What is adaptive multifactor authentication (adaptive MFA)?

What is adaptive MFA?

Adaptive multifactor authentication (adaptive MFA, or A-MFA) is a multifactor authentication method that requires different or additional authentication factors based on the context surrounding a login or access request.

Imagine it’s a sunny autumn morning and you decide instead of setting up at the workstation in your office you want to work remotely from the café that just opened downtown. You order coffee, pull out your laptop and begin to log in to your company dashboard. The system instantly recognizes that you’re using a new wifi network along with a device you’ve never registered before. Instead of a blunt “access denied,” you receive a single, context‑aware prompt for a fingerprint scan.

In this situation, an extra layer of security appears because the risk is higher than normal. That seamless “as-needed” protection is the heart of adaptive multifactor authentication (A-MFA). This risk-based authentication is a smarter way to bolster your security posture while not sacrificing convenience. 

According to the IBM 2025 Cost of a Data Breach Report, the average breach now costs USD 4.4 million. This fact alone underscores why organizations can’t afford to use the same basic defenses for every user. With the rise of phishing attacks composed with artificial intelligence (AI), MFA solutions should be a minimum requirement for security. Fortunately, there are many options for implementing A-MFA, such as Auth0 and Duo. In this article, we’ll explain how adaptive MFA gauges risk in real time. We’ll also explore the use cases where it thrives and provide the foundational understanding you need to decide where it fits in your security framework.

Adaptive MFA vs. traditional MFA

By now, most of us have used multifactor authentication (MFA) at one point or another. MFA adds extra security requirements to your accounts by requiring you to prove your identity by using additional authentication methods. Like single sign-on (SSO) and two-factor authentication (2FA), MFA falls under the authentication pillar of identity and access management (IAM). Instead of the traditional method of just relying on a password, you’ll typically need two or more factors to log in. These factors fall into three main categories:

  1. Something you know, such as a password or the answer to a security question.

  2. Something you have, such as a smartphone, a security token or even a physical key (think a YubiKey that plugs into a USB port).

  3. Something you are: specifically, biometric data from a fingerprint or facial scan.

For example, you might be asked to enter your password (knowledge), then an SMS code is sent to your phone (something you have), or to scan your fingerprint (something you are). By combining these factors, MFA makes it much harder for unauthorized users to access your accounts, even if your password has become compromised. Now combine this approach with a system that applies additional security measures only when it senses a greater security risk, and you have the essence of adaptive MFA.  

Think of adaptive MFA as a supercharged step-up from traditional MFA. Invented by Abhijit Kumar Nag and Dipankar Dasgupta, this protective measure takes traditional MFA one step further. It uses contextual information from the user’s daily patterns to evaluate the risk level associated with a specific login attempt. If the risk level for a specific user login attempt is above a predetermined threshold, it will be seen as a triggering event. 

Adaptive MFA allows system administrators to rank triggering criteria based on several factors, including user roles and company assets. Take the example we used earlier, when you log in to a company dashboard from a café. If you’ve never been there before, the login might be seen as a triggering event. However, if you go there often enough and around the same time, it probably won’t be viewed as a triggering event. Alternatively, if someone attempted to access your company’s dashboard by using your credentials from a country halfway around the world the next day at an odd time, it would almost certainly raise warnings. This demonstration shows what adaptive MFA is all about: understanding the patterns of a specific user and applying extra security measures only when something seems suspicious or out of the norm. In the next section, we’ll walk through how adaptive MFA works and where it differs from traditional MFA.


How does adaptive multifactor authentication work?

Adaptive MFA is a lot like traditional MFA with some added advancements to keep your sensitive data safe and secure without sacrificing usability. Below we’ll cover the steps of adaptive MFA and how it works.

Step 1: Initial authentication

A user attempts to log in to a system (for example, a company dashboard or application) by entering a username and password, or a passkey. The system begins validating these credentials against the credentials it has stored.

Step 2: Risk assessment

This is the step that sets adaptive MFA apart from traditional MFA. Whereas traditional MFA simply requires a second factor of authentication, adaptive MFA analyzes the risk level and then determines the appropriate level of authentication for that risk.

It begins by collecting data from the current login or access request and comparing it to data from previous logins or access requests. The data can include:

  • Location: Is this area a familiar geolocation for this user or one in a different city or even country?

  • Device or device type: Is this device a company device or one that is personally owned? Is this device the usual one used to log in, or a new device? Is the login being attempted from a mobile phone when the user typically logs in from a laptop?

  • Time of day: Are these normal working hours when this employee normally logs in or is this time frame odd?

  • User behavior: What is the user attempting to gain access to while accounting for the combined factors noted previously?

  • Network: Is the request coming from a company network, a private network or a public IP address?

  • Historical data: All previous login information for this user is stored and held against the current login attempt.

A risk scoring system weighs the results and assigns a level of risk to this login attempt. For example, a login from a different country on a new device during non-work hours from an unrecognized IP address might be assigned a high level of risk.

Step 3: Authentication response

The risk score results in a context-specific authentication response. This could include:

  • Standard MFA trigger (low risk): This could be a one-time password (OTP) sent to a user’s mobile device through a push notification or an authenticator app such as Google Authenticator or Microsoft Authenticator.

  • Enhanced MFA trigger (medium risk): Here the system might apply a more rigorous method to authenticate, such as biometrics (facial or fingerprint scans) or security questions or knowledge-based authentication (questions about the specific user’s history).

  • Immediate block and alert (high risk): In high-risk instances the system might immediately block the attempted login and notify the organization’s security department.

Step 4: Continuous observation and improvement

A-MFA systems continuously monitor each user’s activity and behaviors to better identify anomalies over time. Increasingly, A-MFA systems are adopting machine learning algorithms to learn from a user’s past login or access attempts. The more login attempts the system encounters, the more adept it becomes at telling valid attempts from suspicious ones.
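As an added example, not taken from the article or from any product it names, here is a small Python risk-scoring engine that walks through Steps 2 to 4 above: it compares a login context with a user's stored history, sums constructed weights into a score, maps the score to the three response tiers, and folds a successful login back into the baseline. The weights, thresholds, field names and the sample user history are all constructed for illustration.

```python
# Added example, not from the article. Weights, thresholds and history are constructed.
from dataclasses import dataclass, field

@dataclass
class LoginContext:
    country: str
    device_id: str
    hour: int        # 0-23, local time of the request
    network: str     # "corporate", "private" or "public"

@dataclass
class UserHistory:
    countries: set = field(default_factory=set)
    devices: set = field(default_factory=set)
    work_hours: range = range(8, 19)   # 08:00-18:59 counts as normal working hours

# Constructed weights; a real deployment tunes these per role and asset sensitivity.
WEIGHTS = {"new_country": 40, "new_device": 25, "off_hours": 15, "public_network": 20}
THRESHOLDS = {"enhanced": 30, "block": 70}

def risk_signals(ctx, hist):
    """Step 2: compare the current request with what is stored for this user."""
    return {
        "new_country": ctx.country not in hist.countries,
        "new_device": ctx.device_id not in hist.devices,
        "off_hours": ctx.hour not in hist.work_hours,
        "public_network": ctx.network == "public",
    }

def risk_score(ctx, hist):
    fired = risk_signals(ctx, hist)   # sum the weight of every signal that fired
    return sum(w for name, w in WEIGHTS.items() if fired[name])

def authentication_response(score):
    """Step 3: map the score to one of the article's three response tiers."""
    if score >= THRESHOLDS["block"]:
        return "block_and_alert"
    if score >= THRESHOLDS["enhanced"]:
        return "enhanced_mfa"
    return "standard_mfa"

def learn(hist, ctx):
    """Step 4: after a successful login, fold the context into the user's baseline."""
    hist.countries.add(ctx.country)
    hist.devices.add(ctx.device_id)

# Constructed history: one office laptop, one country, logins during business hours.
HISTORY = UserHistory(countries={"US"}, devices={"laptop-01"})
CAFE = LoginContext("US", "tablet-07", 9, "public")   # new device on café wifi, 09:00
```

Calling `learn(HISTORY, CAFE)` after the café login succeeds drops the next café score from 45 to 20, which is the "if you go there often enough" behaviour described earlier.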

Diagram of adaptive mfa workflow

Why implement adaptive MFA?

Organizations adopt adaptive MFA for several reasons, including:

  • Greater level of control for system administrators: A-MFA systems let administrators increase or reduce the number of authentication requirements based on the sensitivity of the asset and/or the role of the person trying to access it.

  • Optimal usability without sacrificing security: A-MFA allows for fluidity in its authentication demands so that security matches the situation and is not a hindrance to the user experience.

  • Enhanced overall resiliency: Adopting A-MFA as part of a zero-trust security approach immediately strengthens security and significantly reduces the risk of data breaches from attacks like phishing.

Author

Bryan Clark

Senior Technology Advocate
