What is adaptive authentication?

Adaptive authentication is a method for verifying user identity and authorization levels based on factors such as location, device status, and end user behavior. Using these contextual factors, adaptive authentication intelligently chooses how a user must authenticate. Because the factors are continually assessed throughout the user session, rather than just once, this authentication method delivers zero trust and improves security.

Explore additional adaptive authentication topics:  

Why is adaptive authentication important?

Today's companies are more flexible than ever in the way they handle and support employee technology use. Full-time remote or hybrid employment models allow team members to log in and work from a wide variety of locations, and bring-your-own-device (BYOD) policies enable the use of numerous kinds of endpoints.

These increases in adaptability are empowering to companies, in many cases allowing them to get more productivity from their teams. However, unless they come with security improvements, businesses may fall victim to IT threats specifically designed to target weak points in devices and networks.

This is where adaptive authentication comes in: Rather than using a rigid set of policies that are enforced on every device and user indiscriminately, this methodology involves authentication and authorization levels based on factors such as user role, location, device status, and end user behavior.

One-size-fits-all IT security no longer applies to today's digital ecosystems. Any inflexible policy will naturally be too restrictive or too lenient when applied to the way today's employees work. Adaptive authentication is the answer to this conundrum, ensuring there's a balance between locked-down security and user convenience.

How does adaptive authentication work?

Adaptive authentication is a risk-based authentication approach. This means the primary system involved, the risk engine, will continually determine what type of authentication mechanism is to be used—biometrics, SMS codes, one-time passwords, and so on—and what level of authorization a user should have to applications based on location, device posture, and user risk profile. This determination is not only made at the time of login, but is continually evaluated throughout the end user session.

The main question the authentication engine will continually test for is this: Is a legitimate user accessing the app, system, or network resource for productive (not malicious) reasons? Rather than making this determination once when a user logs in at the beginning of a session, there are real-time reassessments. 

The risk engine uses several factors as fuel for analytics, determining whether a specific user session poses an elevated risk. It then selects the authentication type and what level of access to grant based on preferences set by administrators. In all low-risk activity, any changes to permissions are invisible to the individual user, ensuring there are no interruptions to the experience.

There are a few degrees of action that can be implemented depending on what the risk engine discovers in real-time. For example, if there is perceived risk based on a user's behavior, device type or another factor, the system can start monitoring activity. In the case of a higher degree of risk, the user can be forced to confirm their identity through a multi-factor authentication (MFA) mechanism. Of course, if the risk score is high, the system can simply block access altogether.

Administrators can configure granular policies as part of the adaptive authentication process. For example, when users log in from devices not managed by the company, they may not be able to access network drive mapping or copy/paste functions. Other options, when faced with a high-risk profile, include the ability to turn off features of user devices such as USB drives or screenshot functionality, to make sure those devices aren't used to introduce threats to the network.

Why should organizations use adaptive authentication?

Implementing adaptive authentication policies is part of a zero trust security approach. This means users and their devices don't automatically gain access to network resources or corporate data simply because they have logged in with correct credentials (such as a username and password). Rather, their security posture is always assessed and verified.

Considering the world of security threats facing today's companies, zero trust strategies have an important role to play for businesses of all kinds. The possibilities for breaches are near-endless; a user's credentials may be compromised through a spear-phishing attack, a mobile device could be compromised, lost, or stolen, or a home or business Wi-Fi network may be compromised, all creating a need for a blanket security strategy to guard against any kind of compromise.

An organization looking to securely support its growing hybrid workforce can combine adaptive authentication with single sign-on (SSO) methods. This means users will be able to log into all corporate applications with a single set of authentication credentials.

How can organizations use adaptive authentication?

What systems, tools, apps, and solutions can companies grant access to using access control methods powered by intelligent adaptive authentication? The answer is, anything and everything. With the right authentication controls, administrators can not only set policies for accessing certain apps but also determine which operations are available to users, such as restricting copy/paste, printing and downloads, or adding a watermark to a web application based on up-to-date authentication factors as well.

When using virtual applications or virtual desktops, businesses can deliver a full-featured experience to remote and hybrid workforces. This may include every mission-critical system the business operates that is accessible by employees, as if they were sitting at desks in the company’s headquarters.

These full-featured remote experiences, which would have previously only been possible through methods such as VPN, are now more flexible and user-friendly than ever, with features such as adaptive authentication powering this evolution. By simultaneously allowing administrators to keep a careful watch on each session’s risk level and providing a friction-free experience for users, modern access methods allow businesses to be more agile.

Of course, replicating a desktop experience is only one type of remote access. An increasing number of companies are relying more heavily than ever before on cloud-hosted software-as-a-service (SaaS) applications. These, too, can become part of a zero trust architecture based around adaptive authentication.

On paper, the cloud is the perfect match for remote and hybrid work—applications are accessed remotely at all times, so it’s natural to use them from anywhere. However, in practice, employees still need a secure way to log in to mission-critical applications. Adaptive authentication can play a role in defending these essential software tools against unauthorized use.

Today’s security solutions are delivered as cloud services, meaning that instead of running in companies’ datacenters, they exist as web resources that can integrate with all business systems and applications, regardless of whether those are SaaS apps or on-premises software accessed through a virtual desktop model.

Citrix solutions for adaptive authentication

Deciding to adopt a zero trust network access approach powered by an adaptive authentication solution is the first step in modernizing a company's approach to remote work and security. The next step is to ensure the business has the best possible partner for this journey.

This is where Citrix Secure Private Access stands out from all competing solutions, delivering an advanced access and security experience with features including:

  • Zero trust network access (ZTNA) to all private applications including web, SaaS, TCP, UDP, or VDI and virtual applications—whether they’re deployed on-premises or on any public cloud, and accessed from within or outside of a digital workspace
  • Adaptive authentication focused on user identity, geolocation, device posture, and risk profiles, both before and after logging into any system or application
  • Support for contextual security and authorization policies, allowing administrators to set escalating security features based on real-time risk factors
  • Integrated remote browser isolation technology that lets users securely access corporate applications from unmanaged devices or without a ZTNA plugin
  • Controls that prevent hijacking of user credentials or taking screenshots of applications by keyloggers and screen capturing malware
  • An unbroken user experience in which all but the highest-priority security controls are invisible, simply taking effect and not interrupting workflows 
  • Budget savings coming from employees' ability to keep using their own devices rather than specialized, company-owned endpoints 

Many organizations no longer have a choice regarding whether to move to a hybrid work model. This is simply the way business will be conducted in the years ahead, and it's now up to IT to ensure the remote access experience is as secure and convenient as possible.

See adaptive authentication in action with the Citrix Secure Private Access tour.