MFA stops 99% of password-based cyberattacks, making it a security measure worth investing in. One of the more advanced and helpful implementations of MFA is adaptive MFA. This blog post will explain what adaptive MFA is, when it is used and how adaptive MFA security policies are determined. We’ll wrap up with how to implement adaptive MFA with zero trust.
But first, let’s understand what MFA is.
What is MFA?
MFA is a digital authentication method based on more than one factor. Often, users are provided access after providing only one factor, like a password. But when implementing MFA, users are granted access only after they are verified through two factors or more. As a result, MFA security solutions reduce the risk of data breaches and they have become an essential part of the zero trust security model. Read more about MFA here.
What are the MFA Authentication Factors?
There are four types of authentication factors:
- What a user knows – e.g. passwords and answers to security questions.
- What a user has – e.g. tokens, certificates, USB devices, and more.
- What the user is – e.g. biometric data and behavior analysis.
- Where the user is – location data.
Two or more of these factors are validated every time a user attempts to access a network asset, like a system. Some of these factors are validated silently, without notifying the user.
What is Adaptive MFA?
Adaptive MFA is MFA that is adapted to the situation the user is in. In other words, it is MFA used in a contextual manner. This context determines the types of factors required for authentication, the number of factors requested and how often they are requested.
For example, a remote employee working from an unmanaged device will require more types of authentication factors than an employee working on-premises from a managed device. Or, suspicious behavior like a login from a new geolocation will require more authentication factors and more frequent verification than a user accessing from the office.
Why is Adaptive MFA Used?
Adaptive MFA is often used to make MFA more user-friendly. MFA can create business friction if the user is required to go through multiple authentication steps each time they need to access an app. Adaptive MFA lets the business decide in which situations more stringent verifications are required, and in which one or two authentication factors are enough. Thus, security isn’t impaired in risky situations, but users aren’t required to go through any unnecessary steps that might hamper the user experience and business agility.
How are Adaptive MFA Policies Determined?
As mentioned, the context of the user’s situation and behavior will determine which MFA policy applies to them. There are multiple ways these policies can be crafted. These ways are not mutually exclusive, and can be combined in different manners:
Some MFA policies are static, meaning they are set as rules in the MFA management system.
1. User Profile
The user’s role will determine the risk level and which factors should be used to authenticate her or him. For example, the role of an administrator will require more authentication factors.
2. Device Profile
The security level of the device, its operating system and whether it is a managed or an unmanaged device will determine the factors required for access. For example, Cyolo checks that devices have the most updated antivirus and that the hard disk is encrypted, before enabling app access.
3. Asset Profile
The value the business attributes to the network asset will determine the MFA policies required to access it. For example, access to the production environment will require more authentication factors.
4. Space and Time
Different access locations and times will result in different policies. For example, logging in at 3am from Antarctica will alert about a risky situation and require more authentication factors (or will block the user altogether).
The dynamic MFA policy is based on ML and AI and evolves as more data is collected. The dynamic adaptive MFA policy calculates a risk score and alerts, blocks or authenticates when it reaches a certain threshold.
5. User Behavior
Anomalies in the user behavior will alert the system about the need for more authentication factors. ML and AI learn each user’s behavior and constantly compare it to previous behaviors, to detect deviations.
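The sketch below is an added example, not Cyolo's code or part of the original post. It combines the four static profiles and the behavior signal described above into one risk score, then maps the score to required factors, a re-verification interval, or a block. All weights, thresholds, factor names, field names and the country list are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Weights, thresholds, factor names and the country list are illustrative assumptions.
USUAL_COUNTRIES = {"US", "IL"}
WORK_HOURS = range(7, 20)            # 07:00-19:59 UTC
STEP_UP, HIGH, BLOCK = 20, 60, 100

@dataclass(frozen=True)
class AccessRequest:
    role: str                 # user profile
    device_managed: bool      # device profile
    disk_encrypted: bool
    antivirus_current: bool
    asset_tier: str           # asset profile: "standard" or "production"
    country: str              # space
    when: datetime            # time, in UTC
    behavior_anomaly: float   # 0.0-1.0, supplied by a separate behavior model

def risk_score(req: AccessRequest) -> int:
    """Static rules (profiles, space and time) plus the dynamic behavior signal."""
    score = 0
    score += 20 if req.role == "administrator" else 0
    score += 20 if not req.device_managed else 0
    score += 10 if not req.disk_encrypted else 0
    score += 10 if not req.antivirus_current else 0
    score += 20 if req.asset_tier == "production" else 0
    score += 25 if req.country not in USUAL_COUNTRIES else 0
    score += 10 if req.when.hour not in WORK_HOURS else 0
    score += int(40 * min(max(req.behavior_anomaly, 0.0), 1.0))
    return score

def decide(req: AccessRequest) -> dict:
    """Map the score to an action, required factors and re-verification interval."""
    score = risk_score(req)
    if score >= BLOCK:
        return {"action": "block", "score": score, "factors": [], "reauth_minutes": 0}
    factors, reauth = ["password", "otp"], 480   # baseline: two factors, once a workday
    if score >= STEP_UP:
        factors.append("biometric")
        reauth = 60
    if score >= HIGH:
        factors.append("hardware_token")
        reauth = 15
    return {"action": "challenge", "score": score, "factors": factors, "reauth_minutes": reauth}

# Constructed sample: administrator, unmanaged device, 03:00 UTC, from Antarctica.
SAMPLE = AccessRequest("administrator", False, False, False, "production", "AQ",
                       datetime(2024, 1, 15, 3, 0, tzinfo=timezone.utc), 0.0)
```

In a real deployment the thresholds would be tuned against observed login data, and the decision plus the contributing signals would be logged so that blocked and stepped-up attempts can be reviewed.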
Adding Adaptive MFA to Zero Trust
Zero trust is a security model that is based on the premise of trusting no one. To implement zero trust, each user and device are authenticated before providing access to apps and assets. MFA is an important authentication technology for the zero trust security model. Biometric authentication, token authentication and additional MFA factors are validated before enabling user access to services, regardless of their location or network origin.
It is recommended to choose a ZTNA provider that provides adaptive MFA. To incorporate adaptive MFA in your zero trust solution, add MFA to your devices and network, and incorporate policies based on adaptive MFA authentication.
Adaptive MFA solutions by Cyolo will calculate the user’s risk level. Based on the risk score and behavior anomalies, the user will be authenticated through additional factors.
Cyolo is the leading zero trust security provider for organizations that want to protect their intellectual property. By securely connecting all users from anywhere without requiring a VPN, and authenticating devices, Cyolo enables employees to focus on their work and your business to grow. Cyolo provides advanced user management features, real-time recording abilities and an easy to use UI. Cyolo can also integrate with your VPNs, if needed.
Cyolo takes minutes to implement and is compatible with any network topology and identity infrastructure. In addition, Cyolo does not have access to the organizational data. Not only does this ensure true privacy and security, it also improves performance for a better user experience. Request a demo to learn more: cyolo.io/demo-request.