Tuesday, November 20, 2018

Conditional Authentication! What and Why

When you read the term “Conditional Authentication”, the first thing that comes to your mind is probably: what is “Conditional Authentication”?

Conditional authentication is a type of multi-factor authentication that can change or “adapt” the authentication flow or steps according to the user’s risk profile or the situation.

Still confusing? Let’s take a few examples.
  1. There is a banking application. Viewing the balance of your bank account is relatively low risk, right? So it's enough to authenticate with just a username and password. But if you want to make a transaction, that is relatively high risk. So you have to authenticate with your username and password and then maybe with an SMS One-Time Password (OTP).
  2. There is a user management system in your company. All users can log in to the system, manage their profile and change their password. But if you are an admin user in the system, you can add users, delete users, reset other users' passwords and do all the risky tasks in the system. While all users can log in to the system with just a username and password, if you are an admin user, you also have to enter your Time-based One-Time Password (TOTP).
  3. There is a financial management application in your company. You are a financial officer in the company, and while working in the office you always have to log in to the application. If you are working from the office, it is sufficient to enter only your username and password to log in. But if you are trying to log in to the application from outside the office network, you have to enter a One-Time Password sent to you over email.
We can demonstrate a simple scenario with the flow chart below.


Now you may ask: why do we need conditional authentication? We could just have the additional authentication steps statically configured for all users and all operations. Well, it's mostly about user experience. Let’s take the above examples again.
  1. When checking the account balance in a banking application, if you always had to enter an SMS OTP, you would get frustrated over time, right?
  2. When you need to update your profile picture, if you had to enter a TOTP, you would be frustrated, right?
  3. If you work in the office and always need to authenticate with two steps, you would get frustrated over time, right?
So we can summarize the idea of conditional authentication like this:
Conditional authentication is a type of multi-factor authentication that can change or “adapt” the authentication flow or steps according to the user’s risk profile or the situation, without compromising user experience.
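To make the three scenarios concrete, here is an added example (not code from this post or from any particular product) of a small server-side policy that decides which factors a request needs. The office network ranges, the high-risk operation names and the role name `admin` are constructed assumptions; the point is that the decision is computed from facts the server knows, and that an unparsable source address fails closed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed policy data (assumptions for this example, not from the post).
OFFICE_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("192.168.1.0/24")]
HIGH_RISK_OPERATIONS = frozenset(
    {"transfer_funds", "add_user", "delete_user", "reset_other_password"}
)


@dataclass(frozen=True)
class AuthContext:
    """Facts the server knows about the request before it decides the flow."""
    username: str
    roles: frozenset
    operation: str
    source_ip: str


def from_office_network(source_ip: str) -> bool:
    """Fail closed: an unparsable address is treated as outside the office."""
    try:
        addr = ip_address(source_ip)
    except ValueError:
        return False
    return any(addr in net for net in OFFICE_NETWORKS)


def required_factors(ctx: AuthContext) -> list:
    """Ordered factors the user must complete for this request.

    Password is always required; each condition from the post adds a step:
      high-risk operation        -> SMS OTP   (banking example)
      admin role                 -> TOTP      (user-management example)
      outside the office network -> email OTP (financial-officer example)
    """
    factors = ["password"]
    if ctx.operation in HIGH_RISK_OPERATIONS:
        factors.append("sms_otp")
    if "admin" in ctx.roles:
        factors.append("totp")
    if not from_office_network(ctx.source_ip):
        factors.append("email_otp")
    return factors


def is_authenticated(ctx: AuthContext, completed: set) -> bool:
    """Grant only when every required factor has been verified server-side.
    Extra factors the client completed never substitute for a missing one."""
    return set(required_factors(ctx)) <= set(completed)
```

Because `required_factors` is recomputed from the server-side context on every check, a client cannot downgrade its own flow by claiming a lower-risk operation or an office address it does not have.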
