In our previous blog, we explored how you can use passkeys for step-up authentication, providing biometric verification for high-value transactions. Today, we're taking that concept further by diving into adaptive MFA, where security decisions are made intelligently based on real-time risk assessment rather than fixed rules.
Imagine you're using your banking app at home, transferring $500 to pay rent. The transaction goes through seamlessly. Later, you're on vacation connecting through a public WiFi to send $100 to a friend, and suddenly you're prompted for additional verification. That's adaptive MFA in action.
Unlike traditional step-up authentication that only looks at transaction amounts, adaptive MFA considers multiple risk factors: Are you connecting from an anonymous IP? Are you in an unusual location? Is this transaction pattern normal for you? A $10,000 transfer from your home IP might be perfectly safe, while a $50 transfer from an anonymous VPN could signal account compromise.
What we're building
We’ll build a smart money transfer app that adapts its security based on real-time risk assessment. Here's how our adaptive MFA in the app works:
Anonymous/risky IPs: Always require passkey verification for connections from VPNs, Tor, or suspicious IP rangesTrusted IPs + high value: Require verification for transactions over $2,000 from known good IPsTrusted IPs + low value: Allow transactions to proceed seamlessly
This way, your regular IP addresses will become trusted over time, while suspicious network activity gets flagged immediately.
Architecture overview
The system has four key components:
IP Risk Assessment: Authsignal automatically identifies anonymous IPs, VPNs, Tor networks, and suspicious IP ranges.
Risk Assessment: Every transaction is evaluated against configurable rules that consider IP reputation, transaction amount, and other risk factors.
Adaptive Challenge: When risk is detected, users get a passkey prompt. Low-risk transactions flow through without friction.
Continuous Learning: The system learns IP patterns over time, reducing false positives while maintaining security.
Set up rules in Authsignal
Before we dive into the code, we need to configure our adaptive MFA rules in the Authsignal Portal.
Create the action: Navigate to the Actions section in your Authsignal dashboard and create a new action called adaptive-mfa-transfer.
Create and configure rules: Head to the Rules tab and set up your risk-based conditions. Set the outcome to "Challenge" and add these conditions. Don’t forget to set the rule outcome to ‘Challenge’.
IP is anonymous = True→ ChallengetransactionValue > 2000→ Challenge

This means users will be prompted for verification when connecting from anonymous IPs or when making high-value transfers from trusted networks.
Implementation
Now, let's build the app:
Install packages:
Grab your Authsignal credentials:
Passkey enrollment
Before adaptive MFA can work, users need passkeys enrolled.
Backend enrollment endpoint:
Frontend enrollment flow:
Adaptive MFA Implementation
Transaction verification:
Challenge the user
Different adaptive MFA scenarios
Scenario 1: Anonymous IP, any amount ($100)
- User connects via VPN and enters transfer details
- Authsignal detects anonymous/VPN IP address
IP is anonymous = Truerule triggers- User prompted for passkey verification
- After successful verification, transaction proceeds
Scenario 2: Trusted IP, high amount ($3,000)
- User enters large transfer from home IP
- Authsignal recognizes trusted IP but sees high amount
transactionValue > 2000rule triggers- User prompted for passkey verification
- Transfer proceeds after verification
Scenario 3: Trusted IP, normal amount ($500)
- User enters regular transfer from home/office IP
- Authsignal recognizes trusted IP and sees normal amount
- No rules trigger
- Transfer proceeds immediately
Scenario 4: Tor network, any amount
- User connects through Tor browser
- Authsignal detects Tor exit node IP
IP is anonymous = Truerule triggers- Verification required regardless of amount
Extensions and customization
You can enhance adaptive MFA with additional risk signals:
Geographic risk: New countries or impossible travel detection
Network analysis: VPN detection and IP reputation scoring
Velocity checks: Rapid successive transactions from different devices
Business context: Different thresholds for different user types or account balances
Wrapping up
That's it! We've built a smart money transfer app with adaptive MFA that responds intelligently to risk. A $10,000 transfer from your home IP is fundamentally different from a $100 transfer from an anonymous VPN. Adaptive MFA recognizes these differences and responds appropriately.
Check out the Authsignal adaptive MFA docs to start implementing it in your app!
.png)