Adaptive MFA
Learn how to use rules to create adaptive, risk-based authentication that challenges users only when necessary.
Adaptive MFA uses rules to intelligently determine when to challenge users based on risk factors and context. Instead of challenging every user every time, you can create policies that balance security with user experience.
How adaptive MFA works
Rules evaluate contextual information about each action to determine the appropriate response:
Common adaptive MFA scenarios
New device detection
Challenge users only when they’re signing in from an unrecognized device:
Implementation:
Location-based policies
Apply different authentication requirements based on user location:
- Known locations: Allow without challenge
- New countries: Require MFA
- High-risk regions: Block or require strong authentication
Risk-based authentication
Create rules that consider multiple risk factors:
- User behavior: Login patterns, time of day, frequency
- Device characteristics: Known vs unknown devices, device type
- Network information: IP reputation, VPN detection
- Transaction context: Amount, recipient, frequency
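One way the risk factors listed above can combine into a single allow / challenge / block decision, shown as an added example rather than this product's rule syntax or API. All names (`Context`, `Profile`, `evaluate`, `record_success`), the reputation labels, the `ZZ` placeholder region and the 1000 threshold are assumptions; blocking high-risk regions is one of the two options named above.

```python
from dataclasses import dataclass

ALLOW, CHALLENGE, BLOCK = "ALLOW", "CHALLENGE", "BLOCK"
SEVERITY = {ALLOW: 0, CHALLENGE: 1, BLOCK: 2}

# Assumed policy values for this example (not taken from the page).
HIGH_RISK_COUNTRIES = {"ZZ"}      # placeholder country code
HIGH_VALUE_AMOUNT = 1000.0        # transaction amount that triggers a challenge
TRUSTED_REPUTATIONS = {"good"}    # any other label is treated as risky

@dataclass(frozen=True)
class Context:
    user_id: str
    device_id: str
    country: str
    ip_reputation: str = "good"   # assumed labels: good / suspicious / malicious
    is_vpn: bool = False
    amount: float = 0.0

@dataclass
class Profile:
    known_devices: set
    known_countries: set

def evaluate(ctx, profile):
    """Return (outcome, reasons): the most severe rule hit wins, all hits are kept."""
    hits = []
    if ctx.ip_reputation == "malicious":
        hits.append((BLOCK, "malicious_ip"))
    elif ctx.is_vpn or ctx.ip_reputation not in TRUSTED_REPUTATIONS:
        # Unknown or missing reputation labels fail closed to a challenge.
        hits.append((CHALLENGE, "network_risk"))
    if ctx.country in HIGH_RISK_COUNTRIES:
        hits.append((BLOCK, "high_risk_region"))
    elif ctx.country not in profile.known_countries:
        hits.append((CHALLENGE, "new_country"))
    if ctx.device_id not in profile.known_devices:
        hits.append((CHALLENGE, "new_device"))
    if ctx.amount >= HIGH_VALUE_AMOUNT:
        hits.append((CHALLENGE, "high_value_transaction"))
    outcome = max((o for o, _ in hits), key=SEVERITY.get, default=ALLOW)
    return outcome, [reason for _, reason in hits]

def record_success(ctx, profile):
    """Call only after the user passed the challenge, never on the attempt itself."""
    profile.known_devices.add(ctx.device_id)
    profile.known_countries.add(ctx.country)
```

Keeping every rule hit in the returned reasons, not just the winning one, gives the audit log enough detail to tune thresholds later.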
Business-specific adaptive MFA
You can create rules based on your application’s specific data points. For example, challenge users only for high-value transactions:
Implementation:
Learn more about creating and using business-specific data in rules with custom data points.
Rule examples
Device and location combination
Transaction pattern analysis
Integration example
Financial transactions
Progressive authentication for different risk levels: