A method, system and computer-usable medium for providing security friction to a request for access to a resource based on whether the access request is atypical. In certain embodiments, a request to access the resource based on a user identity is received electronically. The system determines whether the request is typical or atypical. If the request is typical, access to the requested resource is granted. However, if the request is atypical, access to the requested resource is only allowed if the correct information is provided in response to one or more access control methods that provide an amount of security friction that would otherwise not have been asserted if the resource request was typical. In certain embodiments, an elapsed time between access requests based on the user identity is used to determine whether the access request is atypical.