This document discusses how adaptive authentication can improve security over traditional passwords and multi-factor authentication. It notes that passwords are often reused or weak, leading to many breaches. While multi-factor authentication adds security, it has low adoption rates due to usability issues. The document proposes that authentication should be dynamic, responsive to context like location, device and application risk level. It outlines how the WSO2 Identity Server supports adaptive authentication through scripting policies, connectivity to machine learning models, and a wide range of authentication connectors. Adaptive authentication can select steps dynamically based on the request, user attributes and behaviors, or a risk score to improve security and usability.

1. Director, WSO2
Kicking Your Enterprise Security Up a
Notch with Adaptive Authentication
Sagara Gunathunga

2. Strong Authentication

3. ‘Passwords’
are not secure!
● Over 70% of employees reuse
passwords at work.
● 59% reuse their passwords
everywhere.
● 81% of hacking-related breaches
leveraged either stolen and/or
weak passwords.
● The above rate has gone from
50% to 66% to 81% during the past
three years (2017).
Source - 2017 Verizon Data Breach Investigations Report (DBIR)

4. Support CIAM
SSO
Web App 1
Web App 2
Web App 3

5. Support CIAM
Service Provider
Identity Provider

6. API Security
ID Token Access Token Refresh Token

7. Regulatory and Industry Standards

8. App with Number of LoAs

9. How do you support
‘Strong Authentication’
?

10. Your account data
2-Step Verification
Your password
Implement Multi-
Factor Authentication

11. Break authentication into
multiple steps and verify
different authentication
factors at each step.
Multi-factor Authentication

12. 1. Knowledge
■ Something you know
■ Password, passphrase, pin, secret fact
1. Possession
■ Something you have
■ Phone, token, badge, smart card
1. Inherence
■ Something you are
■ Fingerprint, facial feature, voice
Authentication Factors

13. Multi-factor Authentication
Step 1
Step 2

14. Reality

15. Multi-factor
Authentication in
reality
90% Google users
have no 2FA

16. What is the Problem?

17. Usability
Security
Convenience
Usability

18. Solution?

19. Authentication needs to be more dynamic,
responsive and context sensitive
=
Adaptive Authentication

20. Notification
IdP offers 2nd factor
authentication based on H/W
device
Use Case: Geo Velocity
1st login from Europe
2nd login from NA
After
20 Hours
Success Fail
Notification
Block
Alex
Alex
1st
Login
2nd
Login
After 20 Hours

21. Use Case: An Application Request LoA3
Healthcare App A healthcare app request
LoA3 for authentication
IdP asks for additional
authentication based on
LoA3 configuration

22. Use Case: Authentication From New Devices
New Device
Shopping Cart App A user trying to login from
an unknown new device
IdP asks for additional
authentication steps

23. WSO2 Identity Server Offering - Overview
Scripting to define
conditional & adaptive
authentication policies
● Support JS for the scripting
● Ability to integrate with CEP and ML engines
● Out-of-the-box integration for WSO2 Stream
Processor 4.0
Wide range of
authentication connectors
● Support for hardware, mobile, biometric &
social authentication providers
● Range of production-ready connectors via
WSO2 Store
● Connector extension framework

24. WSO2 Identity Server Offering - Overview
Static Authentication Flow
● IdP offers static authentication flow to the user
● Multi-factor & Multi-option authentication
● In Multi-option authentication user can pick one
option from each step
Request-based Conditional Authentication Flow
● IdP offers dynamic authentication flow to the user
● Based on attributes of request message
authentication steps will change
● HTTP message, SAML ACR, OIDC ACR

25. WSO2 Identity Server Offering - Overview
User-based Conditional Authentication Flow
● IdP offers static authentication flow to the user
● Based on attributes of identified user
authentication steps will change
Adaptive/Risk-based Authentication Flow
● IdP offers dynamic authentication flow to the user
● Authentication steps can be based on user
behaviors, environments, history and risk score

26. Conclusions
● Everyone knows passwords are no longer
secure.
● Multi-factor authentication offers a perfect
solution but less adopted due to usability
issues.
● Multi-factor authentication needs to be
more dynamic, responsive and context
sensitive, and we called it ‘Adaptive
Authentication’
● WSO2 Identity Server can support any
adaptive or risk-based authentication use
case.

27. THANK YOU
wso2.com