Subscribe to the Non-Human & AI Identity Journal

Dynamic Friction

Dynamic friction is the practice of adding more user challenge only when risk rises. Rather than forcing every user through the same experience, the system adapts its response to context, which helps preserve conversion while still reducing fraud exposure in higher-risk scenarios.

Expanded Definition

Dynamic friction is a risk-based control pattern used in digital identity, fraud prevention, and session protection. It intentionally increases user challenge only when signals suggest elevated risk, such as device anomalies, impossible travel, unusual transaction patterns, or repeated failed authentication. The goal is to preserve low-friction access for ordinary interactions while making abuse more expensive when context changes.

Unlike static step-up authentication, dynamic friction is not limited to a single fixed trigger. It can include additional verification steps, delayed actions, CAPTCHA-style checks, transaction confirmation, or tighter session controls. In practice, the term is still used somewhat loosely across vendors, so definitions vary across vendors and no single standard governs this yet. The closest governance alignment is the risk-based decisioning model reflected in NIST Cybersecurity Framework 2.0, especially where organisations tailor controls to current threat conditions.

For identity and fraud teams, the distinction matters: dynamic friction is a response strategy, not a complete identity assurance model. It depends on signals, policy thresholds, and enforcement logic that must be tuned continuously. The most common misapplication is treating all extra verification as dynamic friction, which occurs when teams apply the same challenge to every user regardless of observed risk.

Examples and Use Cases

Implementing dynamic friction rigorously often introduces a tradeoff between user convenience and abuse resistance, requiring organisations to weigh lower abandonment against stronger control at the point of risk.

  • A banking app allows routine balance checks without interruption, but prompts for reauthentication and transaction confirmation when a payment deviates from the customer’s normal device or geography.
  • An e-commerce platform permits standard checkout flows for trusted sessions, then adds step-up checks when the account shows signs of credential stuffing or unusual cart behaviour.
  • An identity verification workflow relaxes challenge levels for low-risk returning users, but increases verification depth when signals suggest synthetic identity fraud or account takeover.
  • A SaaS platform delays access to sensitive admin actions until a live session is revalidated after inactivity, suspicious login patterns, or an untrusted network context.
  • A fraud operations team tunes decision thresholds so that friction is introduced only when multiple signals align, rather than punishing every borderline event.

This approach is closely related to risk-based authentication and adaptive access decisions described in NIST SP 800-63B, where authentication requirements should match the assurance needed for the transaction or session.

Why It Matters for Security Teams

Security teams care about dynamic friction because it directly shapes the balance between fraud loss, account takeover resistance, and customer drop-off. If implemented poorly, it can either block legitimate users too often or fail to challenge attackers at the moments that matter. That makes policy tuning, telemetry quality, and escalation logic central to the control. In identity-centric environments, dynamic friction often becomes part of a broader adaptive access strategy that complements MFA, session risk scoring, and privileged action approval.

The governance challenge is that the system must remain explainable enough for operations teams to understand why a user was challenged. When friction is driven by opaque signals or inconsistent thresholds, false positives rise and help desk load increases. Where identity proofing is involved, organisations also need to ensure the added challenge is proportionate to the assurance level and the data being protected. Guidance from the NIST Digital Identity Guidelines is useful here because it frames authentication and proofing as risk- and assurance-driven decisions rather than one-size-fits-all gates.

Organisations typically encounter the full operational impact of dynamic friction only after fraud losses, login abuse, or customer complaints spike, at which point the control becomes unavoidable to tune and defend.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-63, NIST AI RMF and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework Control / Reference Relevance
NIST CSF 2.0 PR.AA Risk-based identity controls align with adaptive authentication and verification decisions.
NIST SP 800-63 AAL2 Assurance levels inform when extra authentication should be required for higher-risk actions.
NIST AI RMF Risk management guidance supports monitoring and adapting AI-driven decisioning used for friction.
OWASP Non-Human Identity Top 10 NHI-driven sessions may need adaptive checks when service identity risk increases.
NIST Zero Trust (SP 800-207) 3.3 Zero trust decisions continuously re-evaluate trust based on context and risk.

Tie friction triggers to current risk signals and document how access responses change by context.