Adaptive and risk-based authentication
Forcing every customer through the same login puts the same friction on the safe majority and still lets a determined attacker through. Adaptive authentication evaluates the risk of each attempt and raises the bar only when the signals say it should. The principle behind it is continuous, contextual trust: assess every interaction rather than trusting a single login forever.
The signals
A risk engine weighs both confirming and contradicting evidence:
- Affirmative signals: a recognized device, a usual location, a normal time of day.
- Negative signals: a new device, impossible travel (a location the user could not have reached in the time since the previous login), an anonymizing network, a password known to be breached, behavior that does not match the account’s history.
- Context: the sensitivity of the action being attempted and the value at stake.
The output is a risk score, compared against thresholds you set, that decides whether to allow, challenge with MFA, or block.
Adaptive vs step-up
The two work together but are not the same. Adaptive policy decides whether to challenge at login based on risk. Step-up applies a fresh check at the moment of a sensitive action (changing a payout account, a large transfer) regardless of how the session started, so a session that logged in without a challenge is still challenged before it can do damage. Everyday access stays smooth; the operations that matter get protected. Confirm that a platform supports both, and that step-up can be applied per action rather than only once per session.
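To make the two decisions concrete, here is an added example (not code from the page or from any CIAM vendor) of a minimal risk engine: it scores one login attempt from the kinds of signals listed above, decides allow, challenge or block against thresholds, and separately applies a per-action step-up check that ignores how the session started. Every signal name, weight, threshold, coordinate and timestamp is an illustrative assumption, including the 900 km/h "impossible travel" speed and the five-minute reuse window for a step-up proof.

```python
"""Added example, not from the page or any CIAM vendor: a minimal risk engine
that scores a login attempt and decides allow / challenge / block, plus a
per-action step-up check. All weights, thresholds and sample data are assumed."""
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt
from typing import Optional

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_SPEED_KMH = 900.0   # assumed: roughly airliner speed
CHALLENGE_AT, BLOCK_AT = 30, 80   # assumed score thresholds
MFA_FRESHNESS_S = 5 * 60          # assumed: a step-up proof is reusable for 5 min


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points, in km."""
    p1, p2 = radians(lat1), radians(lat2)
    a = sin((p2 - p1) / 2) ** 2 + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


@dataclass(frozen=True)
class PriorLogin:
    lat: float
    lon: float
    ts: float                      # unix seconds of the last successful login


@dataclass(frozen=True)
class Attempt:
    device_known: bool
    lat: float
    lon: float
    ts: float                      # unix seconds of this attempt
    hour_local: int
    anonymizing_network: bool
    password_breached: bool
    behavior_anomaly: bool
    usual_hours: frozenset          # hours of day this account normally logs in
    prior: Optional[PriorLogin] = None


def impossible_travel(a: Attempt) -> bool:
    """True if the user could not have moved from the prior login to here in time."""
    if a.prior is None:
        return False
    dist = haversine_km(a.prior.lat, a.prior.lon, a.lat, a.lon)
    elapsed_h = (a.ts - a.prior.ts) / 3600.0
    if elapsed_h <= 0:             # concurrent or out-of-order: a different place is impossible
        return dist > 1.0
    return dist / elapsed_h > MAX_PLAUSIBLE_SPEED_KMH


def risk_score(a: Attempt) -> int:
    """Additive score: negative signals add risk, affirmative signals remove some."""
    score = 0
    score += 25 if not a.device_known else -10
    score += 50 if impossible_travel(a) else 0
    score += 30 if a.anonymizing_network else 0
    score += 60 if a.password_breached else 0   # alone this should at least force a challenge
    score += 20 if a.behavior_anomaly else 0
    score -= 5 if a.hour_local in a.usual_hours else 0
    return max(0, score)


def decide_login(a: Attempt) -> str:
    s = risk_score(a)
    if s >= BLOCK_AT:
        return "block"
    return "challenge" if s >= CHALLENGE_AT else "allow"


# Step-up is keyed to the action and the value at stake, not to the login decision.
SENSITIVE_ACTIONS = {
    "change_payout_account": 0.0,   # always step up
    "transfer": 1000.0,             # step up at or above this amount (assumed)
}


def requires_step_up(action: str, amount: float, last_mfa_ts: Optional[float], now: float) -> bool:
    threshold = SENSITIVE_ACTIONS.get(action)
    if threshold is None or amount < threshold:
        return False
    # A recent step-up proof may be reused; a challenge at login hours ago may not.
    return last_mfa_ts is None or now - last_mfa_ts > MFA_FRESHNESS_S


# Constructed scenarios (assumed coordinates: London, then New York for the hostile one).
LONDON = PriorLogin(lat=51.5074, lon=-0.1278, ts=0.0)
WORK_HOURS = frozenset(range(8, 19))
TRUSTED = Attempt(True, 51.51, -0.12, 7200.0, 9, False, False, False, WORK_HOURS, LONDON)
NEW_DEVICE_PROXY = Attempt(False, 51.51, -0.12, 7200.0, 3, True, False, False, WORK_HOURS, LONDON)
HOSTILE = Attempt(False, 40.7128, -74.0060, 3600.0, 9, False, True, False, WORK_HOURS, LONDON)

if __name__ == "__main__":
    for name, a in [("trusted", TRUSTED), ("new device via proxy", NEW_DEVICE_PROXY), ("hostile", HOSTILE)]:
        print(f"{name:22s} score={risk_score(a):3d} -> {decide_login(a)}")
    print("payout change needs step-up:", requires_step_up("change_payout_account", 0, None, 7200.0))
    print("small transfer needs step-up:", requires_step_up("transfer", 500, None, 7200.0))
```

The point to notice is that `requires_step_up` never looks at the login score: the trusted attempt is allowed through without a challenge, yet changing a payout account in that same session still demands a fresh MFA proof. A platform that can only step up "once per session" would let a login-time challenge satisfy every later sensitive action, which is exactly the gap the question list below asks you to probe.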
Where platforms differ most
This is one of the widest capability gaps between CIAM platforms. The questions that separate them: which signals are built in, whether you can add your own, whether the model learns from behavior, and how much you can tune the policy without writing code. Some vendors carry strong risk engines from a workforce or fraud heritage; others treat it as a higher-tier add-on. For higher-risk segments this often pairs with account takeover and fraud defenses.
What to ask a CIAM vendor
- Which risk signals are built in, and can we add custom ones?
- Does the engine use behavioral analytics that learn over time, or only static rules?
- Can we tune the risk policy and thresholds ourselves, without professional services?
- Is adaptive authentication included, or only in a higher tier? See the pricing guide.
- Is step-up supported per sensitive action, not just per session?
The buyer takeaway: adaptive authentication is how you keep login frictionless without lowering security, and the strength of the risk engine is a real differentiator rather than a checkbox. Pressure-test it on the signals you care about, then run the vendor matcher.