
Add some content on adaptive auth #1657


Open
wants to merge 4 commits into
base: master

Conversation

tghosth
Contributor

@tghosth tghosth commented May 5, 2025

This originally came from a @jmanico comment here: OWASP/ASVS#3071 (comment)

You're A Rockstar

Thank you for submitting a Pull Request (PR) to the Cheat Sheet Series.

🚩 If your PR is related to grammar/typo mistakes, please double-check the file for other mistakes in order to fix all the issues in the current cheat sheet.

Please make sure that for your contribution:

  • In case of a new Cheat Sheet, you have used the Cheat Sheet template.
  • All the markdown files do not raise any validation policy violation, see the policy.
  • All the markdown files follow these format rules.
  • All your assets are stored in the assets folder.
  • All the images used are in the PNG format.
  • Any references to websites have been formatted as [TEXT](URL)
  • You verified/tested the effectiveness of your contribution (e.g., the defensive code proposed is really an effective remediation? Please verify it works!).
  • The CI build of your PR passes, see the build status here.

mackowski
mackowski previously approved these changes May 5, 2025
Collaborator

@mackowski mackowski left a comment

Looks good! Do we want to link back to ASVS here?

@tghosth
Contributor Author

tghosth commented May 5, 2025

Looks good! Do we want to link back to ASVS here?

@jmanico what do you think?

@jmanico
Member

jmanico commented May 5, 2025 via email

kwwall
kwwall previously approved these changes May 6, 2025
Collaborator

@kwwall kwwall left a comment

I think this looks like a great start. I will toss out a few additional things that you may wish to consider mentioning:

  1. Whatever adaptive authN an application chooses, it should be in line with any corporate policies and especially any regulatory policy.
  2. Sometimes, rather than starting out with MFA (which can be tedious), you might allow low-risk access with just things that identify the device (e.g., a specific mobile device fingerprint, a persistent cookie and browser fingerprint, etc. from the previous IP address). An example might be to allow someone to trigger something to see their current bank balance, but not the account # or anything else. If they need to see transactions, then you make them do some base-level authN, and if they want to do any money movement, you require MFA.
  3. Some of the checks act as red flags. For instance, if you do IP-based geolocation checks every T minutes and find that the two snapshots are further apart than is reasonable, you might send the user an email about the suspicious activity and log out both instances, or instantly force both sessions to re-authenticate with some stronger adaptive authentication.
  4. In lieu of making users re-authenticate, sometimes they will instead require you to answer the KYC (Know Your Customer) type of questions. (Personally, I'd prefer to just re-login, but that's just me.)
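As an added illustration of points 2 and 3 in the review comment above (this is example code written for this page, not code from the Cheat Sheet PR or from the reviewer): a small Python policy that (a) decides how much authentication an action needs given how well the device is recognised, so that a recognised device can see a balance without logging in but must step up to a password for transactions and to MFA for money movement, and (b) compares two IP-geolocation snapshots taken some minutes apart, flags an implausible implied travel speed, and forces every session of that user to re-authenticate with MFA. The action names, the 1000 km/h threshold, the base timestamp and the sample coordinates are all assumptions chosen for the example.

```python
"""Adaptive authentication sketch: tiered step-up plus an impossible-travel red flag.

Example code for this page; action names, thresholds and sample data are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import IntEnum
from typing import Dict, List, Optional, Tuple
import math


class AuthLevel(IntEnum):
    """Ordered: a higher level always satisfies a lower requirement."""
    DEVICE_ONLY = 0  # recognised device, user not authenticated in this session
    PASSWORD = 1     # base-level authentication
    MFA = 2          # password plus a second factor


# Sensitivity of each action (assumed action names for illustration).
ACTION_MIN_LEVEL = {
    "view_balance": AuthLevel.DEVICE_ONLY,   # low risk: no account number shown
    "view_transactions": AuthLevel.PASSWORD,
    "view_account_number": AuthLevel.PASSWORD,
    "transfer_money": AuthLevel.MFA,
}


@dataclass(frozen=True)
class DeviceContext:
    """Signals that identify the *device*; none of them authenticates the user."""
    persistent_cookie_valid: bool  # signed cookie issued after an earlier full login
    fingerprint_matches: bool      # browser/device fingerprint equals the stored one
    ip_matches_last_login: bool


def device_is_recognised(ctx: DeviceContext) -> bool:
    return ctx.persistent_cookie_valid and ctx.fingerprint_matches and ctx.ip_matches_last_login


def required_level(action: str, ctx: DeviceContext) -> AuthLevel:
    """Minimum level the session must hold to perform `action`."""
    if action not in ACTION_MIN_LEVEL:
        return AuthLevel.MFA  # fail closed: an unknown action is treated as most sensitive
    base = ACTION_MIN_LEVEL[action]
    if not device_is_recognised(ctx):
        # Device-only access is a privilege of recognised devices; anything else
        # needs at least a real login.
        return max(base, AuthLevel.PASSWORD)
    return base


def step_up_needed(action: str, ctx: DeviceContext, current: AuthLevel) -> Optional[AuthLevel]:
    """Level to step up to, or None when the current session already suffices."""
    need = required_level(action, ctx)
    return need if current < need else None


# ---- impossible-travel red flag -------------------------------------------

@dataclass(frozen=True)
class GeoSnapshot:
    """IP-geolocation result for one session at one point in time."""
    when: datetime
    lat: float
    lon: float


START = datetime(2025, 5, 6, 8, 0, tzinfo=timezone.utc)  # assumed base time for samples
EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 1000.0  # assumed threshold, roughly airliner speed; tune per policy


def snapshot(minutes_after_start: float, lat: float, lon: float) -> GeoSnapshot:
    """Convenience constructor for sample snapshots relative to START."""
    return GeoSnapshot(START + timedelta(minutes=minutes_after_start), lat, lon)


def haversine_km(a: GeoSnapshot, b: GeoSnapshot) -> float:
    """Great-circle distance between two lat/lon points in kilometres."""
    phi1, phi2 = math.radians(a.lat), math.radians(b.lat)
    dphi, dlam = phi2 - phi1, math.radians(b.lon - a.lon)
    h = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(h))


def impossible_travel(a: GeoSnapshot, b: GeoSnapshot, max_kmh: float = MAX_PLAUSIBLE_KMH) -> bool:
    """True when moving between the snapshots implies an implausible speed.

    IP geolocation is coarse and noisy (VPNs, mobile carriers), so treat a hit as
    a red flag that triggers step-up, not as proof of compromise."""
    distance = haversine_km(a, b)
    hours = abs((b.when - a.when).total_seconds()) / 3600.0
    if hours == 0:
        return distance > 0
    return distance / hours > max_kmh


def evaluate_sessions(observations: List[Tuple[str, GeoSnapshot]]) -> Dict[str, str]:
    """Compare one user's snapshots in time order. If any consecutive pair is
    impossible travel, every active session of that user must re-authenticate
    with MFA (a real system would also email the user and write an audit record)."""
    ordered = sorted(observations, key=lambda o: o[1].when)
    flagged = any(impossible_travel(ordered[i][1], ordered[i + 1][1])
                  for i in range(len(ordered) - 1))
    decision = "force_reauth:" + AuthLevel.MFA.name if flagged else "ok"
    return {session_id: decision for session_id, _ in ordered}
```

The ordering of `AuthLevel` as an `IntEnum` is what makes the step-up decision a single comparison, and unknown actions deliberately fail closed to MFA. The travel check is kept separate from the action policy so it can run on a timer against all live sessions, as the comment describes, rather than only at request time.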

@jmanico
Member

jmanico commented May 6, 2025

This is outstanding feedback Kevin 🤙🏽

@tghosth tghosth dismissed stale reviews from kwwall and mackowski via 5e77ea7 May 6, 2025 08:13
@tghosth
Contributor Author

tghosth commented May 6, 2025

I made some changes based on that feedback. I am a little wary of knowledge-based questions, as I know we prefer to avoid them.

kwwall
kwwall previously approved these changes May 6, 2025
Collaborator

@kwwall kwwall left a comment

Found 1 minor typo; otherwise, LGTM. I understand your reluctance about KYC (Know Your Customer); I've never much cared for it either, but it is widely used in financial circles. And according to this blog post, there may even be a regulatory compliance basis for it as well.

@tghosth
Contributor Author

tghosth commented May 6, 2025

Ok, please can this be merged then?

Labels
None yet
Projects
None yet
5 participants