Citrix Blogs

Why should you evolve your multi-factor authentication to adaptive authentication?

As organizations embrace digital transformation, the need to protect data and control who accesses it increases. Distributed workforces and online users compound the challenge since they often need remote access to critical apps and data. Many organizations also have regulatory responsibilities to protect user data according to the data safety regulations required for different industries.

Enhancing your authentication systems is an important aspect of achieving this. There are two main types of authentication methods: multi-factor authentication and adaptive authentication (also called risk-based authentication). This post will provide an overview of these methods and why you should upgrade to adaptive authentication.

What is Multi-Factor Authentication?

Years ago, as users began to access online services and resources, the need for identity and access management (IAM) emerged. For a while, traditional IDs and passwords were sufficient to create a secure authentication process. As the digital world grew, however, the number of users also increased exponentially — as did cybersecurity risks. Attackers can now easily crack IDs and passwords via brute force attacks and social engineering tactics, leading to data breaches.

When Colonial Pipeline was attacked in late 2021, one of the vulnerabilities attackers exploited was one-factor authentication. The hacked password was a complex one, but relying on a single form of authentication still makes for weak security.

Multi-factor authentication is a technology created to answer these access management security challenges.


Multi-factor authentication (MFA) is a security protocol that requires a user to verify their identity by providing two or more factors.


MFA creates an additional layer of defense, making it harder for an unauthorized user to access a system or network. When there are extra factors, even if one of them is compromised, the attacker still has to breach further lines of defense.

MFA is used to enhance access security across industries, and for an array of use cases. What can you use MFA for?

Types of Authentication Factors

MFA uses different types of authentication factors from several categories:

By increasing the barriers attackers must face, multi-factor authentication improves the security of a system. However, there should be a balance between adding security layers and providing a frictionless user experience.

Benefits of Using Multi-Factor Authentication (MFA)

There are several benefits of using multi-factor authentication:

As many benefits as multi-factor authentication offers, it has several drawbacks — for example, disrupting the user experience. Risk-based adaptive authentication offers a smoother experience and enhanced security.

What is Adaptive Authentication?

Adaptive authentication, also called risk-based authentication (RBA) or adaptive multi-factor authentication (adaptive MFA), is a mechanism that verifies user identity and authorization levels based on a combination of factors such as user role, location, device type, and behavior. Adaptive authentication uses these contextual factors to create a profile of how an individual user or user group must authenticate. These factors are continuously assessed throughout the session, delivering zero trust and improving security.

How Does Adaptive Authentication Work?

Compared with MFA, adaptive authentication is more dynamic, and security requirements can change according to the user's role, location, or situation. Since every employee, vendor, or partner has different access needs, capabilities, and endpoints in a given login session, IT security policies must be adaptable.

Adaptive or risk-based authentication can be based on static policies, dynamic policies, or a combination of both. Adaptive authentication using dynamic policies calculates a risk score for users any time they access the system. Risk scores are assigned based on the user's context, such as location, role, their registered devices, and more. This score is assessed in real time using machine learning. When a user wants to log in, they are given authentication options according to their score. With a higher risk level, additional security challenges can be presented.

In a static policy, the user group/identity rules would determine the level of authentication required. For example, a contractor will have higher levels of authentication and a limited amount of access to the network (granted access on a per application basis). In this example, the contractor may have a very low user risk score but could still require a higher burden of authentication.

Adaptive authentication can be set up to require additional security measures like two-factor authentication when a user logs in from a less secure device, network, or location, to name a few factors. For example, a hybrid employee would be treated differently when they're at their personal computer compared to when they're at work on their work laptop or using the corporate network. Adaptive authentication would also come into play when they log in from an unknown device in an unknown location.

Adaptive Authentication Benefits

Adaptive authentication (or risk-based authentication) has many benefits and several advantages over multi-factor authentication. The best adaptive authentication vendors will provide the following features:

Reasons to Upgrade from MFA to Adaptive Authentication

Legacy MFA is often high-risk. The traditional MFA system is far from perfect, and challenges increase as the number of users grows. Legacy MFA has several drawbacks. For instance, the user is redirected to a different service to be authenticated.

MFA mechanisms have security vulnerabilities baked in. For instance, SMS MFAs are prone to attackers who hijack messages. The static nature of legacy MFA tools can’t keep up with the dynamic pace of today’s workspaces, and it needs to be enhanced with other security measures.

Authentication needs to be dynamic. The static nature of MFA makes organizations vulnerable to attacks. For instance, if all users need to use the same mechanism, say SMS OTP, there is no difference between use cases and there may be unprotected gaps.

Different authentication mechanisms need to be adapted to each use case according to the user’s location, behavior, and the intended task’s level of risk. For example, a user viewing basic information should be asked for basic authentication, and a user wanting to view more sensitive data should be prompted for further authentication.

Sometimes authorization can be fully denied if certain criteria are not met. For example, a company's IT admins could determine that all finance/accounting employees are denied access if they use a personal device, but all other employees do not have this restriction since they would not have access to the same sensitive information. Another example might be that all employees are denied access if they are in a high-risk country unless they use a corporate network.
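The static policies, risk scoring and deny rules described under "How Does Adaptive Authentication Work?" and in the paragraphs above can be combined in one policy evaluator. This is an added example, not Citrix code: the weights, threshold, role names and the "XX" country code are constructed assumptions, and a fixed additive score stands in for the machine-learning scoring the post mentions.

```python
from dataclasses import dataclass

# Constructed values for illustration; not Citrix policy or product settings.
HIGH_RISK_COUNTRIES = {"XX"}   # placeholder country code
RISK_WEIGHTS = {"unknown_device": 40, "personal_device": 20,
                "off_corp_network": 15, "unknown_location": 25}
STEP_UP_THRESHOLD = 30         # score at or above this requires a second factor


@dataclass(frozen=True)
class LoginContext:
    role: str                  # hypothetical roles: employee, finance, contractor
    device: str                # corporate, personal or unknown
    on_corp_network: bool
    country: str
    known_location: bool
    sensitive_resource: bool = False


def risk_score(ctx):
    """Dynamic policy: additive score built from contextual signals."""
    score = 0
    if ctx.device == "unknown":
        score += RISK_WEIGHTS["unknown_device"]
    elif ctx.device == "personal":
        score += RISK_WEIGHTS["personal_device"]
    if not ctx.on_corp_network:
        score += RISK_WEIGHTS["off_corp_network"]
    if not ctx.known_location:
        score += RISK_WEIGHTS["unknown_location"]
    return score


def decide(ctx):
    """Return (decision, reason); decision is 'deny', 'step_up' or 'allow'."""
    # Deny rules run first, so a low risk score can never override them.
    # Any non-corporate device is treated as personal here (fail closed).
    if ctx.role == "finance" and ctx.device != "corporate":
        return "deny", "finance role on non-corporate device"
    if ctx.country in HIGH_RISK_COUNTRIES and not ctx.on_corp_network:
        return "deny", "high-risk country outside corporate network"
    # Static policy: group membership sets a floor regardless of the score.
    if ctx.role == "contractor":
        return "step_up", "static policy for contractors"
    if ctx.sensitive_resource:
        return "step_up", "sensitive resource requested"
    score = risk_score(ctx)
    if score >= STEP_UP_THRESHOLD:
        return "step_up", f"risk score {score}"
    return "allow", f"risk score {score}"
```

The order of checks is the point: the contractor case returns `step_up` even with a risk score of 0, matching the static-policy example above.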

Adaptive authentication reduces the gap between security and user experience. Adaptive authentication solutions are designed with the user experience in mind. With adaptive authentication, you can adjust the filters and criteria, so the system only intervenes if the risk score is high. This ensures security without disrupting the user experience.

How Citrix ZTNA Delivers Secure Remote Work

Organizations are becoming increasingly complex and distributed, and maintaining access security to prevent cyberattacks can be a constant struggle. Citrix improves your organization's security posture by providing complete zero trust network access (ZTNA) to all apps with adaptive authentication and adaptive security controls.
