MFA Was Never Enough

2017 saw the launch of our bottom up redesign of the authentication capability within Access Management. Our previous functionality focused on linear authentication chains.  While this provided considerable power and maturity, we knew many customers wanted more. We started analysing the market, working with key customers and analysts back at the start of 2016.  We went through a root and branch approach and released our intelligent authentication trees feature later in 2017. The premise was simple: MFA was not enough, and we saw a common pattern where customers wanted 8, 10 or 15 different “factors” or signals in their user login journeys. Adaptability and agility were now as important as security.

Security + User Experience = Intelligent Authentication

Intelligent Authentication provides a rich digital canvas, where login workflows can be created and managed intuitively.  A collection of authentication components forms a “tree” with lots of different permutations and “branches,” that dynamically respond to the user and context being processed.

But not all signals or “nodes” are purely related to security. The end user consuming a service or application is a critical stakeholder in how it should be designed and operated. Signup and signin features need to be unnoticeable. To quote Coco Chanel “Dress shabbily and they remember the dress; dress impeccably and they remember the woman.”  Deliver a poor end user login process and you immediately create a barrier to the service or application you are trying to build trust with.

5 Steps to be “Authenti-great”

But what were the problems we were trying to solve?  Every ForgeRock customer uses authentication. Every (Ok, nearly every) web service out there requires authentication of some sort - even anonymous authentication, is not really anonymous.  So what is intelligent authentication fixing?

  • Improved end user choice - as an end user I want much more control over how I am identified - which device I use, which MFA option I want to use and when and so on.  Can that be done dynamically and responsively?

  • Improved device analysis - as a both an end user and security administrator I want to provide flexible login journeys that vary based on the device being used - a mobile login experience should vary to a laptop.  An Android experience may vary compared to iOS with FaceId for example

  • Improved threat detection - both end users and service owners want trust - trust is built on security and a key component is being able to integrate malware and botnet detection systems.  Can this be done as a business as usual configuration exercise? Can actors be identified as human or machine? As trusted or untrusted humans?

  • Improved insight - as login is such a critical component of an app or service, how can user and device insight be used to increase personalisation or create adaptive experiences?  Can you articulate for example how many users in EMEA login via Android or Chrome v66? Or, do abandoned shopping carts correlate to the login process taking more than 2 seconds?

  • Improve agility - whatever biometric or MFA is chosen today, tomorrow something new will come along.  How can CISO’s plan and allow business as usual changes to the authentication landscape?  Tight coupling and binding of authentication modalities is expensive and increases vendor dependencies and rigidity.

A new array of use cases, stakeholders and decision makers are now involved in the login design process.



What Next?

Start to understand not only your authentication requirements today, but roadmap future requirements - not only for both your end user community but your applications too.

The Intelligent Authentication video series will help you to understand how intelligent authentication can accelerate end user integration, improve security posture and allow for a future proofed digital canvas, application and service owners can build upon. Check out our first video below and click here to learn more about Intelligent Authentication.


KuppingerCole Leadership Compass - Adaptive Auth