Discover the best risk-based adaptive authentication solutions with single sign-on (SSO) capabilities. See features such as conditional access methods, and offline multi-factor authentication (MFA).
Adaptive authentication features
Feature descriptions:
- Conditional access dynamically enforces authentication policies based on user context (e.g., device type, IP address, geolocation, or access time). This feature ensures adaptive risk-based security, where users are granted or denied access depending on their risk profile at the login time.
- Offline MFA (multi-factor authentication) in risk-based authentication software enhances security by enabling offline logons while dynamically adjusting authentication requirements based on user behavior and context.
Administrative features
*If OneLogin is configured to execute single sign-on (SSO) for Azure AD you can still use conditional access for Microsoft 365/Azure authentication.
Feature descriptions:
- Multi-tenancy architecture enables organizations to manage multiple tenants (departments, or client accounts) within a single software instance. It is particularly valuable for enterprises or managed service providers (MSPs) who maintain distinct policies.
- A real-time password synchronizer ensures that password changes are immediately reflected across connected systems and applications. Thus, users only need to remember one updated password across platforms (e.g., LDAP, AD, or cloud directories).
Software category & average rating
All software support basic identity access management (IAM) features such as single sign-on (SSO), identity verification,n and self-service password reset/change, and account unlocking.
How to select the right RBA software?
RBA solutions focused on IAM functions serve different use cases compared to those prioritizing fraud prevention. Buyers should evaluate each software based on their specific security needs, for example:
- Identity access management (IAM) use case:
- If you are a mid-size or large-scale organization with detailed conditional access policies based on the user’s device and location, the IP address you should look into solutions like ManageEngine ADSelfService Plus.
- Cisco Duo can be a more suitable solution if you are looking for an SSO platform with strong automation capabilities or if you need to create custom APIs for your application stack.
- Moreover, if your environment contains separated cloud environments, you should choose IBM Verify for large-scale cloud access management.
- Fraud detection use case: If fraud prevention is your priority, especially for payment systems or e-commerce, you should consider selecting Sift or Kount. Note that, these software lack identity and access management (IAM) features such as passkeys support (FIDO2 / WebAuthN), OAuth/OpenID, and LDAP support that organizations with broader security needs might require.
Disclaimer: Review insights (below) come from our experience with these solutions as well as other users’ experiences shared in Reddit, Gartner, and G2, and Gartner.
Top 10 RBA software reviewed
Risk-based Authentication (RBA) software dynamically assesses each login attempt and adjusts authorization criteria based on user behavior, geographic location, device type, IP address, and access time. This minimizes the probability of unauthorized access and fraud. Based on software focus areas, features, and user experiences shared in review platforms, here are the top 10 RBA solutions:
ManageEngine ADSelfService Plus
ManageEngine ADSelfService Plus is a self-service password management and single sign-on (SSO) solution with risk-based multi-factor authentication (MFA) capabilities.
Its adaptive authentication flow and MFA capabilities, also known as risk-based MFA, provide users with authentication factors that change each time they log in. These factors include:
- The number of consecutive logon failures.
- The user who has requested access’s physical location (geolocation).
- The type of device.
- The day of the week and time of day.
- IP address.
For example, if a user attempts to log in to their work laptop during unusual hours, ADSelfService Plus can detect the anomaly through conditional access policies and increase the authentication requirements. The user can be prompted to verify their identity through additional multi-factor authentication (MFA).
Pricing: ADSelfService Plus is available in three editions: the free plan (for 50 users), the standard plan, and the professional plan. The Starter plan (for 100 users) costs between $245 and $5,920 and includes features such as web-based self-service password reset and a password expiry notifier.
For more details check MFA pricing and, top 10 open-source MFA tools.
Why we like it:
- Extensive multi-factor authentication (MFA) options:
- ADSelfService Plus supports several MFA methods, including Microsoft Authenticator and YubiKey, for securing desktops, servers, remote desktop protocol (RDP) sessions, and enterprise applications.
