Autional logo
Tech 9 min #MFA#Security#AI

Adaptive MFA: Risk-Based Intelligent Authentication

Multi-factor authentication (MFA) is the first line of defense against account takeover, but the biggest problem with traditional MFA strategies is: they treat everyone the same.

An employee logging in from the same laptop, same IP, same city every day faces the exact same TOTP challenge as a user suddenly logging in from a strange device and a remote IP. The former finds it annoying; the latter may not have enough protection.

Autional’s Adaptive MFA was built to solve this very contradiction.

What Is Adaptive MFA?

Adaptive MFA, also known as Risk-Based Authentication (RBA), has a simple core idea:

Authentication strength should be proportional to the risk level of the current login.

The system computes a real-time risk score at each login attempt, then automatically selects the authentication strategy based on that score:

Risk LevelScore RangeAuth StrategyUser Experience
Low0 - 30Password only, skip MFAFrictionless, one-click login
Medium31 - 60Password + TOTP or SMS codeEnter 6-digit code
High61 - 85Password + Hardware Security Key (FIDO2) + SMSInsert hardware key + enter code
Critical86 - 100Deny login, trigger alertAccount temporarily locked

This is not a static rule — it’s dynamically computed. The same user logging in from the corporate network on a weekday morning might be low risk, but logging in from another country at weekend midnight becomes high risk.

Autional’s Risk Assessment Engine: 7 Dimensions

Autional’s Adaptive MFA engine doesn’t rely on a single signal but synthesizes information across 7 dimensions to build a risk profile:

1. Device Fingerprint (Weight: 25%)

Device Fingerprint: • Browser fingerprint  • OS version  • Screen resolution  • Installed fonts
                     • WebGL renderer  • Canvas fingerprint  • Hardware concurrency

First-time device → score +20. Device previously logged in successfully → score -10 (risk reduction). Autional embeds a lightweight JavaScript SDK on the login page that generates a device fingerprint and sends it with the request. Fingerprint hashes are stored in the known_devices table, protecting user privacy — we store hashes only, never raw fingerprint data.

2. IP Reputation (Weight: 20%)

IP Reputation Query: → Known proxy/VPN? → Datacenter IP? → Tor exit node?
                      → Failed login count from this IP in last 24h → GeoIP database match

Autional integrates an IP reputation database to query the risk labels of login IPs in real time. Proxy, VPN, and Tor exit nodes automatically receive risk score increases. It also maintains internal statistics: when failed login attempts from the same IP within 24 hours exceed a threshold, that IP’s risk score continues to rise.

3. Geolocation (Weight: 15%)

Geolocation Analysis: • Current login city vs. historical cities
                      • Physical distance / time delta between two logins → is it possible?
                      • Is the country on the admin-configured high-risk region list?

If a user’s last login was in Tokyo and they log in from New York 15 minutes later — physically impossible — the system automatically flags it as critical risk. Autional’s GeoIP resolution reaches city-level accuracy, and admins can configure high-risk countries and whitelisted countries in MFA policies.

4. Behavioral Pattern (Weight: 15%)

Behavioral Analysis: • Keyboard input rhythm (typing speed, key intervals)
                      • Mouse movement trajectory (acceleration, direction change frequency)
                      • Form filling order (Tab key usage, inter-field dwell time)

This is one of the most subtle yet effective signals. Even if an attacker steals the correct password and TOTP seed, mimicking the user’s typing rhythm and mouse movement patterns is extremely difficult. Autional’s lightweight behavioral SDK collects these patterns in the background and establishes a baseline using simple statistical models (rather than complex machine learning). Deviations exceeding 2 standard deviations from the baseline → risk score increase.

5. Time Factor (Weight: 10%)

Time Analysis: • Is the login time within the user's usual active hours?
                • Is it a weekend or holiday?
                • Time since last login (returning from vacation vs. abnormal activity spike)

Most users have regular activity patterns — Monday through Friday, 8:00 - 22:00. A login at 3 AM may not be an attack, but it should raise a higher alert. Autional maintains a per-user UTC-based active hour model that automatically adapts to users in different time zones.

6. Login Failure History (Weight: 10%)

In the past 30 minutes for this account: failures ≥ 3 → +15 points; failures ≥ 5 → +25 points; failures ≥ 10 → directly flagged as critical risk.

This dimension uses linear weighting because brute-force attacks have a very clear signature — rapid retries after consecutive failures.

7. Sensitive Operation Context (Weight: 5%)

Not all operations carry the same risk. Viewing a profile → low risk; changing a linked phone number → medium risk; deleting an account → high risk; transferring large funds → critical risk.

Autional allows admins to configure different risk thresholds for different API endpoints. The same user in the same session may require different levels of authentication to access different features.

Risk Scoring Algorithm

Total Risk Score = Σ (Dimension Score × Weight)
                  + Adversarial Bonus (accumulated for multiple near-threshold assessments)

Final Score Range: 0 - 100

Key design decision: the score leans conservative. When data for a dimension is unavailable (e.g., user disabled behavior tracking), the default score for that dimension is the median, not zero. Better to ask for one more verification step than to let someone through due to insufficient information.

