As organizations embrace digital transformation, the need to protect data and control who accesses it increases. Distributed workforces and online users compound the challenge since they often need remote access to critical apps and data. Many organizations also have regulatory responsibilities to protect user data according to the data safety regulations required for different industries.

Enhancing your authentication systems is an important aspect of achieving this. There are two main types of authentication methods: multi-factor authentication and adaptive authentication (also called risk-based authentication). This post will provide an overview of these methods and why you should upgrade to adaptive authentication.

What is Multi-Factor Authentication?

Years ago, as users began to access online services and resources, the need for identity and access management (IAM) emerged. For a while, traditional IDs and passwords were sufficient to create a secure authentication process. As the digital world grew, however, the number of users also increased exponentially — as did cybersecurity risks. Attackers can now easily crack IDs and passwords via brute force attacks and social engineering tactics, leading to data breaches.

When Colonial Pipeline was attacked in late 2021, one of the vulnerabilities attackers exploited was one-factor authentication. The hacked password was a complex one, but, still, relying on a single authentication form makes for weak security.

Multi-factor authentication is a technology created to answer these access management security challenges.

Multi-factor authentication (MFA) is a security protocol that requires a user to verify their identity by providing two or more factors.

MFA creates an additional layer of defense, making it harder for an unauthorized user to access a system or network. When there are extra factors, even if one of them is compromised, the attacker still has to breach further lines of defense.

MFA is used to enhance access security across industries, and for an array of use cases. What can you use MFA for?

  • Enhancing Active Directory identity stores
  • Authenticating web services
  • Authenticating web servers
  • Device authentication
  • Registering users
  • Confirming e-commerce transactions
  • Validating money transfers

Types of Authentication Factors

MFA uses different types of authentication factors from several categories:

  • Knowledge: What the user knows. For instance, a password or the answer to a secret question.
  • Possession: A device the user has that they can use to log in, like a security token or a smartphone. The MFA solution sends a one-time code or a push notification to that device for the user to approve.
  • Inherence: These factors are often used in biometric authentication and can include fingerprints, iris scans, and facial or voice recognition. Sometimes MFA uses factors based on user behavior, called behavioral biometrics.
  • Location: In this case, the user’s geolocation, derived from the IP address or from the device’s GPS, is the authentication factor.
  • Time: Often used together with location, the time factor can detect an unauthorized transaction or account access.
  • Behavioral: Behavioral patterns unique to that specific user can be used to identify them (e.g., keyboard strokes, typing speed, or swiping patterns).

By increasing the barriers attackers must face, multi-factor authentication improves the security of a system. However, there should be a balance between adding security layers and providing a frictionless user experience.

Benefits of Using Multi-Factor Authentication (MFA)

There are several benefits of using multi-factor authentication:

  • Increased security with third-party users: Organizations often have third-party users accessing their systems for business purposes. Keeping your network safe from thousands of external users can be tricky. Adding an extra authentication layer helps.
  • Enhanced control over who has access to your data and applications: MFA allows an organization to define who can and can’t access sensitive data. Fifty-one percent of respondents to the 2021 Ponemon security report indicated that they are not assessing the security of third parties.
  • Helps meet compliance requirements: HIPAA regulations require all access to personal information to be restricted to authorized staff only. MFA prevents unauthorized users from accessing sensitive information, such as personal medical records.
  • Minimize password risks: Passwords are always at risk of being cracked. Most people reuse passwords, making it much easier for bad actors to gain access to data or accounts. In addition to requiring strong passwords, the use of two-factor authentication ensures passwords are not the only line of defense.
  • Greater remote security: Single sign-on (SSO) is simply not secure enough for hybrid work environments that allow employees to use unsecured networks and private devices. MFA offers a more secure alternative to SSO that makes it more difficult for malicious actors to access networks and apps — thus mitigating the increased risks that come with remote and hybrid work environments.

As many benefits as multi-factor authentication offers, it has several drawbacks — for example, disrupting the user experience. Risk-based adaptive authentication offers a smoother experience and enhanced security.

What is Adaptive Authentication?

Adaptive authentication, also called risk-based authentication (RBA) or adaptive multi-factor authentication (adaptive MFA), is a mechanism that verifies user identity and authorization levels based on a combination of factors such as user role, location, device type, and behavior. Adaptive authentication uses these contextual factors to create a profile of how an individual user or user group must authenticate. These factors are continuously assessed throughout the session, delivering zero trust and improving security.

How Does Adaptive Authentication Work?

Unlike traditional MFA, adaptive authentication is dynamic: security requirements change according to the user’s role, location, or situation. Since every employee, vendor, or partner has different access needs, capabilities, and endpoints in a given login session, IT security policies must be adaptable.

Adaptive or risk-based authentication can be based on static policies, dynamic policies, or a combination of both. Adaptive authentication using dynamic policies is based on calculating a risk score for each user every time they access the system. Risk scores are assigned based on the user’s context — such as location, role, their registered devices, and more. This score is assessed in real time using machine learning. When a user wants to log in, they are given authentication options according to their score. With a higher risk level, additional security challenges can be presented.

In a static policy, the user group or identity rules determine the level of authentication required. For example, a contractor will have higher levels of authentication and a limited amount of access to the network (granted access on a per-application basis). In this example, the contractor may have a very low user risk score but could still require a higher burden of authentication.

Adaptive authentication can be set up to require additional security measures like two-factor authentication when a user logs in from a less secure device, network, or location, among other factors. For example, a hybrid employee would be treated differently when they’re at their personal computer compared to when they’re at work on their work laptop or using the corporate network. Adaptive authentication would also respond differently when they log in from an unknown device or an unknown location.

Adaptive Authentication Benefits

Adaptive authentication (or risk-based authentication) has many benefits and several advantages over multi-factor authentication. The best adaptive authentication vendors will provide the following features:

  • A better end-user experience. Adaptive authentication requests less information from users who are recognized and behave according to their established, normal pattern. It will only require more validation from users if there are factors that indicate a greater security risk. Adaptive authentication causes fewer interruptions for users, who can continue working as usual without having to re-verify their identity.
  • Increased security. Adaptive authentication enhances the level of security by requesting additional authentication in cases of anomalous behavior, such as numerous login attempts from a new device. The risk score is constantly recalculated based on new information, taking into consideration the ongoing behavior of each user to detect any suspicious activity. A good example of this is a user downloading massive amounts of data (far above their average). Their subsequent logins will be more heavily challenged because their abnormal activity increased their user risk score.
  • Enhanced productivity. For users, having to provide multi-factor authentication over and over again is time-consuming and slows productivity. Adaptive authentication reduces these constant requests by adjusting the level of requirements according to the user’s profile and risk score. Therefore, in low-risk situations, the level of authentication required is lower.

Reasons to Upgrade from MFA to Adaptive Authentication

Legacy MFA is often high-risk. The traditional MFA system is far from perfect, and challenges increase as the number of users grows. Legacy MFA has several drawbacks. For instance, the user is redirected to a different service to be authenticated.

Some MFA mechanisms have security vulnerabilities baked in. For instance, SMS-based MFA is vulnerable to attackers who intercept or hijack the messages. The static nature of legacy MFA tools can’t keep up with the dynamic pace of today’s workspaces, and it needs to be enhanced with other security measures.

Authentication needs to be dynamic. The static nature of MFA makes organizations vulnerable to attacks. For instance, if all users need to use the same mechanism, say SMS OTP, there is no difference between use cases and there may be unprotected gaps.

Different authentication mechanisms need to be adapted to each use case according to the user’s location, behavior, and the intended task’s level of risk. For example, a user viewing basic information should be asked for basic authentication, and a user wanting to view more sensitive data should be prompted for further authentication.

Sometimes authorization can be fully denied if certain criteria are not met. For example, a company’s IT admins could determine that all finance/accounting employees are denied access if they use a personal device, while all other employees do not have this restriction since they would not have access to the same sensitive information. Another example might be that all employees are denied access if they are in a high-risk country unless they use a corporate network.

Adaptive authentication reduces the gap between security and user experience. Adaptive authentication solutions are designed with the user experience in mind. With adaptive authentication, you can adjust the filters and criteria, so the system only intervenes if the risk score is high. This ensures security without disrupting the user experience.
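To make the combination of static rules and a dynamic risk score concrete, here is an added illustration (not Citrix code, and not how any particular product scores risk) of a toy policy engine that applies the contractor rule, the finance/personal-device rule and the high-risk-country rule described above. The weights, thresholds, group names and country list are constructed assumptions.

```python
from dataclasses import dataclass

HIGH_RISK_COUNTRIES = {"XX"}  # constructed placeholder list of country codes
RISK_WEIGHTS = {              # weights are arbitrary assumptions for illustration
    "unknown_device": 40,     # login from a device not registered to the user
    "new_location": 25,       # country the user has never logged in from
    "off_hours": 10,          # outside the user's usual working hours
    "data_spike": 30,         # recent downloads far above the user's average
}
ALLOW, STEP_UP, DENY = "allow", "step_up", "deny"


@dataclass
class LoginContext:
    user: str
    groups: set              # e.g. {"employee"}, {"contractor"}, {"finance"}
    device_registered: bool
    corporate_device: bool
    corporate_network: bool
    country: str
    known_country: bool
    hour: int                # local hour of the login attempt, 0-23
    recent_data_spike: bool = False


def risk_score(ctx: LoginContext) -> int:
    """Dynamic part of the policy: a 0-100 score from the login context."""
    score = 0
    if not ctx.device_registered:
        score += RISK_WEIGHTS["unknown_device"]
    if not ctx.known_country:
        score += RISK_WEIGHTS["new_location"]
    if ctx.hour < 6 or ctx.hour > 22:
        score += RISK_WEIGHTS["off_hours"]
    if ctx.recent_data_spike:
        score += RISK_WEIGHTS["data_spike"]
    return min(score, 100)


def decide(ctx: LoginContext, step_up_at: int = 30, deny_at: int = 80) -> tuple:
    """Static deny rules first, then the score, then static group rules."""
    if "finance" in ctx.groups and not ctx.corporate_device:
        return DENY, "finance staff may not log in from personal devices"
    if ctx.country in HIGH_RISK_COUNTRIES and not ctx.corporate_network:
        return DENY, "high-risk country without the corporate network"
    score = risk_score(ctx)
    if score >= deny_at:
        return DENY, f"risk score {score} is at or above the deny threshold"
    # Contractors always carry a higher authentication burden, even at low risk.
    if "contractor" in ctx.groups or score >= step_up_at:
        return STEP_UP, f"risk score {score}; additional factor required"
    return ALLOW, f"risk score {score}; no extra challenge"
```

A real deployment would feed `risk_score` from a continuously updated model rather than fixed weights, but the ordering (hard denies, then score, then group rules) is the part worth copying.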

How Citrix ZTNA Delivers Secure Remote Work

Organizations are becoming increasingly complex and distributed and maintaining access security can be a constant struggle to prevent cyberattacks. Citrix improves your organization’s security posture by providing complete zero trust network access (ZTNA) to all apps with adaptive authentication and adaptive security controls.