
Building risk-based authentication: From MFA roll-out to assurance

Rolling out Multi-Factor Authentication (MFA) can feel like the end of the job. You’ve put it in place, users are enrolled, and you can tell the organization that identity security has improved.

But the rollout is only an enabler. It’s not the finish line.

If your MFA solution is built on static rules, you’re frustrating users and making life easier for attackers. That’s why modern identity security must be based on risk-based authentication that recognizes when something looks unusual and responds accordingly.

We’ll show you how.

The essentials of modern multi-factor authentication

In today’s risk environment, multi-factor authentication depends on three essentials:

• Context – recognizing when and where risk changes.
• Credentials – using phishing-resistant, device-bound methods like FIDO2.
• Adoption – ensuring people use what you deploy.

When these elements work together, multi-factor authentication moves from being a control to being a source of assurance in every login.
 
Let’s look at what that means in practice.  

Context: Moving from static rules to dynamic risk

Context determines how effective multi-factor authentication really is. Traditional MFA relies on static rules - the same checks for every login. In contrast, risk-based authentication policies adapt to each situation, making authentication both stronger and less intrusive for legitimate users.
 
To see how this works in practice, start by looking at the signals behind every login attempt.

Use risk signals instead of adding more steps

Strong identity security isn’t about how many steps a user takes to log in. The goal is to use context in your authentication setup: 
 
- Device health and trust 
- Geolocation and time-of-day patterns 
- Anomalous behavior or access attempts 
- Role or privilege level of the user 
 
That way, you keep friction low when risk is low - and enforce stricter controls when signals indicate higher risk. 

For example: Your payroll admin logs in from a trusted laptop during office hours - keep it low friction.

The same account appears from an unmanaged device at 2 a.m. from another country - step up controls or block.

That’s the difference between static rules and risk-based authentication.

Tailor MFA to user roles and risk

Beyond reacting to risk, context should also shape how authentication works across roles and privilege levels.

Rigid, one-size-fits-all MFA policies often backfire. They create friction, exceptions, and shadow IT workarounds. A modern MFA strategy balances security and usability by tailoring methods to the individual user:

• Privileged accounts → always hardware-based, phishing-resistant (FIDO2, YubiKeys, Windows Hello for Business).
• General users → authenticator apps with contextual enforcement.
• All users → policies that adapt dynamically, not statically.

When authentication methods match each user’s level of privilege and risk, security improves and user friction drops, reducing the temptation for workarounds.
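As an added example (not code from the original post), here is a small policy engine in Go that scores the login signals listed under "Use risk signals" and applies the role-tailored rules from this section; the Login fields, weights and thresholds are assumptions chosen so that the payroll-admin scenario above produces the expected decisions.

```go
package main

// Login is a constructed model of the signals listed above; the field names are assumptions.
type Login struct {
	Role          string // "privileged" or "general"
	Method        string // "fido2" or "app" (authenticator app)
	ManagedDevice bool   // device health and trust
	Country       string // geolocation of this login
	HomeCountry   string // where the user normally works
	Hour          int    // 0-23, local time of the login attempt
	FailedLogins  int    // recent failures on the account (anomaly signal)
}
type Decision string
const (
	Allow  Decision = "allow"   // keep friction low
	StepUp Decision = "step-up" // demand a stronger, phishing-resistant factor
	Block  Decision = "block"
)

// RiskScore adds up the contextual signals; the weights are illustrative, not a standard.
func RiskScore(l Login) (score int) {
	if !l.ManagedDevice {
		score += 3
	}
	if l.Country != l.HomeCountry {
		score += 3
	}
	if l.Hour < 6 || l.Hour > 20 {
		score++
	}
	if l.FailedLogins >= 3 {
		score += 2
	}
	return score
}
// Evaluate applies a role-tailored policy: privileged roles must always present
// FIDO2, every role escalates with risk, and the highest risk is blocked outright.
func Evaluate(l Login) Decision {
	if l.Role == "privileged" && l.Method != "fido2" {
		return StepUp
	}
	switch s := RiskScore(l); {
	case s >= 6:
		return Block
	case s >= 3:
		return StepUp
	}
	return Allow
}
```

The office-hours login on a managed laptop scores 0 and is allowed; the same account from an unmanaged device in another country at 2 a.m. scores 7 and is blocked.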

Credentials: Strengthen authentication where it matters most

Traditional multi-factor authentication - passwords, one-time codes or authenticator apps - still relies on shared secrets. Attackers don’t have to break these secrets to bypass them; tricking the user into entering them on a fake page is enough.
 
FIDO2 changes the game by introducing device-bound credentials based on asymmetric cryptography. No more shared information that both the user and the system know.
 
FIDO2 authentication is:

• Phishing-resistant
• Impossible to guess
• Bound to a specific device and user
• Verified locally
 
That’s why government entities like CISA now recommend FIDO2 for high-value accounts. Guidance from NIST and the FIDO Alliance underlines this shift toward phishing-resistant and device-bound authentication.

Authenticator apps remain relevant, but they should not be the default for admins or privileged access.
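To show what makes the device-bound credential phishing-resistant, here is an added, simplified model in Go (not the post's code and not a WebAuthn implementation; real assertions also sign authenticatorData carrying the RP ID hash): the browser, not the user, writes the origin into the signed client data, so a signature captured on a look-alike site never verifies at the real relying party. The type and function names are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
)

// ClientData is a simplified stand-in for WebAuthn clientDataJSON: the browser,
// not the user, fills in the origin it is actually connected to.
type ClientData struct {
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}
// Authenticator holds a device-bound private key that never leaves the device.
type Authenticator struct{ key *ecdsa.PrivateKey }
func NewAuthenticator() (*Authenticator, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Authenticator{key: key}, nil
}
func (a *Authenticator) PublicKey() *ecdsa.PublicKey { return &a.key.PublicKey }

// Assert signs the client data for the origin the browser reports; a user on a
// phishing page gets a signature over the phishing origin, not the real one.
func (a *Authenticator) Assert(challenge, origin string) (clientData, sig []byte, err error) {
	clientData, _ = json.Marshal(ClientData{Challenge: challenge, Origin: origin}) // cannot fail for this struct
	h := sha256.Sum256(clientData)
	sig, err = ecdsa.SignASN1(rand.Reader, a.key, h[:])
	return clientData, sig, err
}

// Verify is the relying party's check: the origin and challenge must match what
// it issued AND the signature must verify under the key registered for the user.
func Verify(pub *ecdsa.PublicKey, wantOrigin, wantChallenge string, clientData, sig []byte) bool {
	var cd ClientData
	if err := json.Unmarshal(clientData, &cd); err != nil {
		return false
	}
	if cd.Origin != wantOrigin || cd.Challenge != wantChallenge {
		return false // relayed from another origin, or a replayed challenge
	}
	h := sha256.Sum256(clientData)
	return ecdsa.VerifyASN1(pub, h[:], sig)
}
```

Nothing shared leaves the device: the relying party stores only the public key, so a stolen assertion is useless for any other origin or challenge.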


Adoption: Making people use multi-factor authentication

Even the best technology fails if people don’t use it or work around it. Adoption is where many MFA projects succeed or stall.
 
We’ve seen large organizations succeed not just through technology, but through change management.

Key enablers include:

• Global direction with local anchoring: central governance combined with local champions and super-users.
• Pilots before rollout: testing integrations and user experience in controlled environments.
• Operational readiness: establishing and training a support organization to handle the transition.
• Communication and training: clear guides, proactive outreach, and VIP handholding.
• Resilience planning: fallback options to avoid disruptions.
 
Driving adoption for your MFA program means designing for real behavior and meeting people where they are rather than expecting them to change overnight.


Maturity roadmap: from MFA roll-out to risk-based assurance

Context, credentials and adoption are most effective when developed together as parts of one coherent strategy.

The list below brings those threads together. It’s not a to-do list, but a practical overview of what mature identity security looks like in action — from the first rollout to adaptive, risk-based authentication at scale.

Use the list as a quick reference for sequencing your MFA journey:

1. Deploy MFA globally 
2. Segment users by risk profile 
3. Mandate FIDO2 for privileged roles 
4. Move toward password-less wherever possible 
5. Harden policies with Conditional Access, ZTNA (Zero Trust Network Access), device trust and contextual signals 
 
Not all MFA is equal. Legacy MFA creates friction; modern MFA builds assurance.  

Three questions to test your MFA maturity

To check your own maturity within multi-factor authentication, ask yourself:
 
• Can we verify identity without relying on passwords or shared secrets? 
• Do our policies adapt dynamically to risk, role and device posture? 
• Have we built adoption through training, communication and support - not just rollout? 
 
If you can’t answer “yes” to all three, you still have work to do. 
 
Ultimately, modern MFA isn’t defined by how many factors you have in place - but by how intelligently they work together.
 

Philip McFall
Engagement Manager