Adversarial Bonus Mechanism

If an attacker tries once → triggers medium risk → enters TOTP. Second attempt → same device → if the device fingerprint looks normal → risk might decrease.

To prevent this kind of “slow probing” attack, Autional introduces an adversarial bonus: when multiple logins requiring MFA verification occur within a short time window (15 minutes), even if each individual risk score is below the threshold, the system accumulates a bonus score that gradually pushes the total higher.

MFA Policy Configuration: Full Control for Admins

Autional’s Adaptive MFA is not a black box. Admins can see the following in the mfa-service management console:

  1. Policy Templates: Three presets — “Loose” (UX-first), “Standard” (balanced), “Strict” (security-first)
  2. Custom Risk Thresholds: Score ranges for each risk level (low/medium/high/critical) are fully configurable
  3. Dimension Weight Adjustment: If an enterprise deploys hardware keys organization-wide, reduce device fingerprint weight; if employees travel frequently, reduce geolocation weight
  4. Whitelists & Blacklists: IP whitelist (office network), user group whitelist (admins), country blacklist
  5. Audit Logs: Detailed records for each risk assessment — each dimension’s score, which dimensions triggered increases, and the final decision
# MFA Policy Configuration Example
mfa_policy:
  name: "Enterprise Standard Policy"
  risk_thresholds:
    low: 30      # ≤30 skip MFA
    medium: 60   # 31-60 TOTP/SMS
    high: 85     # 61-85 hardware key
    critical: 100 # 86-100 deny
  dimension_weights:
    device_fingerprint: 25
    ip_reputation: 20
    geolocation: 15
    behavior_pattern: 15
    time_factor: 10
    login_failure_history: 10
    sensitive_operation: 5
  adversarial_bonus:
    enabled: true
    window_seconds: 900
    max_bonus: 25
  geo_rules:
    high_risk_countries: ["XX", "YY"]
    whitelist_countries: ["CN", "US", "SG"]
  ip_whitelist: ["10.0.0.0/8", "172.16.0.0/12"]

Real-World Results: Three Case Studies

Case 1: E-Commerce Platform

  • Volume: 500,000 daily logins
  • Before Adaptive MFA: All logins required TOTP, customer service reported poor login experience
  • After Adaptive MFA: Most logins assessed as low risk (MFA skipped), significantly improving user experience
  • Security incidents: No significant change in account takeover rate

Case 2: Financial SaaS

  • Volume: Low-frequency but high-value logins
  • MFA Policy: Used “Strict” template, high-risk operations (transfers, binding changes) additionally triggered hardware keys
  • Result: Effectively identified account takeover attacks — even with correct passwords and TOTP, attackers were blocked by hardware key requirements triggered by abnormal device fingerprints and behavior patterns

Case 3: Global Remote Team

  • Challenge: Employees distributed worldwide with different time zones, fixed MFA policies had extremely high false-positive rates
  • Solution: Enabled behavioral pattern and time factor dimensions; Autional automatically learned each employee’s active hours
  • Result: Precisely identified a social engineering attack — an attacker used the COO’s publicly available travel itinerary to attempt login during “business trip overnight.” The geolocation dimension detected an unusual city, triggering a high-risk assessment, and the attack failed

User Experience: How to Avoid User Friction

The ultimate enemy of security measures is not the attacker — it’s the user. If MFA is too cumbersome, users will find ways around it — using simple passwords, disabling MFA (if optional), or even switching to competitors.

Autional made three key design decisions for user experience:

1. Progressive Introduction Don’t force all users to enable MFA suddenly. First, run in “Loose” mode for a week, recording risk assessments without blocking. In the second week, start triggering TOTP for high-risk logins while leaving medium and low risk unchanged. Users gradually adapt without the resistance of “suddenly being blocked.”

2. Transparent Risk Prompts When medium-risk MFA is triggered, show a friendly message: “We noticed you’re logging in from a new device. To protect your account, please complete additional verification.” — explaining why MFA is needed makes users more willing to comply.

3. Remember Trusted Devices Users can check “Trust this device for 30 days.” During the trust period, the device fingerprint dimension is skipped for the same device, but other dimensions (IP, location, behavior) remain active. This balances security and convenience.

Future Direction: AI-Driven Continuous Adaptive Authentication

Autional’s Adaptive MFA currently assesses risk only at login time. In the next phase, we are exploring Continuous Adaptive Authentication:

  • In-Session Behavior Monitoring: After login, continuously analyze user operation patterns. If abnormal behavior suddenly appears (e.g., bulk data download, accessing never-before-used features), dynamically increase the risk score and require re-authentication.
  • Multi-Modal Biometrics: Combine keyboard/mouse behavior, touch gestures, and even signals from browser extensions to build a more accurate user profile.
  • Federated Learning: Train more accurate risk models across tenants without sharing raw data. Each enterprise’s data stays within its domain, but models can learn from global patterns.

The future of authentication is not “harder passwords” or “more CAPTCHAs” — it’s making authentication invisible to legitimate users while making it impossible for attackers to get through. That is the core philosophy of Adaptive MFA.

Autional’s Adaptive MFA engine is open source. Visit our GitHub repository for implementation details and integration documentation.

Return to all blog posts