Adaptive Risk-Based Authentication.
Authentication policy that varies the required factors and friction based on risk signals — device, location, behavior, time-of-day, recent breach data — rather than applying a uniform challenge to every login.
Adaptive auth and step-up auth are often conflated — adaptive is the broader pattern (variable friction based on risk), step-up is one specific outcome (requiring an additional factor on a high-risk action mid-session). Adaptive auth doesn't replace mandatory MFA for production deployments; it complements it by adding friction where the model says risk is unusually high, not by reducing the floor.
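The relationship described above, as an added example (not code from this page or from any vendor): risk signals can only add friction on top of a fixed MFA floor, and step-up is the mid-session case of the same decision. Signal names, weights, thresholds and the factor names are assumptions chosen for illustration.

```python
from dataclasses import dataclass

# Constructed weights and thresholds (assumptions; the page gives no values).
WEIGHTS = {
    "new_device": 30,
    "unusual_location": 25,
    "behavior_anomaly": 20,
    "odd_hour": 10,
    "breached_credential": 40,
}
STEP_UP_AT = 50   # add a factor at or above this score
DENY_AT = 90      # refuse the login at or above this score
MFA_FLOOR = ("password", "totp")   # mandatory for every login, never reduced
EXTRA_FACTOR = "webauthn"          # hypothetical additional factor


@dataclass(frozen=True)
class Decision:
    score: int
    allowed: bool
    required_factors: tuple


def risk_score(signals):
    """Sum weights of risky signals; a signal that is missing or None
    (could not be evaluated) is scored as risky, so failures fail closed."""
    unknown = set(signals) - set(WEIGHTS)
    if unknown:
        raise ValueError(f"unknown signals: {sorted(unknown)}")
    return min(100, sum(w for name, w in WEIGHTS.items()
                        if signals.get(name) is not False))


def decide_login(signals):
    """Login-time decision: risk can only add factors on top of the floor."""
    score = risk_score(signals)
    if score >= DENY_AT:
        return Decision(score, False, ())
    extra = (EXTRA_FACTOR,) if score >= STEP_UP_AT else ()
    return Decision(score, True, MFA_FLOOR + extra)


def step_up(session_factors, signals, sensitive_action):
    """Mid-session: factors still owed before a sensitive action may proceed."""
    if not sensitive_action or risk_score(signals) < STEP_UP_AT:
        return ()
    needed = MFA_FLOOR + (EXTRA_FACTOR,)
    return tuple(f for f in needed if f not in session_factors)
```

A zero-risk login still returns the full floor, which is the point of the last sentence above: the model has no path that yields fewer factors than the baseline.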
Common questions
What's the difference between adaptive and step-up authentication?
Which signals matter most for adaptive auth?
Can adaptive auth replace mandatory MFA?
In the guides
Account Takeover Defense: A Layered Approach for 2026
ATO is the single largest CIAM threat in 2026. The defense stack is layered: credential stuffing protection, MFA, session management, and recovery design, each addressing a different attack class.
Adaptive Risk-Based Authentication: Decisioning at Login
Adaptive auth scores each login against risk signals (device, geo, velocity, behavior) and challenges only when the score warrants. Patterns and where vendors diverge.