- Offers online MFA (verifies via server communication) and offline MFA (uses stored authenticator data for local logins).
- Security against cyberattacks: ADSelfService Plus provides built-in protection against brute-force attacks using CAPTCHA and account lockout after failed authentication attempts.
What needs improvement:
- SMS verification vulnerabilities: The verification techniques offered by ADSelfService Plus have some vulnerabilities. For example, SMS-based verification is vulnerable to SIM swap attacks, where an attacker fraudulently gains control of a user’s mobile number. Once successful, the attacker can receive SMS-based OTPs.
- Feature gaps in scalability: While the ADSelfService Plus performs well for smaller environments, some features, such as custom SAML configurations require heavy customization in large-scale implementations.
Cisco Duo
When Duo detects a high-risk authentication attempt from a user for an application, it restricts the available authentication methods to those that best mitigate the risk. The user will only be able to authenticate by choosing one of these secure methods to validate their identity.
Authentication factors accepted in higher-risk authentications:
- Verified Duo Push – A six-digit code that the user needs to enter from the authentication prompt on their mobile device.
- Platform authenticators – WebAuthn FIDO2 security keys that require biometric or PIN verification, or biometric sensors such as Touch ID.
- Bypass codes – provided to users by a Duo administrator.
- YubiKey passcodes
These authentication methods such as Duo Push without a verification code, Duo Mobile passcodes, SMS passcodes, and phone callbacks will be restricted for use in a higher-risk scenario.
Why we like it:
- Risk detection: Cisco Duo uses a combination of IP history, Wi-Fi fingerprints, and contextual data to detect risks, this minimizes unnecessary MFA prompts.
- Admin tools: Features like risk preview mode, and risk-based policy assessments provide security teams with granular control and actionable data.
What needs improvement:
- Limited support for non-browser apps: Risk-based remembered devices work only with browser-based integrations. Cisco could provide broader coverage for non-browser apps.
- Dependency on Duo Desktop for Wi-Fi fingerprints: While Wi-Fi fingerprinting is helpful, it requires Duo Desktop installation on Windows and macOS devices, which adds deployment overhead.
OneLogin
One Login is an SSO and identity product. It supports cross-domain identity management (SCIM) for application provisioning. With robust integration capabilities with Active Directory, it is an ideal choice if AD serves as your primary source of truth for managing user identities and access.
Why we like it:
- Form-based authentication with HTML: Unlike many competitors, OneLogin supports form-based authentication. This allows the developers to use an HTML form to obtain credentials from users who are attempting to access secured web pages.
- Strong conditional access policies: OneLogin allows organizations to define granular access controls based on factors such as user role, location, device, and time of access.
What needs improvement:
- Outage issues: There have been DNS-related outages while using OneLogin.
- Limited on-prem MFA support: While OneLogin has extensive support for cloud environments, its capabilities for managing MFA on privileged local domain accounts are limited.
Thales SafeNet Trusted Access
SafeNet Trusted Access is an access management and authentication service. The software offers versatile interface options. SafeNet Trusted Access provides three distinct interfaces: the Platform Admin, the User Manager, and the Self-Service Portal.
- The Platform Admin interface – offers controls, such as IP filtering and policy management, giving administrators granular control over security settings.
- The User Manager interface – is designed for creating and managing users and tokens.
- The Self-Service Portal – enables users to handle basic tasks on their own, such as resetting their PINs.
Why we like it:
- Behavioral biometrics: Unlike some of its competitors, Thales leverages threat detection techniques, including behavioral biometrics, ensuring strong protection against fraudulent behavior.
- User-based licensing model: Thales allows a single-user license to support multiple tokens. This means users can utilize physical tokens, mobile apps, or other methods without requiring separate licenses for each.
What needs improvement:
- Outdated documentation: Some integration guides and field names are not up-to-date.
- Integrations: Integration with Microsoft Authenticator as a token could be added.
