Adaptive MFA
Descope allows you to support adaptive MFA within your authentication flow. Adaptive MFA is a security mechanism that dynamically adjusts the authentication requirements based on various risk factors during a login attempt. Unlike traditional MFA, which consistently applies the same authentication steps (like a password and a secondary factor such as an OTP code), adaptive MFA assesses contextual information and only applies the secondary factor when certain conditions are met.
This guide covers how to implement adaptive MFA within your Descope flows.
Note
Check out our prebuilt adaptive MFA flows within our Flow Library for more examples.
Implementation
Adaptive MFA can be based on many different criteria, such as trusted device, impossible traveler, bad IP reputation, risk calculations, etc. This adaptability lets the MFA step respond to a wide range of security threats while staying out of the way of low-risk logins. Below are examples of adaptive MFA for each of these criteria, as well as a combined version that includes multiple MFA triggers.
Note
These examples start with OTP via email and then progress to MFA with OTP via SMS. However, you could utilize other authentication methods for both the primary and secondary factors.
Trusted device
A trusted device in authentication allows users to bypass additional security checks (like MFA) on pre-approved devices. These devices are recognized by unique identifiers or behavioral patterns and marked as safe for future logins. Trusted devices improve security and convenience by adding an extra layer of assurance while reducing user friction.
To implement trusted device within Descope flows for adaptive MFA, you will prompt the user whether they'd like to trust (remember) the device and then utilize the Mark Device as trusted action.
Then, on subsequent logins, add a condition that checks whether the device is trusted, and trigger MFA only when it is not.
Impossible Traveler
The impossible traveler scenario in authentication occurs when a user attempts to log in from two geographically distant locations in a short time, making it physically impossible for the person to travel between them. Descope allows you to check for this anomaly and handle user authentication differently: block or trigger MFA to verify the user.
To implement impossible traveler within Descope flows, you will utilize a condition to check for the impossible traveler scenario and then trigger MFA in the event of an impossible traveler scenario.
IP reputation
IP reputation is calculated based on known malicious activity, frequency of suspicious requests, and involvement in botnets or attacks. If an IP has a poor reputation, Descope allows you to configure adaptive MFA to trigger Multi-Factor Authentication (MFA) to add an extra layer of security before allowing access from that IP.
Note
This use case depends on an IP reputation connector such as AbuseIPDB.
Once you have configured an IP risk calculation connector such as AbuseIPDB, add the action to the flow by clicking the blue + in the top left corner, navigate to connectors, then search for the connector action and add it to the flow in the correct location.
The condition for the use case of checking IP reputation within this flow would look like the below.
Combined Use case
You may want a combined use case that utilizes multiple tiers of risk analysis within your Descope flow. Below, you can see a combined flow that implements the detailed adaptive MFA use cases above (Trusted Device, Impossible Traveler, and IP Reputation) into a single flow.
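The following is an added example, not Descope code and not how Descope's flow engine evaluates conditions. It models the combined flow above as a small policy function: a trusted device skips MFA only when no other risk signal fires, an impossible-traveler check is computed from the distance and elapsed time between the previous and current login, and an IP reputation score (a constructed 0-100 abuse-confidence value standing in for what an IP reputation connector returns) either steps up to MFA or blocks outright. All names (`LoginContext`, `decide`, the thresholds) and the sample coordinates are assumptions chosen for illustration.

```python
"""Illustrative adaptive-MFA decision engine (added example, not Descope's code)."""
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt
from typing import Optional

EARTH_RADIUS_KM = 6371.0
# Hypothetical thresholds: faster than any commercial flight counts as an
# impossible traveler; the IP score ranges are assumed, not vendor values.
IMPOSSIBLE_SPEED_KMH = 1000.0
IP_MFA_THRESHOLD = 50
IP_BLOCK_THRESHOLD = 90


@dataclass
class LoginEvent:
    lat: float
    lon: float
    ts: float  # unix seconds


@dataclass
class LoginContext:
    user_id: str
    device_id: str
    trusted_devices: set
    previous_login: Optional[LoginEvent]
    current_login: LoginEvent
    ip_abuse_score: int  # constructed 0-100 score from an IP reputation source


def haversine_km(a: LoginEvent, b: LoginEvent) -> float:
    """Great-circle distance between two login locations in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (a.lat, a.lon, b.lat, b.lon))
    dlat, dlon = lat2 - lat1, lon2 - lon1
    h = sin(dlat / 2) ** 2 + cos(lat1) * cos(lat2) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(h))


def is_impossible_traveler(prev: Optional[LoginEvent], cur: LoginEvent,
                           max_speed_kmh: float = IMPOSSIBLE_SPEED_KMH) -> bool:
    """True when the implied travel speed between logins is physically unrealistic."""
    if prev is None:
        return False  # first login we know of: nothing to compare against
    distance = haversine_km(prev, cur)
    hours = abs(cur.ts - prev.ts) / 3600.0
    if hours < 1e-9:
        return distance > 0  # two places at the same instant
    return distance / hours > max_speed_kmh


def decide(ctx: LoginContext):
    """Return (decision, reason) where decision is 'allow', 'mfa' or 'block'.

    Risk signals are checked before the trusted-device shortcut so that a
    remembered device never bypasses MFA during an anomalous login.
    """
    if ctx.ip_abuse_score >= IP_BLOCK_THRESHOLD:
        return "block", "ip_reputation"
    if is_impossible_traveler(ctx.previous_login, ctx.current_login):
        return "mfa", "impossible_traveler"
    if ctx.ip_abuse_score >= IP_MFA_THRESHOLD:
        return "mfa", "ip_reputation"
    if ctx.device_id not in ctx.trusted_devices:
        return "mfa", "untrusted_device"
    return "allow", "trusted_device"


def mark_device_trusted(ctx: LoginContext, remember: bool) -> None:
    """Mirror of the 'Mark Device as trusted' step: only on explicit user consent."""
    if remember:
        ctx.trusted_devices.add(ctx.device_id)


# Constructed sample logins: New York, then London one hour later.
NEW_YORK = LoginEvent(lat=40.7128, lon=-74.0060, ts=1_700_000_000)
LONDON_1H_LATER = LoginEvent(lat=51.5074, lon=-0.1278, ts=1_700_000_000 + 3600)
NEW_YORK_AGAIN = LoginEvent(lat=40.7306, lon=-73.9352, ts=1_700_000_000 + 3600)


def sample_context(device_trusted: bool, current: LoginEvent, ip_score: int) -> LoginContext:
    trusted = {"dev-1"} if device_trusted else set()
    return LoginContext("user-1", "dev-1", trusted, NEW_YORK, current, ip_score)


if __name__ == "__main__":
    for trusted, cur, score in [(True, NEW_YORK_AGAIN, 0), (False, NEW_YORK_AGAIN, 0),
                                (True, LONDON_1H_LATER, 0), (True, NEW_YORK_AGAIN, 95)]:
        print(decide(sample_context(trusted, cur, score)))
```

Ordering is the design choice worth copying into a real flow: evaluate the block and step-up signals first, and let the trusted-device condition short-circuit to a plain login only when every risk check has passed.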
Other Risk Calculations and Connectors
For further adaptive MFA configurations, you can utilize additional risk-based conditions in your flow. You can use built-in Descope riskInfo functions, and/or risk details collected via Connector within your adaptive MFA conditions.
Check out our Fingerprinting guide for more details.