By NHI Mgmt Group Editorial Team
Published 2023-01-03
Domain: Governance & Risk
Source: 1Kosmos

TL;DR: Adaptive authentication uses real-time risk signals such as location, behaviour, device history, and resource sensitivity to vary authentication decisions, according to 1Kosmos. The model reduces friction for trusted users, but it also shows that static login checks are weak when account compromise, phishing, or anomalous access patterns are already in play.


At a glance

What this is: Adaptive authentication is a risk-based identity control that changes verification requirements in real time based on user, device, and session signals.

Why it matters: It matters because IAM teams need controls that respond to context across human access, NHI trust boundaries, and emerging autonomous workflows instead of treating authentication as a single event.



Context

Adaptive authentication is a dynamic approach to identity verification that changes the challenge level based on live risk signals instead of relying on a fixed login rule set. For IAM teams, the core issue is not whether the first login succeeds, but whether the control can still distinguish legitimate access from compromised access once behaviour changes mid-session.

The governance problem is broader than human login friction. The same risk-based logic is now being borrowed for machine identity, workload access, and agent-mediated workflows, which means the control must be understood as part of a wider identity programme rather than a standalone MFA enhancement.

Where identity trust is inferred from context, the deciding question becomes what the system assumes about the subject and the session. That assumption is exactly what attackers try to break with stolen credentials, abnormal access paths, and synthetic behaviour.


Key questions

Q: How should security teams implement adaptive authentication without creating excessive user friction?

A: Start by using low-friction step-up only when the risk signal is strong enough to justify it. Keep trusted device and behaviour paths simple, but require stronger verification when the context changes materially. The goal is not to challenge every user, but to reserve friction for access that looks unusual, high value, or inconsistent with the identity's normal pattern.

Q: Why do static login checks fail against account compromise?

A: Static login checks only verify that a credential is valid at one moment in time. If the password, token, or session is already stolen, the attacker can often pass the first gate. Adaptive authentication adds value because it keeps re-evaluating context, so the same access attempt can be treated differently when location, device, or behaviour no longer fit the expected pattern.

Q: What do teams get wrong about risk-based authentication?

A: They often assume risk-based authentication is the same as strong identity governance. In reality, it is a decision layer at the front door. It can reduce exposure from suspicious access, but it does not fix privilege sprawl, poor lifecycle management, or excessive entitlements inside the account once access has been granted.

Q: When does adaptive authentication need to be paired with Zero Trust Architecture?

A: It should be paired with zero trust whenever access decisions need to reflect context continuously rather than once at login. Zero trust supplies the broader assumption that no request is trusted by default, while adaptive authentication provides the mechanism for varying the challenge level based on live signals. Together they are stronger than either control alone.


Technical breakdown

How risk scoring changes authentication decisions

Adaptive authentication evaluates contextual signals such as location, device posture, prior behaviour, and the sensitivity of the target resource before deciding whether to allow access, step up verification, or deny the request. Unlike fixed MFA, it treats authentication as a decision process rather than a binary gate. The control can be rule-based, model-based, or hybrid, but its job is always the same: translate live risk into an access outcome. In practice, that means the quality of the signal pipeline matters as much as the authentication factor itself.

Practical implication: IAM teams need clear policy logic for which signals trigger step-up, denial, or manual review.

Why real-time assessments matter after credential compromise

Real-time assessment is the difference between reacting to the moment of access and reacting after an account has already been abused. If a password or token is stolen, a login flow that only checks static credentials has already failed conceptually. Adaptive systems try to re-evaluate each request against fresh context, which helps when the same account suddenly appears from a new location, device, or usage pattern. The technical value is not prediction alone, but continuous reclassification of trust as conditions shift.

Practical implication: teams should tie adaptive decisions to live telemetry, not to periodically refreshed user profiles.

Adaptive authentication in zero trust and NHI programmes

Adaptive authentication is often used as an input to zero trust architecture because zero trust assumes that identity, device, and network location cannot be trusted by default. That same logic becomes relevant for non-human identities, where service accounts and tokens often operate without human-style login prompts. For NHI governance, the challenge is that the authentication event may be invisible to the operator while the access path remains highly privileged. The mechanism works only when the trust decision is aligned to the identity type and its actual runtime behaviour.

Practical implication: align adaptive policy design with identity type, especially for service accounts, APIs, and workload access.


NHI Mgmt Group analysis

Adaptive authentication is a trust re-evaluation control, not a complete identity security strategy. The article correctly describes risk-based step-up, but the deeper governance issue is that the control only changes how access is challenged at the moment of authentication. It does not by itself solve credential theft, session abuse, or over-privileged access paths. Practitioners should treat it as one layer in a broader identity control stack, not as a substitute for entitlement hygiene.

Static authentication assumptions break down as soon as access context becomes the security signal. Traditional login models assume that credentials are the main proof of identity and that a successful authentication meaningfully establishes trust. That assumption weakens when devices, locations, behaviour patterns, and request sensitivity all shape the decision. The implication is that identity governance must move from one-time proof to continuous trust evaluation across the full access lifecycle.

Context-aware authentication is becoming a shared pattern across human, NHI, and agentic access. The same logic that detects unusual human logins is now being extended to machine identity and autonomous workflows, which means IAM programmes need common policy language for all three actor types. That does not mean the controls are identical. It means the governance model must understand which identity subject is being challenged and what “normal” really means for that subject.

Zero trust succeeds only when adaptive controls are paired with entitlement control. Adaptive authentication can stop suspicious access attempts, but it cannot correct the blast radius of accounts that already have too much privilege. In NHI-heavy environments, that gap is especially visible because access often runs unattended. Practitioners should therefore judge adaptive authentication as a front-door control, not a lifecycle or authorization control.

Real-time risk scoring creates a governance obligation to explain why access was allowed. Once decisions are dynamic, security teams need enough policy transparency to support investigation, audit, and exception handling. That is as true for human access as it is for machine credentials and emerging AI-driven workflows. The practical conclusion is that adaptive systems need accountable policy design, not just better challenge mechanisms.

From our research:

  • 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, according to The 2024 ESG Report: Managing Non-Human Identities.
  • Two-thirds of enterprises have endured a successful cyberattack resulting from compromised non-human identities, with a quarter encountering multiple attacks.
  • Forward pivot: If adaptive authentication is part of your NHI strategy, read Top 10 NHI Issues to see where authentication controls stop and lifecycle governance begins.

What this signals

Adaptive authentication will matter most where identity risk is already high and access paths are already dynamic. The control is useful, but it should be treated as a response to exposure, not evidence that the environment is under control. Teams that rely on it should also review whether their identities are still carrying more privilege than they need, especially where service accounts and shared access patterns are involved.

Risk-based authentication is becoming a bridge control across human, NHI, and emerging agentic access. That creates a programme design challenge: the policy language must be consistent enough to govern different identity types, but specific enough to reflect how each type behaves. If your current access model cannot distinguish a human login from a workload credential or an automated session, your adaptive policy will be too blunt to trust.

Identity programmes should now distinguish between suspicion management and access governance. Adaptive authentication helps with the first part, but entitlement scope, offboarding, and credential lifecycle still determine the size of the blast radius. For readers building out a broader programme, the next step is to align adaptive decisions with lifecycle controls and machine identity governance, not to treat it as a standalone fix.


For practitioners

  • Map adaptive decisions to explicit policy thresholds: Define which signals trigger allow, step-up, deny, and manual review. Keep the threshold logic auditable so security, IAM, and fraud teams can explain why the same identity was treated differently across sessions.
  • Separate authentication strength from authorization scope: Use adaptive authentication to decide who can enter, but keep entitlement reviews, least privilege, and privileged access controls responsible for what the identity can do after entry.
  • Instrument real-time telemetry for identity risk: Feed device posture, geography, behavioural anomalies, and resource sensitivity into the decision engine. If the risk signal arrives late, the control becomes a log viewer instead of a live defence.
  • Apply different policy models for human and non-human identities: Do not reuse human login assumptions for service accounts, API keys, or workload identities. For machine access, focus on token exposure, session scope, and downstream privilege rather than user-style prompts.
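The decision layer described in the technical breakdown and in the practitioner points above (explicit thresholds, recorded reasons for audit, and separate policy models for human and workload identities) can be sketched as a small risk-scoring engine. This is an added illustration, not 1Kosmos or NHI Mgmt Group code; the signal names, weights and thresholds are assumptions chosen for the example.

```python
from dataclasses import dataclass

# Constructed example policy engine (not vendor code). Signal names, weights
# and thresholds are assumptions chosen to illustrate the decision layer.

@dataclass
class AccessRequest:
    subject_type: str            # "human" or "workload" (assumed labels)
    known_device: bool           # device posture / registration signal
    geo_matches_history: bool    # location compared with prior behaviour
    behaviour_anomaly: float     # 0.0 (normal) .. 1.0 (highly unusual)
    resource_sensitivity: int    # 1 (low) .. 3 (high)

# Identity-type-specific policy: a workload cannot answer an interactive
# step-up prompt, so its policy goes straight from allow to review/deny.
POLICIES = {
    "human":    {"step_up": 30, "review": 60, "deny": 80},
    "workload": {"step_up": None, "review": 40, "deny": 70},
}

def score(req):
    """Return (score, reasons). Every contributing signal is recorded so the
    outcome can be explained during investigation or audit."""
    reasons, total = [], 0
    if not req.known_device:
        total += 25; reasons.append("unknown device +25")
    if not req.geo_matches_history:
        total += 20; reasons.append("location outside history +20")
    anomaly = int(40 * req.behaviour_anomaly)
    if anomaly:
        total += anomaly; reasons.append(f"behaviour anomaly +{anomaly}")
    sens = 10 * (req.resource_sensitivity - 1)
    if sens:
        total += sens; reasons.append(f"resource sensitivity +{sens}")
    return total, reasons

def decide(req):
    """Map a live risk score to allow / step_up / review / deny using the
    thresholds for the request's identity type."""
    pol = POLICIES[req.subject_type]
    total, reasons = score(req)
    if total >= pol["deny"]:
        outcome = "deny"
    elif total >= pol["review"]:
        outcome = "review"
    elif pol["step_up"] is not None and total >= pol["step_up"]:
        outcome = "step_up"
    else:
        outcome = "allow"
    return {"outcome": outcome, "score": total, "reasons": reasons}
```

The same unknown-device, new-location signals produce a step-up for a human but a manual review for a workload, which is the identity-type distinction the last practitioner point asks for.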

Key takeaways

  • Adaptive authentication improves access decisions by using real-time risk signals, but it does not replace broader identity governance.
  • The evidence base remains stark: 72% of organisations say they have experienced or suspect a non-human identity breach.
  • Practitioners should pair context-aware authentication with entitlement control, lifecycle governance, and identity-specific policy design.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0, NIST Zero Trust (SP 800-207) and NIST SP 800-63 set the governance and control requirements practitioners need to meet.

Framework                    | Control / Reference | Relevance
NIST CSF 2.0                 | PR.AA-01            | Adaptive authentication supports dynamic identity assurance at login and step-up.
NIST Zero Trust (SP 800-207) | ID.AM-1             | Zero trust requires identity-aware access decisions based on context and risk.
NIST SP 800-63               |                     | Risk-based identity assurance aligns with assurance decisions in digital identity flows.

Combine adaptive authentication with continuous verification for every sensitive access path.


Key terms

  • Adaptive Authentication: An authentication approach that changes verification requirements based on live context such as device, location, behaviour, and resource sensitivity. It is designed to reduce friction for trusted access while increasing scrutiny when risk indicators suggest compromise or abnormal activity.
  • Risk-Based Authentication: A method of access control that scores a request and chooses the next step from that score, such as allowing access, adding a challenge, or denying entry. In mature IAM programmes, it sits between identity verification and entitlement decisions, not in place of them.
  • Step-Up Authentication: An additional verification step applied when an access request looks unusual or high risk. It is commonly used to preserve usability for low-risk sessions while forcing stronger proof of identity when the context changes enough to raise concern.
  • Zero Trust Architecture: An access model that assumes no request should be trusted simply because it comes from inside the network or from a previously known identity. It requires ongoing verification, context awareness, and least-privilege access decisions across human and non-human identities.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.

This post draws on content published by 1Kosmos: Adaptive authentication, risk factors, and passwordless security.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2023-01-03.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org