Sift
Sift stands out from traditional identity and access management (IAM) tools by focusing on fraud prevention rather than user authentication and access control. Its key features include workflow automation, and decision-making models for blocking and declining/accepting transactions, across payment platforms.
Sift is widely used by e-commerce platforms, marketplaces, and payment service providers needing to detect anomalies across large volumes of transactions.
Why we like it:
- Effective fraud detection: Sift is a strong tool for identifying fraudulent transactions, accounts, and patterns. It scores (low, medium, high risk) associated with accounts, device IDs, IP addresses, payment methods, etc.
- Ease of use and Integration: Sift provides an intuitive interface for non-experts in fraud detection. Also, it supports seamless integration with other tools and CRMs.
What needs improvement:
- False positives: Sift flags instances inaccurately. For example, instances, where accounts flagged as “low risk” by Sift, appeared suspicious upon manual review.
- Risk-score transparency: The scoring logic is unclear, with occasional mismatches between the score and actual risk levels.
Kount
Kount is a financial fraud detection solution that enables businesses to reduce chargebacks, prevent account takeovers, and detect anomalies. It allows staff members to detect, segment, brute force, account testing, ad fraud, and other potentially malicious bots.
Kount allows IT teams to approve interactions, configure step-up authentication, and adjust risk policies. The command center enables staff to conduct investigations, track performance, manage cases, and set risk thresholds.
With Kount users can view customer information such as locations, billing addresses, payment methods, and loyalty numbers. Supervisors can also create custom reports to gain insight into decline rates, IP locations, and order details.
Why we like it:
- Reporting: Detailed reporting and dashboards are easy to generate and share with stakeholders. The system provides detailed regulatory reporting, including anti-money laundering (AML) and know-your-customer (KYC).
- Enhanced customer insights: Offers detailed customer data, including locations, billing addresses, payment methods, and loyalty numbers, for more accurate risk assessment.
What needs improvement:
- Risk-based scoring: The scoring system and terminology are inconsistent or confusing. Results can contain contradictory details (e.g., mismatches between personal ratings and safety scores).
- Performance: Occasional delays in loading data, particularly with Data Mart.
- Ease-of-use: Transitioning to Data on Demand may require additional BI expertise, which could be challenging for smaller businesses.
WSO2 Identity Server
WSO2 Identity Server is a customer identity and access management (CIAM) platform. It offers capabilities that can be easily integrated into your company’s customer experience (CX) or identity and access management (IAM) applications. WSO2 Identity Server is best for organizations that require an open, API-driven architecture and developer tools.
Why we like it:
- Developer-friendly IAM solution: Offers a wide range of developer tools, SDKs, and detailed documentation, making it ideal for teams building custom IAM implementations.
- Open source: WSO2 Identity Server is a free, open-source solution. It also offers enterprise-level features with licensing costs.
- Extensive protocol support: The solution supports SSO, SAML, OAuth, OpenID Connect, adaptive authentication, and multi-factor authentication.
What needs improvement:
- Integration issues: WSO2 Identity Server’s heavy reliance on SOAP APIs creates integration challenges. This dependency limits users’ ability to leverage certain functionalities that are more accessible and flexible with REST APIs.
IBM Verify
IBM Verify is the ideal solution for organizations transitioning to cloud IAM and requiring enterprise-level deployments. It is highly suitable for standard enterprise use cases with strong out-of-the-box integrations, particularly for user management and provisioning.
The solution offers multi-factor authentication (MFA) through push notifications, QR codes, and mobile app authentication. It also includes consent management templates to help users comply with data privacy regulations such as GDPR.
Why we like it:
- Extensive cloud coverage: IBM Verify unifies identity management for SaaS platforms like Salesforce, Office 365, and Slack, and integrates seamlessly with popular cloud platforms such as AWS, Azure, and Google Cloud. By implementing IBM Verify, enterprises can enable single sign-on (SSO) and risk-based MFA across cloud and on-premises applications at scale.
