Key takeaways
Security no longer stops at the network perimeter. Through a range of identity-based attacks, intruders may have “the keys to the building,” like usernames and passwords. Adaptive authentication uses AI to measure other signals at the point of login and beyond. It is the guard at the desk, looking at the person holding the key.
Identity-based attacks accounted for 60 percent of all Cisco Talos Incident Response cases in 2024, making smarter authentication a pressing priority.
Adaptive authentication strengthens computer security by adjusting requirements based on real-time risk signals like device health, location, login behavior, and network reputation.
AI and machine learning power this process by learning what “normal” looks like for each user and flagging deviations that static rules would miss.
For security teams, adaptive authentication reduces false positives and alert fatigue while strengthening protection against credential-based attacks.
What is adaptive authentication?
Authentication asks a user to prove their identity. Adaptive authentication uses AI to require stronger proof when the circumstances of a login seem suspicious or unusual. Unlike traditional authentication, which grants access once per login, adaptive authentication may ask again, or require different forms of proof, if it detects access from a different region, for example. Given enough risk factors, it may block access entirely.
How does adaptive authentication evaluate risk?
Every login attempt carries signals, like the user’s device, network, and location. Review a history of login records, and patterns emerge, like typical times of day, local networks, and the CMO who always forgets their password on the expenses portal.
Adaptive authentication looks for unusual patterns in these attempts:
Device posture: Is this a recognized, managed device? Are its patches current? Does it meet compliance standards?
Location: Is the user logging in from a location consistent with their history? If they authenticated in Chicago an hour ago, a login from Singapore is a risk.
Login behavior: Does this match the user's normal patterns? Unusual times, unusual frequency, or unusual sequences can indicate a compromised account.
Network reputation: Is the request coming from a trusted corporate network or a known VPN? Or from a Tor exit node or an IP address associated with botnet activity?
Authentication history: Has this user failed multiple login attempts recently? Have they triggered step-up authentication before?
Once it reviews these patterns, the authentication system assigns a risk score. Consider, for example, a security analyst logging into the organization's SIEM platform from her managed laptop on the corporate network at 9 AM on a Tuesday. The system recognizes the device, the location, and the pattern. Risk score: low. She authenticates with a password, plus MFA, and gets in.
Late that evening, the same credentials appear coming from an unrecognized device. The system scores this as high risk, requires phishing-resistant MFA, and alerts the security team.
Now, we can see why adaptive authentication is closely related to risk-based authentication.
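The scoring flow described above, as an added example that is not part of the original article and is not Cisco Duo's implementation: a fixed-weight scorer stands in for the trained model, combines the listed signals (including the Chicago-to-Singapore travel check), and maps the score to allow, step-up, or block. The weights, thresholds, field names, and sample logins are assumptions constructed for illustration.

```python
import math
from datetime import datetime

# Assumed weights and thresholds; in practice the security team sets the policy.
WEIGHTS = {"unrecognized_device": 30, "new_network": 15, "flagged_ip": 40,
           "unusual_hour": 10, "recent_failures": 15, "impossible_travel": 50}
STEP_UP_AT, BLOCK_AT = 30, 80
MAX_KMH = 900  # assumed ceiling, roughly airliner cruising speed

def km_between(a, b):
    """Great-circle distance in km between two (lat, lon) pairs (haversine)."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371 * math.asin(math.sqrt(h))

def score_login(attempt, baseline, previous=None):
    """Return (score, reasons) for one attempt against a user's baseline."""
    reasons = []
    if attempt["device"] not in baseline["devices"]:
        reasons.append("unrecognized_device")
    if attempt["network"] not in baseline["networks"]:
        reasons.append("new_network")
    if attempt.get("ip_flagged"):
        reasons.append("flagged_ip")
    if attempt["time"].hour not in baseline["hours"]:
        reasons.append("unusual_hour")
    if attempt.get("recent_failures", 0) >= 3:
        reasons.append("recent_failures")
    if previous:
        hours = (attempt["time"] - previous["time"]).total_seconds() / 3600
        dist = km_between(previous["geo"], attempt["geo"])
        # Skip small location jitter; a zero or negative time gap still flags.
        if dist > 100 and dist > MAX_KMH * max(hours, 0.0):
            reasons.append("impossible_travel")
    return min(100, sum(WEIGHTS[r] for r in reasons)), reasons

def decide(score):
    return "block" if score >= BLOCK_AT else "step_up" if score >= STEP_UP_AT else "allow"

# Constructed sample data mirroring the analyst scenario above.
BASELINE = {"devices": {"laptop-042"}, "networks": {"corp"}, "hours": set(range(8, 19))}
CHICAGO, SINGAPORE = (41.88, -87.63), (1.35, 103.82)
morning = {"device": "laptop-042", "network": "corp", "geo": CHICAGO,
           "time": datetime(2025, 1, 14, 9, 0)}
evening = {"device": "unknown-7", "network": "corp", "geo": CHICAGO,
           "time": datetime(2025, 1, 14, 23, 0)}
abroad = {"device": "laptop-042", "network": "hotel", "geo": SINGAPORE,
          "time": datetime(2025, 1, 14, 10, 0)}
```

Passing the morning login as `previous` when scoring `abroad` triggers the travel check; adding `"ip_flagged": True` to that attempt pushes the score past the block threshold.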
How do AI and machine learning power adaptive authentication?
AI and machine learning make adaptive authentication possible because they learn from patterns rather than following static rules. Conditional “if X, then Y” rules can stop some attacks, but attackers have adapted to work around these basic constraints. They may use residential proxies to mask their location, compromise managed devices, or log in during business hours to blend in with normal traffic.
A machine learning model trained on an organization's login history builds a behavioral baseline for each user: devices, networks, behavior patterns, applications, and work habits. Intruders may be able to mimic some of these elements, but the security system can identify an unusual combination of signals for a user, even when each signal individually looks normal.
Say the CMO logs on using valid credentials from their personal laptop. When they make a beeline for the wire transfer app, something they have never touched before, a trained model can catch what a rule-based system misses.
Important note: AI and machine learning do not replace human judgment. These models score risk and make decisions. The security team sets the policies: what risk score triggers step-up authentication, what score blocks access, and what score generates an alert.
How does adaptive authentication compare to traditional authentication?
Adaptive authentication offers more scalability, security, and flexibility to IT and security teams while reducing friction in the end-user experience. Here is a comparison across four dimensions.
| | Static authentication | Adaptive authentication |
|---|---|---|
| User experience | Same verification steps on every login regardless of risk | Adjusts requirements based on context. Minimal friction for low-risk logins, stronger verification when risk is elevated |
| Security strength | Applies uniform controls that miss context-dependent attacks | Evaluates multiple signals together to catch threats that look legitimate individually |
| Manual effort | Security teams manage rigid rules and triage high volumes of false positives | AI-driven risk scoring automates routine decisions and surfaces real threats |
| Scalability | Adding users or applications means more rules to maintain | Machine learning models adapt to new patterns without manual rule creation |
What does AI-powered authentication look like in practice?
Two scenarios show how AI-driven risk scoring works in real environments:
Credential stuffing detection
An attacker uses a list of stolen username-password pairs to attempt logins across hundreds of accounts. Each individual attempt looks like a normal login. The AI model recognizes the pattern—rapid sequential attempts from a narrow IP range, hitting accounts that rarely log in at this time of day. It blocks the batch before any account is compromised and triggers a password reset on those accounts.
Unusual application access
A finance team member who normally accesses the accounting platform and email suddenly requests access to the source code repository at 11 PM. The credentials are valid. The device is recognized. But the behavioral baseline flags this as a significant deviation. The system requires additional verification and alerts the security team.
In each case, the AI evaluated multiple signals together rather than checking a single rule. That contextual scoring is what makes adaptive authentication effective against attacks designed to look legitimate.
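Detection logic for the credential stuffing scenario, as an added example (not from the original article or any Cisco product): a sliding-window rule stands in for the model and flags a source range that tries many distinct accounts in quick succession, while one user retrying their own password does not trigger. The window, threshold, /24 grouping (IPv4 only), and the sample events are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)  # assumed: "rapid" means within one minute
MIN_ACCOUNTS = 5                # assumed: distinct accounts per source range

def detect_stuffing(events, window=WINDOW, min_accounts=MIN_ACCOUNTS, prefix=24):
    """Return {source_network: accounts} for ranges that attempted at least
    min_accounts distinct accounts inside one sliding window.
    events is an iterable of (time, source_ip, username) tuples."""
    recent = defaultdict(deque)   # network -> (time, username) still in window
    flagged = defaultdict(set)    # network -> accounts needing a reset
    for ts, ip, user in sorted(events):
        net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        q = recent[net]
        q.append((ts, user))
        while ts - q[0][0] > window:   # drop attempts older than the window
            q.popleft()
        users = {u for _, u in q}
        if len(users) >= min_accounts:
            flagged[str(net)] |= users
    return dict(flagged)

def sample_events():
    """Constructed login attempts using documentation-reserved addresses."""
    t0 = datetime(2025, 1, 14, 3, 0, 0)
    # Eight accounts tried 4 s apart from three hosts in one /24.
    batch = [(t0 + timedelta(seconds=4 * i), f"203.0.113.{10 + i % 3}", f"user{i:02d}")
             for i in range(8)]
    # One user retrying their own password: many attempts, one account.
    retries = [(t0 + timedelta(seconds=10 * i), "198.51.100.7", "cmo")
               for i in range(6)]
    # Six different accounts from one address, but 30 minutes apart.
    slow = [(t0 + timedelta(minutes=30 * i), "192.0.2.5", f"staff{i}")
            for i in range(6)]
    return batch + retries + slow
```

The returned account set is the list a response workflow would block and queue for password reset.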
Why does adaptive authentication matter for security teams?
Static authentication policies create friction for users and security teams while failing to block certain attackers. Users face the same MFA prompts on every login regardless of risk. Security teams must field alerts triggered by rigid rules that cannot distinguish a real threat from a new coffee shop. Meanwhile, attackers who steal valid credentials walk through the front door because no rule flags a correct password on a recognized device.
Adaptive authentication addresses all three by evaluating the full context of each login:
Simpler security for users: Extra verification steps fatigue users and can even reduce vigilance. If they approve 10 or more MFA notifications per day, they may approve one from an attacker without thinking. By stepping up only when conditions change, adaptive authentication makes the prompt meaningful again. When it appears, the user notices.
Reduced false positives for security teams: An analyst should not have to investigate an alert because someone logged in from a coffee shop. The system evaluates device, location, and behavior together rather than triggering on a single signal. The result is a cleaner alert queue and more time spent on real threats.
Coverage for credential-based attacks: An attacker with a correct password and a recognized device looks legitimate to a rule-based system. But accessing a sensitive database for the first time at 3 AM is a behavioral anomaly. AI-driven risk scoring can flag the deviation that a static rule would never see.
The scale of the identity threat reinforces why this matters. Identity-based attacks accounted for 60% of the incidents Cisco Talos handled in 2024, and attackers used valid credentials for initial access in nearly 70% of ransomware cases. MFA issues, whether misconfigured, missing, or bypassed, appeared in over 40% of Talos Incident Response engagements in early 2025. A second factor alone is not enough; it needs context.
How does AI-driven risk scoring reduce false positives?
False positives include security alerts that flag unusual login behavior that does not represent any real risk. AI risk scoring considers the entire login context, rather than pinging the team based on one factor.
Consider two alerts in a security analyst's queue:
Alert one: A user logs in from a new IP address. Under a static policy, this triggers an alert. But the AI model shows the user recently traveled (via a calendar integration or recent pattern of logins), is using their managed device, and authenticated with their usual biometric. Risk score: low. The system allows access and logs the event but does not generate an alert.
Alert two: Three members of the same engineering team trigger minor behavioral anomalies within the same hour. One accesses a finance application for the first time, another downloads an unusually large file set, and the third authenticates from a device that was last seen on a different user's account. Individually, each anomaly scores low. The AI model correlates them and recognizes a pattern consistent with lateral movement from a single compromised entry point. It escalates all three to the analyst as a linked cluster.
Static rules may flag alert one and miss alert two. The AI model filters the noise and surfaces the real signal. For analysts managing hundreds of alerts per day, that difference determines whether a genuine threat gets investigated or buried in the queue.
Identity-based attacks by the numbers
The scale of credential-based threats explains why static authentication is no longer enough.
Where is adaptive authentication headed?
Adaptive authentication today evaluates risk at the moment of login. Continuous verification is next. These systems reassess trust throughout the entire session, identifying and scoring any risks that emerge. In other words, a user who authenticates normally but then behaves unusually mid-session should trigger an evaluation.
This evolution connects directly to identity threat detection and response (ITDR), a growing category that extends adaptive authentication into post-authentication monitoring. Adaptive authentication asks, "Should this user, in these circumstances, get in?" ITDR asks, "Is this user still who they claim to be, and are they doing what they should be doing?" Together, they create layered defense across the full session lifecycle.
Not all anomalies are as obvious as skipping across national borders. Security teams should expect more sophisticated AI models for detecting subtle patterns like browser navigation behavior and application usage. Device trust signals will get richer as endpoint health data feeds directly into risk scoring. Passwordless authentication will shift the security burden from "Is the password correct?" to "Is this the right person on the right device in the right context?"
Cisco Duo is building toward this future. Duo's capabilities already support several elements of continuous adaptive trust:
Dynamic routing rules that direct users to different authentication methods based on real-time risk context
Device trust evaluation that checks security posture as part of every access decision
Passwordless authentication with passwordless-only enforcement, reducing reliance on credentials attackers can steal
Breached password detection that flags compromised credentials before they are exploited
Granular enrollment policies that control which authenticators users can register, reducing the risk of an attacker enrolling their own device
Consider whether your system can grow into continuous verification. The organizations that build on platforms designed for session-level risk assessment will be better positioned as attackers shift their tactics from stealing credentials to hijacking authenticated sessions.