Join top executives in San Francisco on July 11-12, to hear how leaders are integrating and optimizing AI investments for success. Learn More

Multifactor authentication (MFA) may be important for implementing zero trust to block unauthorized users from sensitive data, but it’s also extremely inconvenient. All too often, MFA forces trusted employees to jump through hoops with one-time passwords and passcodes before they can log in to the apps they need. 

However, new risk-based authentication approaches such as those released by Cisco Duo today aim to address the inconvenience of MFA by providing a login process tailored to each individual user. 

Cisco Duo can adjust authentication requirements for users in real time, based on contextual risk. The solution uses a machine learning (ML)-based risk analysis engine to dynamically assess risk based on user “signals” such as location, behavior, security posture of the device, Wi-Fi network and the use of known attack patterns. 

The idea is to enable low-risk users to log in with a simple authentication process that can meet the needs of a zero-trust environment, while giving high-risk users additional steps in the form of one-time passcodes or biometric login data to reduce the chance of breaches. 


Transform 2023

Join us in San Francisco on July 11-12, where top executives will share how they have integrated and optimized AI investments for success and avoided common pitfalls.


Register Now

Making zero trust practical with adaptive authentication

The announcement comes as the limitations of MFA become increasingly clear. For instance, last year, Microsoft’s Cyber Signals report revealed that just 22% of Azure Active Directory identities utilize MFA, instead choosing only to authenticate with a username and password. 

One of the reasons why MFA user adoption is low is that it offers a poor user experience. If an organization bombards users with too many steps to log in to every device and application, this can quickly become overwhelming, particularly on a day-to-day basis. 

Risk-based authentication aims to remedy this issue by keeping the logging process as light as possible, unless there are contextual factors that warrant a more extensive login process. In short, it offers a more practical way to implement zero trust than traditional MFA. 

“The three main zero-trust tenets are: never assume trust, always verify, and enforce least privilege,” said Jackie Castelli, director of product marketing for Cisco Secure. “Risk-based authentication (RBA) enables a friendly implementation of the zero-trust principles of ‘never assume trust’ and ‘always verify.'”

Cisco Duo will now assess risk and adjust authentication requirements based on the level of risk, rather than asking users to reauthenticate each time they request to access a resource, said Castelli. Likewise, it can also request phishing-resistant FIDO2 security keys or a biometric login if the connection is high risk. 

“In other words, RBA fulfills the zero-trust philosophy of continuous trust verification by assessing the risk level for each access attempt in a frictionless manner for users,” said Castelli. “Higher levels of authentication are requested only when there is an increase in assessed risk.”

Looking at the risk-based authentication market 

Cisco’s new update falls within the risk-based authentication market, which researchers valued at $3.2 billion in 2020 and anticipate will reach $9.4 billion by 2026 as more organizations look to make MFA user-friendly and implement zero trust.

One of the main vendors experimenting with risk-based authentication (also known as adaptive authentication) is Okta

Okta offers adaptive MFA that assigns a risk score to login attempts based on contextual cues like location, device and IP address to decide whether to add extra authentication steps like biometric login and fingerprints or one-time passcodes. 

Okta announced $481 million in revenue in the third quarter of fiscal 2023. 

Another company experimenting with adaptive authentication is Microsoft, which recently raised $52.7 billion in revenue and offers conditional access controls based on user, device, location and real-time risk data based on user behavior. High-risk connections can trigger additional MFA steps, access limitations or password resets to enforce zero trust.

But Castelli argues that Cisco’s risk-based authentication is differentiated from other vendors due to its focus on user privacy and its unique use of behavior signals. 

First, “it respects user privacy,” said Castelli. “The signals used to assess risk do not collect or store private information. It accurately evaluates a wide and innovative variety of signals. Some of those signals, such as Wi-Fi fingerprinting, are patent pending. Some other signals, such as attack patterns, come from Cisco’s Talos threat intelligence experience and expertise.”

VentureBeat's mission is to be a digital town square for technical decision-makers to gain knowledge about transformative enterprise technology and transact. Discover our Briefings.