# Adaptive authentication
**Adaptive authentication** lets OpenIAM change the sign-in flow based on context. Instead of using only a fixed method such as password, OTP, or certificate, you can evaluate signals like IP address, role, or device status during authentication.
Use adaptive authentication when you need to require an extra step, allow access only under specific conditions, or block a login attempt.
### Authentication rules
Authentication rules define the sequence of steps that OpenIAM uses during sign-in. A rule can contain one authentication method, several methods in order, a choice between methods, or adaptive conditions that change the flow.
### Configure authentication rules
{% stepper %}
{% step %}
### Open authentication rules
In the **Webconsole**, go to **Policy → Authentication Rule**.
The default list includes rules for the standard authentication types.
{% endstep %}
{% step %}
### Create a one-step authentication rule
Use a one-step rule when you want a single authentication method.
Drag a step type from **Step types** into **Authentication rule steps**. Then connect the step in the rule designer.
{% endstep %}
{% step %}
### Create a multi-step authentication rule
Use a multi-step rule when users must complete more than one authentication method.
Drag the required step types into **Authentication rule steps**. Arrange them in the required order. Then connect the steps to define the sequence.
{% endstep %}
{% step %}
### Let users choose from multiple authentication methods
If you support several authentication methods, you can let the user choose one from an allowed list.
Use the rule type shown below to branch to multiple supported methods.
In this example, after a successful password login, the user is redirected to a selection page with the available authentication methods.
{% endstep %}
{% step %}
### Add adaptive authentication conditions
Use adaptive risks when the flow should change based on context. For example, you may want to require an extra step for a new device or allow access only for a specific role.
Drag the required adaptive risk from **Drag required adaptive risk** into the rule designer.
The example below adds an extra authentication step when the user signs in from a new device.
The next example allows access only for a selected role.
{% endstep %}
{% endstepper %}
Each adaptive risk returns either `true` or `false`. Use that result to decide the next step in the flow, require additional authentication, or deny access.
---
# Agent Instructions: Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.
Perform an HTTP GET request on the current page URL with the `ask` query parameter:
```
GET https://docs-beta.openiam.com/configuring-multi-factor-authentication/adaptive-authentication.md?ask=
```
The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.
Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.