: When a user attempts to log in, the system collects contextual data including device fingerprint, geolocation, network characteristics, and behavioural patterns from prior sessions.

2. **Risk Evaluation**: All signals are compared against the user's historical baseline and the organisation's active policies to produce a risk score.

3. **Authentication Decision**: Based on the risk score and configured thresholds:
   - **Low Risk**: User proceeds with standard authentication.
   - **Medium Risk**: Additional verification is requested, such as an authenticator app code or SMS.
   - **High Risk**: Strong MFA is required and the security team may be alerted.
   - **Critical Risk**: Access is blocked and the account flagged for investigation.

4. **Continuous Monitoring**: Risk assessment continues throughout the session. If anomalous behaviour is detected mid-session, step-up authentication can be triggered without terminating the session.
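As an added illustration of steps 1 to 3 (and of the impossible-travel and geolocation checks listed under Key Features), here is a small risk scorer. It is example code written for this page, not the product's own implementation; the `Login` and `Baseline` types, the signal weights, the tier boundaries and the 1000 km/h plausibility limit are all assumptions chosen for the example.

```python
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt
# Signal weights, tier boundaries and the speed limit are example assumptions.
WEIGHTS = {"new_device": 25, "new_country": 25, "anonymiser": 30,
           "off_hours": 10, "impossible_travel": 60}
TIERS = ((25, "low"), (50, "medium"), (80, "high"))  # score < bound -> tier
MAX_PLAUSIBLE_KMH = 1000  # roughly an airliner's cruising speed

@dataclass
class Login:
    device_id: str
    country: str
    lat: float
    lon: float
    ts: datetime
    anonymiser: bool = False  # VPN / Tor / proxy exit flagged by IP intel

@dataclass
class Baseline:
    known_devices: set
    usual_countries: set
    usual_hours: range = range(7, 20)  # learned typical login window
    last_login: "Login | None" = None

def haversine_km(lat1, lon1, lat2, lon2):  # great-circle distance, km
    p1, p2, dlon = radians(lat1), radians(lat2), radians(lon2 - lon1)
    a = sin((p2 - p1) / 2) ** 2 + cos(p1) * cos(p2) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def score_login(login, baseline):  # steps 1-3: signals -> score -> tier
    reasons = []
    if login.device_id not in baseline.known_devices:
        reasons.append("new_device")
    if login.country not in baseline.usual_countries:
        reasons.append("new_country")
    if login.anonymiser:
        reasons.append("anonymiser")
    if login.ts.hour not in baseline.usual_hours:
        reasons.append("off_hours")
    prev = baseline.last_login
    if prev is not None:
        hours = (login.ts - prev.ts).total_seconds() / 3600
        if hours > 0:  # skip out-of-order or clock-skewed timestamps
            km = haversine_km(prev.lat, prev.lon, login.lat, login.lon)
            if km / hours > MAX_PLAUSIBLE_KMH:
                reasons.append("impossible_travel")
    score = sum(WEIGHTS[r] for r in reasons)
    tier = next((t for bound, t in TIERS if score < bound), "critical")
    return score, tier, reasons
```

The returned `reasons` list is what a SIEM forwarder or alert rule would key on, so each escalation stays explainable to the analyst who reviews it.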

## Configuration

Administrators customise Adaptive MFA behaviour through the admin console:

- **Risk Thresholds**: Set the score boundaries that determine when MFA is required, when access is escalated, and when access is denied.
- **Trusted Networks**: Whitelist corporate networks or VPN ranges to reduce friction from known-safe locations.
- **Trusted Devices**: Allow users to register devices that receive reduced MFA prompting for subsequent logins.
- **Policy Exceptions**: Create exceptions for service accounts, break-glass scenarios, or specific user groups with documented justification.
- **Alert Configuration**: Define which risk events notify the security team and through which channels.

## Integration

- **Identity Providers**: Works with existing SSO and identity federation across SAML 2.0, OIDC, OAuth 2.0, Zitadel IAM, and Keycloak.
- **SIEM Platforms**: Risk events and authentication analytics are forwarded to your SIEM for centralised monitoring and correlation.
- **Directory Services**: Integrates with Active Directory, Azure AD, Google Workspace, and other directory providers for user context enrichment.

## Availability

- Enterprise Plan: Included
- Professional Plan: Available as add-on

**Last Reviewed:** 2026-02-23
**Last Updated:** 2026-04-14
