Adaptive authentication
Adaptive authentication adjusts security requirements based on real-time risk. Instead of always requiring the same steps, SecureAuth Connect evaluates signals like device, location, and behavior, and only prompts for additional factors when risk is elevated.
Risk Engine and LOA scoring
The Risk Engine evaluates each authentication request by running multiple risk analyzers that score signals across three domains:
| Domain | What it analyzes |
|---|---|
| Device | Device Browser Fingerprint (DBFP) collects 30+ device attributes to create unique fingerprints. Browser Trust uses AI/ML to learn login patterns and device usage over time. |
| Location and network | Geo-IP assesses risk based on IP reputation, login frequency, impossible travel detection, and VPN/Tor/proxy detection. Trusted IP and Trusted Location analyzers learn typical usage patterns by time of day. |
| Behavior | User-based and group-based time anomaly detection uses AI/ML to track individual and group login patterns, producing Application Trust Risk Scores and Known Time Group (KTG) Scores. |
Each analyzer produces a score (0–100), weighted by importance. These combine into a Level of Assurance (LOA) score that represents how confident SecureAuth Connect is that the user is who they say they are.
You set an LOA threshold in the identity pool Low (30%), Medium (60%), or High (80%). When the LOA score falls below this threshold, SecureAuth Connect triggers MFA. When the score is above the threshold, trusted users on recognized devices sign in without an additional factor, reducing friction while maintaining security.
Authentication policies
Use authentication policies for more control. Define rules that trigger based on conditions such as:
- Overall LOA score range
- Directory group membership for the user
- Source IP address or country
- Time of day or day of week
- Impossible travel or timezone mismatch
- Device type or workstation security state
Each policy rule maps a condition to an action:
| Action | Description |
|---|---|
| Automatically Approve | Approve the authentication request and skip MFA. |
| Automatically Reject | Reject the authentication request and block user access. |
| Force Out Of Band | Override all current rules and force the user to complete MFA. |
| Adjust LOA Score | Increase or decrease the LOA score for the user. |
When multiple policies apply, actions are prioritized: Reject overrides all, then Force Out Of Band, then Approve.
New users and unrecognized devices start with lower LOA scores. As SecureAuth Connect learns consistent, safe behavior, trust increases and MFA prompts decrease over time.