Adaptive Authentication
Adaptive authentication adjusts how strongly a user must prove their identity based on the risk of each sign-in, asking for extra verification only when signals suggest something is unusual.
Also: risk-based authentication
Adaptive authentication, also called risk-based authentication, varies the login requirement according to context. A sign-in from a known device, location, and pattern can pass with a single factor, while one that looks unusual triggers a step-up such as a second factor or a passkey check.
Risk signals commonly include device reputation, network and geolocation (including whether the distance from the previous sign-in is physically plausible), time of day, behavioral patterns, and indicators of automated attacks such as credential stuffing. A risk engine scores each attempt against the user's history and decides whether to allow it, challenge it with a step-up, or block it. Because some signals can be spoofed or replayed by an attacker (a stolen device cookie, a proxy exit near the victim's usual location), their presence should reduce risk only modestly while their absence can raise it sharply, and the engine should record each decision with its reasons so it can be audited and tuned.
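The following is an added example, not code from the original glossary page, showing the scoring-and-decision loop described above: weighted signals are summed into a risk score, and two thresholds map the score to allow, challenge or block. The signal weights, the thresholds, the 900 km/h impossible-travel limit and the sample sign-ins are all constructed for illustration and would be tuned against real traffic in practice.

```python
"""Toy risk engine for adaptive (risk-based) authentication.

Added example, not code from the original glossary page. Signal weights,
thresholds and the sample sign-ins below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt
from typing import Optional

ALLOW_BELOW = 30             # below this score a single factor is enough
BLOCK_AT = 70                # at or above this score the attempt is refused
IMPOSSIBLE_TRAVEL_KMH = 900  # faster than a commercial flight between two sign-ins


@dataclass
class SignIn:
    device_id: str                    # cookie or fingerprint bound to the device
    country: str                      # from IP geolocation
    lat: float
    lon: float
    at: datetime                      # UTC timestamp of the attempt
    automation_signals: bool = False  # e.g. headless-browser fingerprint
    recent_failures: int = 0          # failed attempts on this account in the last hour


@dataclass
class Profile:
    known_devices: set[str]
    usual_countries: set[str]
    usual_hours_utc: range
    last_sign_in: Optional[SignIn] = None


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points, in kilometres."""
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def score_sign_in(attempt: SignIn, profile: Profile) -> tuple[int, list[str]]:
    """Sum weighted risk signals; return the score and the reasons behind it."""
    score, reasons = 0, []
    if attempt.device_id not in profile.known_devices:
        score += 30
        reasons.append("unknown device")
    if attempt.country not in profile.usual_countries:
        score += 25
        reasons.append(f"unusual country {attempt.country}")
    if attempt.at.hour not in profile.usual_hours_utc:
        score += 10
        reasons.append("outside usual hours")
    if attempt.automation_signals:
        score += 30
        reasons.append("automation indicators")
    if attempt.recent_failures >= 5:
        score += 20
        reasons.append("credential-stuffing pattern")
    last = profile.last_sign_in
    if last is not None:
        km = haversine_km(last.lat, last.lon, attempt.lat, attempt.lon)
        # Floor the interval at one minute so a same-second replay still computes a speed.
        hours = max((attempt.at - last.at).total_seconds() / 3600, 1 / 60)
        if km / hours > IMPOSSIBLE_TRAVEL_KMH:
            score += 40
            reasons.append(f"impossible travel: {km:.0f} km in {hours:.1f} h")
    return score, reasons


def decide(score: int) -> str:
    """Map a risk score to the engine's three outcomes."""
    if score >= BLOCK_AT:
        return "block"
    if score >= ALLOW_BELOW:
        return "challenge"  # step up: second factor or passkey
    return "allow"


def evaluate(attempt: SignIn, profile: Profile) -> tuple[str, int, list[str]]:
    score, reasons = score_sign_in(attempt, profile)
    return decide(score), score, reasons


# Constructed sample data: a user who normally signs in from New York on one laptop.
UTC = timezone.utc
LAST = SignIn("laptop-1", "US", 40.71, -74.01, datetime(2024, 5, 6, 13, 0, tzinfo=UTC))
PROFILE = Profile({"laptop-1"}, {"US"}, range(12, 23), last_sign_in=LAST)

ROUTINE = SignIn("laptop-1", "US", 40.71, -74.01, datetime(2024, 5, 6, 14, 0, tzinfo=UTC))
NEW_PHONE = SignIn("phone-9", "US", 40.71, -74.01, datetime(2024, 5, 6, 14, 0, tzinfo=UTC))
FAR_AWAY = SignIn("unknown-7", "JP", 35.68, 139.69, datetime(2024, 5, 6, 14, 0, tzinfo=UTC))
STUFFING = SignIn("laptop-1", "US", 40.71, -74.01, datetime(2024, 5, 6, 14, 0, tzinfo=UTC),
                  automation_signals=True, recent_failures=12)

if __name__ == "__main__":
    for name, attempt in [("routine", ROUTINE), ("new phone", NEW_PHONE),
                          ("far away", FAR_AWAY), ("stuffing", STUFFING)]:
        decision, score, reasons = evaluate(attempt, PROFILE)
        print(f"{name:10} -> {decision:9} score={score:3} {reasons}")
```

The routine sign-in scores 0 and passes on a single factor; the same user on an unregistered phone scores 30 and is challenged; an unknown device in Japan one hour after a New York sign-in trips the unknown-device, unusual-country and impossible-travel signals (95) and is blocked. The reasons list is what a real engine would log so that a blocked customer or an analyst can see which signal fired.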
The goal is to keep friction low for the vast majority of legitimate sign-ins while concentrating extra checks where the risk actually is. For customer identity (CIAM) this is central, because every added step loses some customers, so applying strong authentication selectively protects accounts without punishing everyone. It pairs naturally with phishing-resistant factors like passkeys for the step-up, so that the challenge an attacker is most likely to face is also the one they are least able to phish.
Sources
- NIST SP 800-63B, Authentication and Lifecycle Management: https://pages.nist.gov/800-63-3/sp800-63b.html