- Ease of integration: Seamless integrates with HR tools and applications using custom SAML and OAuth. This helps to streamline the authentication process of new users.
What needs improvement:
- Resource-intensive: Setup and customization require significant time and effort for larger organizations.
- MFA coverage: The solution could include additional MFA methods, such as SMS verification.
Ping Identity PingOne Risk Management
Ping Identity PingOne Risk Management is an IAM solution that provides single sign-on (SSO), and multi-factor authentication (MFA). Ping offers strong support for legacy systems. It is ideal for enterprise-level deployments. Smaller businesses might find the platform over-engineered for their needs.
Why we like it:
- Customization: Ping offers greater customization for enterprises with complex IAM needs compared to solutions with out-of-the-box integrations.
- Zero trust support: Ping Identity has strong support for zero trust security models, particularly when dealing with sensitive or regulated data. As part of a Zero Trust approach, Ping Identity effectively integrates with device management tools to perform checks on device health (e.g., whether the device has up-to-date security patches or encryption) before allowing access.
What needs improvement:
- Requires skilled implementation: Ping has deep customization options, thus companies may require specialized resources or consultants to implement the solution.
- Lack of out-of-the-box integrations: Ping requires custom work to integrate with non-standard applications.
Okta
Okta, best known for its cloud-native IAM solutions, prioritizes rapid and efficient cloud deployment. It is a popular choice among tech companies and startups due to its cloud-native approach and extensive integrations.
Its adaptive multi-factor authentication (MFA) enables a more dynamic, context-based method, considering user behavior, device status, and location compared to traditional MFA solutions.
In addition to its competitors, Okta offers threat detection capabilities through its ‘ThreatInsight’ feature. This feature aggregates data on sign-in activity across Okta’s customer base, allowing it to analyze and identify potentially malicious IP addresses. By leveraging this collective data, Okta can proactively prevent common credential-based attacks, such as:
- password spraying
- credential stuffing
- brute-force cryptographic attacks
Why we like it:
- Threat detection for enhanced security: Automatically denies access to sign-in requests that come from potentially malicious IP addresses.
- Extensive integrations: Okta stands out with over 6,500 pre-built integrations across cloud, on-premises, and mobile applications—far surpassing its competitors, who typically offer more basic integrations such as Active Directory, LDAP, and a limited range of SAML and OAuth providers.
What needs improvement:
- Configurations: Overly restrictive configurations.
- Performance: Slow load times, leading to delays.
- Password controls: Password management policies that are not user-friendly, with frequent mandatory resets and restrictions on reusing previous passwords.
What is risk-based authentication (RBA) software?
To be eligible for inclusion in the risk-based authentication category, a software needs to:
- Evaluate a user’s unique network, device, and behavior to identify risk.
- Implement prompt authentication mechanisms following evaluation, including SMS, questioning, and email confirmation.
- Regularly store and update suspicious networks, devices, and behaviors.
Note that risk-based authentication software frequently features multi-factor authentication. RBA software also commonly integrates with cloud identity and access management systems; however, it generally only offers authentication, not application access or governance.
How does risk-based authentication (RBA) work?
Risk-based authentication (RBA) enhances security by analyzing the context of each login attempt to assess potential risks. It evaluates factors such as location, device type, IP address, login time, and behavioral patterns to determine whether an authentication request is legitimate.
- If the system detects a low-risk login attempt—such as a user signing in from their usual device and location—access is granted without requiring additional authentication.
- If the attempt appears suspicious or high-risk—such as logging in from an unfamiliar device or an unusual location—step-up authentication is triggered. This requires the user to verify their identity through an additional security layer before access is approved.
For instance, a user logging in with a username and password may be prompted to enter a one-time passcode (OTP) from their authenticator app. To access the OTP, they must first unlock their smartphone using a PIN or fingerprint scan, adding another layer of security.