Security without the hassle: The power of adaptive authentication
Learn how adaptive authentication balances strong security with a great user experience by using "step-up" verification only when it's needed. This approach helps prevent "MFA fatigue" and protects against modern threats.

What is Adaptive Authentication?
Think of adaptive authentication as a smart security guard for your digital accounts. Instead of asking everyone for the same ID every single time, it looks at a bunch of real-time clues to figure out how risky a login attempt is. If everything looks normal, it lets you in quickly. But if something seems off—like you're logging in from a new country or device—it'll ask for an extra layer of verification, like a code sent to your phone, to make sure it's really you.
Security is all about layers, a concept that's been around forever. Think about a physical building, like where you might work. You probably have a fence around the property, a security guard at the entrance, locked doors, and key cards to get to different floors or elevators. You might even have cameras watching for anything suspicious.
Each of these is a separate layer of security. The idea is that even if a bad guy gets past one layer, like hopping the fence, they still have to get past the next—and the next—making it much harder to get inside. It's the same principle for digital security.
What are common attributes reviewed for adaptive authentication?
These are the clues an adaptive authentication security guard looks for:
- User Behavior: Is the user logging in at an unusual time of day?
- Location: Is the user trying to access the system from an unexpected geographic location? (e.g., logging in from the U.S. and then an hour later from Australia).
- Device: Is the login coming from a device this user has used before, or from a device the system has never seen for them?
- Network: Is the user on a trusted network (e.g., company's Wi-Fi) or a public one?
Adaptive authentication risk levels
Based on the risk assessment, the system can take one of three actions:
- Low Risk: The user is granted access with minimal friction. For instance, if you are logging in from your usual device at home, you might only need a password.
- Medium Risk: The user is prompted for an additional layer of verification, also known as a "step-up" authentication. This could be a one-time password (OTP) sent via SMS, a push notification to their phone, or a biometric scan. This is a form of multi-factor authentication (MFA) that is triggered only when needed.
- High Risk: The user's access is blocked entirely to prevent a potential security breach.
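To make the clues and the three actions concrete, here is an added example (my own illustration, not code from Ory) that scores a login attempt from the four attributes listed above and maps the score onto allow, step-up or block. The weights, thresholds, profile fields and sample logins are all assumptions constructed for this example.

```python
"""Adaptive-authentication risk scorer (added example, not Ory's code).

Turns the clues listed above (time of day, location, device, network) into a
risk score and maps it onto the three actions: allow, step-up (MFA), block.
The weights and thresholds are assumptions chosen for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime

ALLOW, STEP_UP, BLOCK = "allow", "step_up", "block"

# Assumed weights: an unexpected country is a stronger signal than an odd hour.
WEIGHTS = {
    "unusual_time": 1,
    "new_device": 2,
    "unexpected_country": 3,
    "untrusted_network": 1,
}
STEP_UP_AT, BLOCK_AT = 2, 5   # assumed thresholds on the summed score


@dataclass
class UserProfile:
    """What the system has learned about one user's normal behaviour."""
    user_id: str
    known_devices: set = field(default_factory=set)
    usual_countries: set = field(default_factory=set)
    trusted_networks: set = field(default_factory=set)
    usual_hours: tuple = (7, 20)   # local hours during which logins are normal


@dataclass
class LoginAttempt:
    """The real-time context of one login request."""
    user_id: str
    device_id: str
    country: str
    network: str
    local_time: datetime


def risk_signals(profile: UserProfile, attempt: LoginAttempt) -> dict:
    """Evaluate each clue; True means the clue looks suspicious."""
    start, end = profile.usual_hours
    return {
        "unusual_time": not (start <= attempt.local_time.hour < end),
        "new_device": attempt.device_id not in profile.known_devices,
        "unexpected_country": attempt.country not in profile.usual_countries,
        "untrusted_network": attempt.network not in profile.trusted_networks,
    }


def risk_score(profile: UserProfile, attempt: LoginAttempt) -> int:
    """Sum the weights of every clue that fired."""
    return sum(WEIGHTS[name] for name, hit in risk_signals(profile, attempt).items() if hit)


def decide(score: int) -> str:
    """Map a score onto the three actions described above."""
    if score >= BLOCK_AT:
        return BLOCK
    if score >= STEP_UP_AT:
        return STEP_UP
    return ALLOW


def evaluate(profile: UserProfile, attempt: LoginAttempt):
    """Return (score, action, sorted list of suspicious clues) for one attempt."""
    signals = risk_signals(profile, attempt)
    score = risk_score(profile, attempt)
    return score, decide(score), sorted(name for name, hit in signals.items() if hit)


# Constructed sample: a US-based user with one known laptop and two trusted networks.
ALICE = UserProfile("alice", known_devices={"laptop-1"}, usual_countries={"US"},
                    trusted_networks={"corp-wifi", "home-wifi"})

USUAL = LoginAttempt("alice", "laptop-1", "US", "corp-wifi", datetime(2024, 5, 1, 10, 0))
NEW_PHONE = LoginAttempt("alice", "phone-9", "US", "cafe-wifi", datetime(2024, 5, 1, 10, 0))
ABROAD_AT_NIGHT = LoginAttempt("alice", "phone-9", "AU", "hotel-wifi", datetime(2024, 5, 1, 3, 0))

if __name__ == "__main__":
    for attempt in (USUAL, NEW_PHONE, ABROAD_AT_NIGHT):
        print(attempt.device_id, attempt.country, evaluate(ALICE, attempt))
```

The usual laptop on the office Wi-Fi scores 0 and is allowed through on a password alone; a new phone on a café network scores 3 and triggers step-up; a new phone from another country at 3 a.m. on a hotel network scores 7 and is blocked. Returning the list of fired clues alongside the action is worth keeping in a real system, because it is what you will want in the audit log when a user asks why they were challenged.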
Why adaptive authentication?
Adaptive authentication is all about getting the best of both worlds: strong security without the hassle.
For a legitimate user like you, it means you're not constantly bombarded with extra security questions or multi-factor authentication (MFA) prompts. You can log in quickly and easily from your usual devices and locations. This helps fight MFA fatigue, which is that feeling of being annoyed by too many security steps.
From a company's perspective, it's a dynamic way to protect against modern threats like credential stuffing and phishing. It's a key part of a "zero trust" model, where the system never blindly trusts any user and instead verifies every single login attempt based on the risk level.
What can Ory offer around adaptive authentication?
Ory allows you to automate system behavior by using "hooks" that trigger responses to specific user-related events. Hooks are a flexible way to integrate with third-party services and customize user workflows, and they are how step-up authentication is put into practice: a hook can be configured to run before or after key events like user registration, login, anomalous behavior, account recovery, location inconsistencies, and device or settings changes.
For example:
- A "before registration" hook could be used to verify a user's eligibility, such as checking if they have an invite code.
- An "after registration" hook could automatically add a new user to your company's mailing list or create an account for them in another system.
- A "before login" hook could check an IP address and ensure it's from a valid domain.
- An "after login" hook could check the location to ensure the user is from a reasonable location after the last successful login.
The actions can be tailored to specific authentication methods (e.g., password, OIDC), overriding the default behavior for a flow.
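The "after login" location check from the last bullet, worked through as an added example (my own illustration, not Ory's hook code or its webhook schema): the handler compares where this login came from with where the user's last successful login came from and denies when the implied travel speed is physically impossible. The JSON payload shape, the in-memory store of last logins, the 900 km/h plausibility threshold and the use of a non-2xx response to signal denial are all assumptions made for this example.

```python
"""After-login location check (added example, not Ory's own code).

Implements the "after login" hook idea above: compare the location of this
login with the user's last successful login and deny when the implied travel
speed is implausible. The webhook payload shape, the in-memory store and the
speed threshold are assumptions made for this example.
"""
import json
import math
from datetime import datetime

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_SPEED_KMH = 900.0   # assumption: roughly airline cruising speed


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two latitude/longitude points, in kilometres."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def check_travel(last, current, max_speed_kmh=MAX_PLAUSIBLE_SPEED_KMH):
    """Return (allowed, reason). `last` is None when the user has no login on record."""
    if last is None:
        return True, "no previous login on record"
    distance = haversine_km(last["lat"], last["lon"], current["lat"], current["lon"])
    # Clamp elapsed time to at least one second so two logins in the same
    # second from far apart are flagged instead of raising a division error.
    elapsed_h = max((current["at"] - last["at"]).total_seconds(), 1.0) / 3600.0
    speed = distance / elapsed_h
    if speed > max_speed_kmh:
        return False, f"implausible travel: {distance:.0f} km in {elapsed_h:.2f} h ({speed:.0f} km/h)"
    return True, f"plausible travel: {distance:.0f} km in {elapsed_h:.2f} h"


def handle_after_login(payload_json, store):
    """Handle one hook call. Payload shape is an assumption for this example:
    {"identity_id": ..., "geo": {"lat": ..., "lon": ...}, "at": ISO-8601}.
    Returns (http_status, response_body); non-2xx is how this example signals
    that the caller should abort the login flow."""
    payload = json.loads(payload_json)
    current = {
        "lat": payload["geo"]["lat"],
        "lon": payload["geo"]["lon"],
        "at": datetime.fromisoformat(payload["at"]),
    }
    user = payload["identity_id"]
    allowed, reason = check_travel(store.get(user), current)
    if allowed:
        store[user] = current   # this login becomes the new baseline
        return 200, {"ok": True, "reason": reason}
    return 403, {"ok": False, "reason": reason}


# Constructed sample coordinates (approximate city centres).
NYC = (40.7128, -74.0060)
BOSTON = (42.3601, -71.0589)
SYDNEY = (-33.8688, 151.2093)


def build_payload(identity_id, lat, lon, at):
    """Construct the assumed hook payload for one login."""
    return json.dumps({"identity_id": identity_id, "geo": {"lat": lat, "lon": lon}, "at": at})


def demo():
    """Run four constructed logins and return the status code for each."""
    store = {}
    t0 = "2024-05-01T09:00:00+00:00"
    t1 = "2024-05-01T10:00:00+00:00"
    return [
        handle_after_login(build_payload("user-1", *NYC, t0), store)[0],     # first login: allowed
        handle_after_login(build_payload("user-1", *BOSTON, t1), store)[0],  # ~306 km in 1 h: allowed
        handle_after_login(build_payload("user-2", *NYC, t0), store)[0],     # first login: allowed
        handle_after_login(build_payload("user-2", *SYDNEY, t1), store)[0],  # ~16,000 km in 1 h: denied
    ]


if __name__ == "__main__":
    print(demo())
```

The two failure modes a practitioner has to handle are visible in the code: a user with no prior login must not be denied, and two logins recorded in the same second must not divide by zero. In practice the baseline store would be persistent and keyed by identity, and the geolocation would come from the request's IP address, so a VPN exit or a mobile carrier gateway can move a user a long way between two honest logins; that is why this check belongs in the medium-risk, step-up tier rather than being an unconditional block.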
Adaptive authentication is a great way to increase security while reducing user friction.
Learn more about Ory
- Overview of actions triggered by events (documentation)
- Learn about the multiple products that comprise the Ory Ecosystem
- Contact us to begin a discussion around adaptive authentication or another IAM topic important to you