[Management]

Adaptive MFA (Risk-Based Authentication)

When a detective logs in from a coffee shop in a city they've never visited before, your platform should notice.

Module metadata

Source reference

content/modules/admin-adaptive-mfa-risk-based-authentication.md

Last Updated

Feb 23, 2026

Category

Management

Content checksum

c7ea25acfcdbb4a0

Tags

management, real-time

Overview

When a detective logs in from a coffee shop in a city they've never visited before, your platform should notice. Adaptive MFA analyses each authentication attempt against a real-time risk model, applying friction only where it is genuinely warranted. Routine logins from known devices and trusted networks proceed without interruption. Logins that deviate from established patterns trigger step-up verification before access is granted.

This approach suits organisations where authentication friction carries real operational cost: law enforcement agencies processing time-sensitive intelligence, healthcare providers responding to incidents, and financial institutions operating under pressure.

Mermaid diagram

flowchart TD
    A[Login Attempt] --> B[Signal Collection]
    B --> C{Risk Evaluation}
    C -->|Low Risk| D[Standard Authentication]
    C -->|Medium Risk| E[MFA Prompted]
    C -->|High Risk| F[Strong MFA Required]
    C -->|Critical Risk| G[Access Blocked / Alert Raised]
    E --> H[Session Established]
    F --> H
    D --> H
    H --> I[Continuous Session Monitoring]
    I -->|Anomaly Detected| E

Key Features

  • Dynamic Risk Scoring: Each login attempt is evaluated in real time across multiple behavioural and contextual signals, producing a composite risk score that determines the authentication path.

  • Intelligent MFA Prompting: MFA is triggered only when the risk score exceeds configurable thresholds, cutting unnecessary friction for users accessing from expected contexts.

  • Device Fingerprinting: Known devices are tracked and trusted. Logins from new or unrecognised devices are flagged for additional verification before a session is issued.

  • Impossible Travel Detection: The system identifies physically impossible location changes between consecutive login attempts with high accuracy, such as sign-ins from two cities separated by thousands of kilometres within minutes of each other.

  • Geolocation Anomaly Detection: Logins originating from new countries, anonymising networks (VPN, Tor, proxy), or regions outside organisational norms are escalated automatically.

  • Behavioural Analytics: User patterns, including typical login times, primary locations, and devices, are learned over time. Deviations from those baselines are scored proportionally to their significance.

  • Configurable Risk Policies: Administrators define risk thresholds, whitelist corporate networks or known devices, and choose which risk signals are active per organisation.

  • Step-Up Authentication: Sensitive operations, such as modifying security settings or accessing classified data, can require additional verification regardless of the initial login risk score.

Use Cases

  • Law enforcement agencies protecting access to sensitive intelligence databases where account compromise could jeopardise active operations.
  • Government departments meeting zero-trust mandates that require continuous access evaluation rather than perimeter-based trust.
  • Intelligence organisations where logins outside normal hours or from unusual geographies must trigger immediate review.
  • Financial institutions subject to strong authentication requirements under PSD2 and internal fraud prevention programmes.
  • Healthcare providers needing to balance clinical workflow speed with HIPAA-mandated access control.
  • Critical infrastructure operators defending operational technology environments where identity is the last line of defence.

How It Works

  1. Signal Collection: When a user attempts to log in, the system collects contextual data including device fingerprint, geolocation, network characteristics, and behavioural patterns from prior sessions.

  2. Risk Evaluation: All signals are compared against the user's historical baseline and the organisation's active policies to produce a risk score.

  3. Authentication Decision: Based on the risk score and configured thresholds:

    • Low Risk: User proceeds with standard authentication.
    • Medium Risk: Additional verification is requested, such as an authenticator app code or SMS.
    • High Risk: Strong MFA is required and the security team may be alerted.
    • Critical Risk: Access is blocked and the account flagged for investigation.

  4. Continuous Monitoring: Risk assessment continues throughout the session. If anomalous behaviour is detected mid-session, step-up authentication can be triggered without terminating the session.
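
A minimal sketch of the signal-to-decision flow above, including the impossible-travel check, added here as an illustration and not the product's own code. The weights, tier boundaries, speed limit, distance floor and all names are assumptions chosen for the example.

```python
import math
from dataclasses import dataclass
from datetime import datetime

@dataclass
class Login:
    when: datetime            # assumed UTC
    lat: float                # coarse IP-derived geolocation
    lon: float
    device_id: str
    anonymised: bool = False  # VPN / Tor / proxy exit

# Assumed values for illustration; a real deployment tunes these per organisation.
MAX_KMH = 900.0       # faster than this between two logins is "impossible"
MIN_KM = 50.0         # ignore small jumps: IP geolocation is imprecise
WEIGHTS = {"impossible_travel": 60, "new_device": 25, "anonymiser": 20, "off_hours": 10}
TIERS = [(80, "block"), (50, "strong_mfa"), (25, "mfa"), (0, "standard")]

def km_between(a, b):
    """Great-circle (haversine) distance in kilometres."""
    p1, p2 = math.radians(a.lat), math.radians(b.lat)
    dlon = math.radians(b.lon - a.lon)
    h = math.sin((p2 - p1) / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlon / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(min(1.0, h)))

def collect_signals(prev, cur, known_devices, usual_hours):
    found = set()
    if prev is not None:
        hours = (cur.when - prev.when).total_seconds() / 3600
        dist = km_between(prev, cur)
        # hours <= 0 covers simultaneous logins and clock skew (no division by zero)
        if dist > MIN_KM and (hours <= 0 or dist / hours > MAX_KMH):
            found.add("impossible_travel")
    if cur.device_id not in known_devices:
        found.add("new_device")
    if cur.anonymised:
        found.add("anonymiser")
    if cur.when.hour not in usual_hours:
        found.add("off_hours")
    return found

def decide(found):
    score = min(100, sum(WEIGHTS[s] for s in found))
    return score, next(action for floor, action in TIERS if score >= floor)

# Constructed sample: London at 09:00, then Sydney 20 minutes later on a new device.
prev = Login(datetime(2026, 2, 23, 9, 0), 51.5074, -0.1278, "laptop-1")
cur = Login(datetime(2026, 2, 23, 9, 20), -33.8688, 151.2093, "phone-9")
print(decide(collect_signals(prev, cur, {"laptop-1"}, range(7, 19))))
```

The distance floor keeps two nearby logins that geolocate to different towns from being scored as impossible travel, which would otherwise be a steady source of false positives.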

Configuration

Administrators customise Adaptive MFA behaviour through the admin console:

  • Risk Thresholds: Set the score boundaries that determine when MFA is required, when access is escalated, and when access is denied.
  • Trusted Networks: Whitelist corporate networks or VPN ranges to reduce friction from known-safe locations.
  • Trusted Devices: Allow users to register devices that receive reduced MFA prompting for subsequent logins.
  • Policy Exceptions: Create exceptions for service accounts, break-glass scenarios, or specific user groups with documented justification.
  • Alert Configuration: Define which risk events notify the security team and through which channels.

Integration

  • Identity Providers: Works with existing SSO and identity federation across SAML 2.0, OIDC, OAuth 2.0, Zitadel IAM, and Keycloak.
  • SIEM Platforms: Risk events and authentication analytics are forwarded to your SIEM for centralised monitoring and correlation.
  • Directory Services: Integrates with Active Directory, Azure AD, Google Workspace, and other directory providers for user context enrichment.

Availability

  • Enterprise Plan: Included
  • Professional Plan: Available as add-on

Last Reviewed: 2026-02-23
Last Updated: 2026-04-14