Authr
← The Journal
Product·Apr 15, 2025·5 min

Adaptive MFA: risk signals without the false positives

SC
Sarah Chen
Head of Product

A security lead at Bluepeak told me the exact moment she lost faith in her previous MFA vendor. Their claims platform challenged an adjuster for a second factor eleven times in one day, every one triggered by the same office IP range that thousands of colleagues used without incident. By day three, adjusters were approving prompts without reading them. The control designed to stop attackers had trained 4,000 employees to click yes.

That story is the whole thesis of Adaptive MFA in one anecdote: a false positive is not an inconvenience, it is a security vulnerability with a delay timer. Today we are shipping the largest upgrade to our risk engine since launch, and the headline is not a new signal. It is precision.

What actually changed

  • Per-organization baselines: risk is scored against how your workforce actually behaves, not a global average. A hospital's night shift is not anomalous at a hospital.
  • Signal corroboration: no single weak signal triggers a challenge anymore. Impossible travel plus a new device asks for step-up; impossible travel alone, on a corporate VPN egress we have seen 10,000 times, does not.
  • Explained decisions: every challenge writes a human-readable reason into Audit Fabric, so your SOC can audit the engine instead of trusting it.
  • Passkey-first step-up: when we do challenge, the default is a passkey ceremony, not a push notification that can be fatigued.

The numbers from early access

Twelve customers ran the new engine in shadow mode alongside the old one for a full quarter, including Bluepeak and Northcell. Across roughly 40 million logins, challenge volume dropped 73 percent while detection of red-team credential replay improved from 88 to 96 percent. Northcell, with 112,000 directory users, went from 9,100 step-up challenges a day to just over 2,300, and their helpdesk tickets tagged MFA fell by more than half within six weeks.

The best part is what did not happen. Our red team ran the same playbook against the new engine and got caught earlier, with a third as many prompts hitting real employees.
Head of Identity Security, Northcell

Challenge people less, attackers more

There is a lazy equilibrium in enterprise MFA where vendors treat prompt volume as evidence of vigilance. We think the opposite. Every unnecessary challenge spends a finite resource, your employees' attention, and attackers are the ones who cash in the overdraft. The new engine is rolling out to all Adaptive MFA customers over the next eight weeks, on by default in shadow mode first so your team can compare decisions before enforcement flips. If you want to see your own numbers instead of ours, that is exactly what a demo is for.

SC
Sarah Chen
Head of Product, Authr

Writing from inside the identity layer since 2025. For the conversation this post starts, bring it to your next architecture review — or to ours.

More Product

Your security review will ask about identity. Have the good answer.

Talk to an identity architect about your stack, your compliance surface, and your migration path. Technical from the first call.

Enterprise only · No self-serve tier · Typical procurement to production: 6 weeks