Adaptive MFA

Descope allows you to support adaptive MFA within your workflow. Adaptive MFA is a security mechanism that dynamically adjusts the authentication requirements based on risk factors observed during a login attempt. Unlike traditional MFA, which applies the same authentication steps on every login (for example a password plus a secondary factor such as an OTP code), adaptive MFA evaluates contextual signals and adds the extra step only when the login looks risky.

This guide covers how to implement adaptive MFA within your Descope flows.

Note

There are also prebuilt adaptive MFA example flows within the Descope Library, which you can explore.

Implementation

Adaptive MFA can key off many different criteria: whether the device is trusted, impossible-traveler detection, IP reputation, calculated risk scores, and so on. Because the trigger is chosen per login, the same flow can respond to a wide range of threats without forcing a second factor on every user every time. Below are examples of adaptive MFA for each of these criteria, followed by a combined flow that uses multiple MFA triggers.

Note

These examples start with OTP via email and then step up to MFA; however, you can begin with other authentication methods such as SSO, Magic Link, etc. These flows also use OTP via SMS as the MFA method; you could swap that authentication action for other MFA methods such as Authenticator Apps (TOTP), Biometrics (Passkeys), etc. The image below shows the starting point of the flow that the following examples build on.

[Image: Basic start to an adaptive MFA flow within Descope]

Trusted device

A trusted device in authentication allows users to bypass additional security checks (like MFA) on pre-approved devices. These devices are recognized by unique identifiers or behavioral patterns and marked as safe for future logins. Trusting a device reduces friction on repeat logins, but it is a deliberate relaxation of MFA for that device: anyone who can use the device, or replay whatever identifies it, inherits the exemption. Treat the trust as bounded (for example, give it a lifetime and revoke it when the user's credentials are reset) rather than permanent.

To implement trusted device within Descope flows for adaptive MFA, prompt the user whether they'd like to trust (remember) the device, and if they agree, use the Mark Device as trusted action.

[Image: Add a prompt screen and Mark Device as trusted action within a Descope flow to enable adaptive MFA for trusted device]

Then, on subsequent logins, add a condition that checks whether the device is trusted, and route the flow to MFA when it is not.

[Image: Add a condition to check if a device is trusted within a Descope flow to enable adaptive MFA for trusted device]

Impossible Traveler

The impossible traveler scenario in authentication occurs when a user logs in from two geographically distant locations within a time window too short for anyone to have physically traveled between them. Descope allows you to check for this anomaly and handle the login differently: block it, or trigger MFA to verify the user.

To implement impossible traveler detection within Descope flows, add a condition that checks for the impossible traveler scenario and route the flow to an MFA step when the condition matches.

[Image: Add a condition to check for impossible traveler within a Descope flow to enable adaptive MFA]

[Image: Completed impossible traveler Descope flow to enable adaptive MFA]

IP reputation

IP reputation is calculated from known malicious activity, the frequency of suspicious requests, and involvement in botnets or attacks. If the client IP has a poor reputation, Descope allows you to configure adaptive MFA to trigger MFA as an extra check before allowing access from that IP.

Note

This use case depends on an IP reputation connector such as AbuseIPDB.

Once you have configured an IP risk calculation connector such as AbuseIPDB, add the connector action to the flow: click the blue + in the top left corner, navigate to connectors, search for the connector action, and place it in the flow before the condition that will read its result.

[Image: Completed risky IP reputation Descope flow to enable adaptive MFA]

The condition that checks the IP reputation result within this flow looks like the following.

[Image: Add a condition to check for risky IP reputation within a Descope flow to enable adaptive MFA]

Combined Use case

You may want a combined use case that applies multiple tiers of risk analysis within a single Descope flow. Below is a combined flow that implements the adaptive MFA use cases detailed above (Trusted Device, Impossible Traveler, and IP Reputation). When combining them, evaluate the risk conditions before the trusted-device check, so that a remembered device does not exempt a login that is already flagged as anomalous.

[Image: An example of an adaptive MFA flow within Descope which implements IP Reputation, trusted device, and impossible traveler]
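To make the combined decision concrete, the following Python is an added example written for this page; it is not Descope flow code and does not use the Descope SDK. It models the same conditions the flow editor wires together above (trusted device, impossible traveler, IP reputation) and goes one step beyond the flows shown by also folding in riskInfo.botDetected and riskInfo.riskScore as extra tiers. The LoginEvent and RiskInfo structures, the thresholds, the device identifier, the trust lifetime and the sample logins are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from math import asin, cos, radians, sin, sqrt
from typing import Dict, List, Optional, Tuple

# Thresholds are assumptions for this example; tune them to your own risk appetite.
MAX_PLAUSIBLE_SPEED_KMH = 900.0   # roughly airliner speed; faster than this is "impossible"
IP_ABUSE_THRESHOLD = 50           # AbuseIPDB-style 0..100 abuse confidence score (assumed)
RISK_SCORE_THRESHOLD = 0.7        # riskInfo.riskScore assumed to be on a 0..1 scale
TRUST_TTL = timedelta(days=30)    # how long "remember this device" stays valid (assumed)


@dataclass
class LoginEvent:
    user_id: str
    device_id: str   # assumed: a stable identifier the client presents (cookie, fingerprint)
    lat: float
    lon: float
    at: datetime


@dataclass
class RiskInfo:
    """Uses the riskInfo.* field names the guide refers to; the values here are assumed."""
    botDetected: bool = False
    riskScore: float = 0.0


@dataclass
class Decision:
    require_mfa: bool
    reasons: List[str]


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in kilometres between two lat/lon points."""
    p1, p2 = radians(lat1), radians(lat2)
    a = sin(radians(lat2 - lat1) / 2) ** 2 + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def impossible_traveler(prev: Optional[LoginEvent], cur: LoginEvent) -> bool:
    """True when getting from prev to cur would need a physically implausible speed."""
    if prev is None:
        return False  # first login we know of: nothing to compare against
    km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
    hours = (cur.at - prev.at).total_seconds() / 3600.0
    if hours <= 0:
        return km > 1.0  # same instant (or clock skew): two distant places at once
    return km / hours > MAX_PLAUSIBLE_SPEED_KMH


class TrustedDeviceStore:
    """Server-side record of remembered devices, keyed per user and device, with expiry."""

    def __init__(self) -> None:
        self._trust: Dict[Tuple[str, str], datetime] = {}

    def mark_trusted(self, user_id: str, device_id: str, now: datetime) -> None:
        self._trust[(user_id, device_id)] = now + TRUST_TTL

    def is_trusted(self, user_id: str, device_id: str, now: datetime) -> bool:
        expiry = self._trust.get((user_id, device_id))
        return expiry is not None and now < expiry

    def revoke_all(self, user_id: str) -> None:
        """Call on password reset or account recovery so old device trust does not survive."""
        self._trust = {k: v for k, v in self._trust.items() if k[0] != user_id}


def decide(cur: LoginEvent, prev: Optional[LoginEvent], ip_abuse_score: int,
           risk: RiskInfo, store: TrustedDeviceStore) -> Decision:
    """Combined policy: any risk signal forces MFA; only a clean login on a trusted device skips it."""
    reasons: List[str] = []
    if risk.botDetected:
        reasons.append("bot detected")
    if ip_abuse_score >= IP_ABUSE_THRESHOLD:
        reasons.append(f"ip abuse score {ip_abuse_score} >= {IP_ABUSE_THRESHOLD}")
    if impossible_traveler(prev, cur):
        reasons.append("impossible traveler")
    if risk.riskScore >= RISK_SCORE_THRESHOLD:
        reasons.append(f"risk score {risk.riskScore:.2f} >= {RISK_SCORE_THRESHOLD}")
    if reasons:
        return Decision(True, reasons)
    if store.is_trusted(cur.user_id, cur.device_id, cur.at):
        return Decision(False, ["trusted device and no risk signals"])
    return Decision(True, ["device not trusted"])


def run_demo() -> List[Decision]:
    """Constructed sample: New York login, device remembered, then London two hours later."""
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    store = TrustedDeviceStore()
    first = LoginEvent("alice", "laptop-1", 40.7128, -74.0060, t0)
    d1 = decide(first, None, 0, RiskInfo(), store)            # MFA: device not yet trusted
    store.mark_trusted("alice", "laptop-1", t0)                 # user answered the "remember" prompt
    again = LoginEvent("alice", "laptop-1", 40.7128, -74.0060, t0 + timedelta(hours=1))
    d2 = decide(again, first, 0, RiskInfo(), store)            # no MFA: trusted, nothing risky
    london = LoginEvent("alice", "laptop-1", 51.5074, -0.1278, t0 + timedelta(hours=2))
    d3 = decide(london, again, 0, RiskInfo(), store)           # MFA: impossible traveler
    d4 = decide(again, first, 85, RiskInfo(), store)           # MFA: bad IP reputation despite trust
    return [d1, d2, d3, d4]


if __name__ == "__main__":
    for d in run_demo():
        print(d)
```

Two design choices in the example carry over to the flow editor. First, the risk conditions are evaluated before the trusted-device shortcut, so a remembered device only skips MFA when nothing else about the login is suspicious. Second, device trust is recorded per user and per device with an expiry, and revoke_all exists so that a password reset or account recovery clears any trust that was established under the old credentials.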

Other Risk Calculations

For further adaptive MFA configurations, you can add more risk-based conditions to your flow. Examples include a condition on riskInfo.botDetected or on the Descope-calculated riskInfo.riskScore.

Other Risk Connectors

Descope offers more risk analysis connectors, such as Forter, Telesign, reCAPTCHA v3, and reCAPTCHA Enterprise, whose results can also feed the decision of whether to trigger MFA. The pattern is the same as the IP Reputation implementation with AbuseIPDB above: add the connector action to the flow, then branch on its result with a condition. You can find documentation for these risk analysis connectors within our connectors documentation.
