Adaptive authentication login
![Adaptive Authentication High level Flow](/assets/images/adaptive-authentication-high-level-flow.drawio-9001a8fc225a0a8e392dc848cd5544ef.png)
- The user wants to access the (web) application.
- First authentication factor (username/password) is required.
- Upon successful first-factor verification, Nevis automatically collects, parses and assesses various signals from the current user's context:
  - Their current location (geo-location), using the IP2location service.
  - Their travelling distance (geo-velocity), if they previously signed in from other locations.
  - Their device, using advanced fingerprinting.
  - Their source IP's reputation, based on external IP reputation services.
- A comprehensive risk score is calculated and evaluated.
- Based on the calculated risk score and the (configurable) risk profile settings, one of three outcomes follows:
  - low risk → no extra step is needed
  - medium risk → a silent email notification is sent (with the option to distrust the session)
  - high risk → a second factor (email TAN) authentication is required as a step-up
- The user is authenticated and access is granted to the App.
How does adaptive authentication work?
Detecting whether I really am who I claim to be happens during login. While I am logging in, the Nevis risk engine evaluates how high the risk is that someone else is trying to impersonate me and take over my account.
In the usual scenario of adaptive authentication, if the risk score surpasses a certain threshold and flags a high risk for account take-over, the user is asked to present an additional authentication factor.
With nevisAdapt you have the freedom and power to fully configure your risk engine. You can decide which of the contextual and/or temporal signals the risk engine should take into consideration, how these signals should be weighted, what the thresholds should be, and what actions should be triggered if an authentication attempt is flagged as risky. That said, configuring and fine-tuning a risk engine is a highly sophisticated task that requires specialist know-how.
Therefore we have developed and tested two risk engine profiles with pre-configured signals and weights, as well as pre-configured behaviours that are triggered depending on the risk score a specific authentication attempt receives.
![nevisAdapt risk engine profiles](/assets/images/adapt-risk-score-profiles-3914643c3f30adce5737c03e8c65ac8e.png)
Behavior depending on risk score
The balanced and the strict risk engine profiles have different thresholds for what counts as a “medium” or “high” risk score. This means that in a user scenario where, with the balanced profile enabled, a user would be authenticated as usual, the same scenario with the strict profile enabled would trigger a notification or even a step-up.
To give you an impression of the fine-tuning we did for the two profiles, below you can find some common user scenarios and the behaviour each would trigger under the balanced and the strict risk engine profile.
![Adaptive authentication scenarios](/assets/images/adaptive-authentication-scenarios-2721e11342a2ed6f9303a2486eb32dc0.png)
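The following is an added illustration, not Nevis code, of how a weighted risk score and per-profile thresholds turn the same scenario into different behaviours: the four signals from the flow above are normalised and weighted, and a stricter profile escalates at lower scores. The signal weights, the thresholds, the 900 km/h travel ceiling and the sample logins are all constructed for this example and are not nevisAdapt's real values.

```python
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt

# Each signal is normalised to [0, 1] and weighted. Weights, thresholds and the
# 900 km/h travel ceiling are constructed for this example, not nevisAdapt's values.
WEIGHTS = {"location": 0.30, "velocity": 0.30, "device": 0.25, "ip": 0.15}
PROFILES = {"balanced": (0.40, 0.70), "strict": (0.25, 0.50)}  # (medium, high)
ACTIONS = {"low": "authenticate", "medium": "notify-email", "high": "step-up-email-tan"}

@dataclass
class Login:
    lat: float       # geo-location resolved from the source IP
    lon: float
    ts: float        # unix timestamp of the attempt
    device_id: str   # device fingerprint
    ip_bad: bool     # flagged by an external IP reputation service

def distance_km(a: Login, b: Login) -> float:
    """Great-circle distance (haversine) between two login locations."""
    dlat, dlon = radians(b.lat - a.lat), radians(b.lon - a.lon)
    h = sin(dlat / 2) ** 2 + cos(radians(a.lat)) * cos(radians(b.lat)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def signals(cur: Login, history: list[Login]) -> dict[str, float]:
    """Derive the four signals from the user's previous sign-ins."""
    sig = {"location": 0.0, "velocity": 0.0, "device": 0.0, "ip": float(cur.ip_bad)}
    if not history:  # no baseline yet: only IP reputation can contribute
        return sig
    prev = history[-1]
    hours = max((cur.ts - prev.ts) / 3600.0, 1 / 60)  # floor at one minute
    sig["location"] = float(all(distance_km(h, cur) > 50 for h in history))
    sig["velocity"] = min(distance_km(prev, cur) / hours / 900.0, 1.0)  # 1.0 = impossible travel
    sig["device"] = float(all(h.device_id != cur.device_id for h in history))
    return sig

def risk_score(sig: dict[str, float]) -> float:
    return sum(WEIGHTS[k] * v for k, v in sig.items())

def decide(score: float, profile: str) -> str:
    medium, high = PROFILES[profile]
    level = "high" if score >= high else "medium" if score >= medium else "low"
    return ACTIONS[level]

def evaluate(cur: Login, history: list[Login], profile: str) -> str:
    return decide(risk_score(signals(cur, history)), profile)

if __name__ == "__main__":  # constructed scenario: new location, same device, three days apart
    print({p: evaluate(Login(51.5074, -0.1278, 72 * 3600.0, "laptop-A", False),
                       [Login(47.3769, 8.5417, 0.0, "laptop-A", False)], p) for p in PROFILES})
```

With these constructed values the three-day trip on a known device is authenticated as usual under the balanced profile but triggers the silent email notification under the strict one; adding an unknown device to the same trip moves the balanced profile to a notification and the strict profile to a step-up.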
Simple Events
Besides the sophisticated and advanced risk engine of nevisAdapt, which can be fine-tuned down to the smallest detail for your specific use cases, we have also developed a somewhat simpler but nonetheless highly effective rule-based risk engine.
Simply choose from pre-defined events, decide on the desired behaviour that should be triggered with “if-then” rules, and you are good to go.
![nevisAdmin 4 Simple Events - pattern](/assets/images/nevisAdmin4-Simple-Events-pattern-c44f3f7ea425c53612fd08e19ec79fc8.png)
Below are a few technical use cases where “simple events” in nevisAdmin 4 may already satisfy your adaptive authentication needs.
You can trigger a step-up, send an email notification or block the user if, for example, they try to sign in from:
- a specific country (you decide which countries should be on that list)
- a new device
- a new location
- a new IP
Everything you can do with simple events, you can also do with custom risk profiles in nevisAdapt.