NIST 800-53 REV 5 • IDENTIFICATION AND AUTHENTICATION
IA-10 — Adaptive Authentication
Require individuals accessing the system to employ {{ insert: param, ia-10_odp.01 }} under specific {{ insert: param, ia-10_odp.02 }}.
Supplemental Guidance
Adversaries may compromise individual authentication mechanisms employed by organizations and subsequently attempt to impersonate legitimate users. To address this threat, organizations may employ specific techniques or mechanisms and establish protocols to assess suspicious behavior. Suspicious behavior may include accessing information that individuals do not typically access as part of their duties, roles, or responsibilities; accessing greater quantities of information than individuals would routinely access; or attempting to access information from suspicious network addresses. When pre-established conditions or triggers occur, organizations can require individuals to provide additional authentication information. Another potential use for adaptive authentication is to increase the strength of mechanism based on the number or types of records being accessed. Adaptive authentication does not replace and is not used to avoid the use of multi-factor authentication mechanisms but can augment implementations of multi-factor authentication.
Practitioner Notes
Adaptive authentication means your system adjusts its authentication requirements based on risk — requiring stronger proof of identity in riskier situations.
Example 1: Configure Azure AD Conditional Access with risk-based policies: low-risk sign-ins require MFA, medium-risk sign-ins require password change plus MFA, and high-risk sign-ins are blocked until an admin reviews.
Example 2: Use Azure AD Identity Protection to automatically detect risky sign-ins (impossible travel, anonymous IP, leaked credentials) and step up authentication requirements.