Passkeys
Multi-factor authentication
Adaptive MFA
Implementation
Risk based authentication

How to implement adaptive MFA with passkeys for smarter, risk-based authentication

In our previous blog, we explored how you can use passkeys for step-up authentication, providing biometric verification for high-value transactions. Today, we're taking that concept further by diving into adaptive MFA, where security decisions are made intelligently based on real-time risk assessment rather than fixed rules.

Imagine you're using your banking app at home, transferring $500 to pay rent. The transaction goes through seamlessly. Later, you're on vacation connecting through a public WiFi to send $100 to a friend, and suddenly you're prompted for additional verification. That's adaptive MFA in action.

Unlike traditional step-up authentication that only looks at transaction amounts, adaptive MFA considers multiple risk factors: Are you connecting from an anonymous IP? Are you in an unusual location? Is this transaction pattern normal for you? A $10,000 transfer from your home IP might be perfectly safe, while a $50 transfer from an anonymous VPN could signal account compromise.

What we're building

We’ll build a smart money transfer app that adapts its security based on real-time risk assessment. Here's how our adaptive MFA in the app works:

Anonymous/risky IPs: Always require passkey verification for connections from VPNs, Tor, or suspicious IP rangesTrusted IPs + high value: Require verification for transactions over $2,000 from known good IPsTrusted IPs + low value: Allow transactions to proceed seamlessly

This way, your regular IP addresses will become trusted over time, while suspicious network activity gets flagged immediately.

Architecture overview

The system has four key components:

IP Risk Assessment: Authsignal automatically identifies anonymous IPs, VPNs, Tor networks, and suspicious IP ranges.

Risk Assessment: Every transaction is evaluated against configurable rules that consider IP reputation, transaction amount, and other risk factors.

Adaptive Challenge: When risk is detected, users get a passkey prompt. Low-risk transactions flow through without friction.

Continuous Learning: The system learns IP patterns over time, reducing false positives while maintaining security.

Set up rules in Authsignal

Before we dive into the code, we need to configure our adaptive MFA rules in the Authsignal Portal.

Create the action: Navigate to the Actions section in your Authsignal dashboard and create a new action called adaptive-mfa-transfer.

Create and configure rules: Head to the Rules tab and set up your risk-based conditions. Set the outcome to "Challenge" and add these conditions. Don’t forget to set the rule outcome to ‘Challenge’.

  • IP is anonymous = True → Challenge
  • transactionValue > 2000 → Challenge

This means users will be prompted for verification when connecting from anonymous IPs or when making high-value transfers from trusted networks.

Implementation

Now, let's build the app:

Install packages:

Grab your Authsignal credentials:

Passkey enrollment

Before adaptive MFA can work, users need passkeys enrolled.

Backend enrollment endpoint:

Frontend enrollment flow:

Adaptive MFA Implementation

Transaction verification:

Challenge the user

Different adaptive MFA scenarios

Scenario 1: Anonymous IP, any amount ($100)

  1. User connects via VPN and enters transfer details
  2. Authsignal detects anonymous/VPN IP address
  3. IP is anonymous = True rule triggers
  4. User prompted for passkey verification
  5. After successful verification, transaction proceeds

Scenario 2: Trusted IP, high amount ($3,000)

  1. User enters large transfer from home IP
  2. Authsignal recognizes trusted IP but sees high amount
  3. transactionValue > 2000 rule triggers
  4. User prompted for passkey verification
  5. Transfer proceeds after verification

Scenario 3: Trusted IP, normal amount ($500)

  1. User enters regular transfer from home/office IP
  2. Authsignal recognizes trusted IP and sees normal amount
  3. No rules trigger
  4. Transfer proceeds immediately

Scenario 4: Tor network, any amount

  1. User connects through Tor browser
  2. Authsignal detects Tor exit node IP
  3. IP is anonymous = True rule triggers
  4. Verification required regardless of amount

Extensions and customization

You can enhance adaptive MFA with additional risk signals:

Geographic risk: New countries or impossible travel detection

Network analysis: VPN detection and IP reputation scoring

Velocity checks: Rapid successive transactions from different devices

Business context: Different thresholds for different user types or account balances

Wrapping up

That's it! We've built a smart money transfer app with adaptive MFA that responds intelligently to risk. A $10,000 transfer from your home IP is fundamentally different from a $100 transfer from an anonymous VPN. Adaptive MFA recognizes these differences and responds appropriately.

Check out the Authsignal adaptive MFA docs to start implementing it in your app!

Have a question?
Talk to an expert
No items found.

You might also like

Passkeys
WebAuthn
Phishing resistant
FIDO2
Relying party ID

Understanding Relying Parties for Passkeys: A Guide on what, why, and how to use them.

July 3, 2024
UX Guidelines
Passkeys
Implementation

UX Best Practices for Passkeys: Understanding Device-Initiated Authentication

December 18, 2024
UI Components
React
Passkeys

Passwordless React UI Components: Add Passkeys to Your Client-Side App

October 23, 2024