Adaptive authentication: are your controls keeping up with risk?


(@nhi-mgmt-group)

TL;DR: Adaptive authentication uses real-time risk signals such as location, behaviour, device history, and resource sensitivity to vary authentication decisions, according to 1Kosmos. The model reduces friction for trusted users, but it also shows that static login checks are weak when account compromise, phishing, or anomalous access patterns are already in play.

NHIMG editorial — based on content published by 1Kosmos: Adaptive authentication, risk factors, and passwordless security

By the numbers:

Questions worth separating out

Q: How should security teams implement adaptive authentication without creating excessive user friction?

A: Start by using low-friction step-up only when the risk signal is strong enough to justify it.

Q: Why do static login checks fail against account compromise?

A: Static login checks only verify that a credential is valid at one moment in time.

Q: What do teams get wrong about risk-based authentication?

A: They often assume risk-based authentication is the same as strong identity governance.

Practitioner guidance

  • Map adaptive decisions to explicit policy thresholds: Define which signals trigger allow, step-up, deny, and manual review.
  • Separate authentication strength from authorization scope: Use adaptive authentication to decide who can enter, but keep entitlement reviews, least privilege, and privileged access controls responsible for what the identity can do after entry.
  • Instrument real-time telemetry for identity risk: Feed device posture, geography, behavioural anomalies, and resource sensitivity into the decision engine.

What's in the full article

1Kosmos's full article covers the operational detail this post intentionally leaves for the source:

  • Examples of how risk profiles change from low to high-risk access requests.
  • The specific biometric, PIN, and SMS challenge patterns used in adaptive authentication flows.
  • How identity proofing, SIM binding, and passwordless controls are positioned inside the broader access model.
  • The vendor's implementation framing for cloud-native APIs, SDKs, and integration coverage.

👉 Read 1Kosmos's analysis of adaptive authentication and passwordless security →

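An added example, not from 1Kosmos or the original post: one way to turn the practitioner guidance above into explicit policy thresholds, scoring device, geography, behaviour and resource-sensitivity signals into allow, step-up, manual review or deny. The field names, weights and thresholds are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional

class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step_up"
    MANUAL_REVIEW = "manual_review"
    DENY = "deny"

@dataclass(frozen=True)
class Signals:
    known_device: bool                  # device history
    device_compliant: bool              # device posture
    country: str                        # geography of this request
    usual_countries: frozenset          # countries previously seen for this identity
    behaviour_anomaly: Optional[float]  # 0.0-1.0; None means telemetry is missing
    resource_sensitivity: int           # 1 = low, 2 = medium, 3 = high

# Assumed weights (illustrative only).
WEIGHTS = {"new_device": 30, "non_compliant": 25, "new_country": 20, "behaviour": 40}
# Assumed thresholds per sensitivity tier: (step_up, manual_review, deny).
THRESHOLDS = {1: (40, 80, 100), 2: (25, 60, 90), 3: (10, 45, 75)}

def risk_score(s: Signals):
    """Return (score, reasons) so every decision can be audited."""
    score, reasons = 0, []
    for hit, key in ((not s.known_device, "new_device"),
                     (not s.device_compliant, "non_compliant"),
                     (s.country not in s.usual_countries, "new_country")):
        if hit:
            score += WEIGHTS[key]
            reasons.append(key)
    anomaly = s.behaviour_anomaly
    # Missing or out-of-range telemetry counts as worst case, never as zero risk.
    if anomaly is None or not 0.0 <= anomaly <= 1.0:
        anomaly = 1.0
        reasons.append("behaviour_telemetry_missing")
    return score + round(WEIGHTS["behaviour"] * anomaly), reasons

def decide(s: Signals):
    """Authentication outcome only; what the identity may do after entry is decided elsewhere."""
    tier = THRESHOLDS.get(s.resource_sensitivity)
    if tier is None:  # unclassified resource: fail closed
        return Decision.DENY, None, ["unknown_sensitivity_tier"]
    score, reasons = risk_score(s)
    for limit, outcome in zip(reversed(tier), (Decision.DENY, Decision.MANUAL_REVIEW, Decision.STEP_UP)):
        if score >= limit:
            return outcome, score, reasons
    return Decision.ALLOW, score, reasons
```

The same signals produce a stricter outcome as resource sensitivity rises, and the returned reasons list gives reviewers the trigger for each step-up or denial.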