User authentication is an integral part of cybersecurity. Authentication methods have evolved: from complex passwords to passwordless authentication, scores of different techniques have been introduced. Yet even the most stringent security measures are not always effective.
Kevin Mitnick, once known as the FBI’s most wanted hacker, now helps companies defend themselves. In an interview with CNBC, he said: “Just by enabling two-factor authentication, you can’t relax…a smart attacker could get access to your account.” “If we can steal the user session cookie, we could become them, and we don’t need their username, their password, or their two-factor.”
We have moved from one-time authentication to multi-factor authentication to make sure that we stay on the secure side of the connection. However, cybercrime is growing alongside the technology. According to CNN Money, one in two Americans becomes a victim of identity fraud every two seconds!
Therefore, authenticating identities via 2FA, MFA, or any other method just once is not enough; authentication must now be a continuous process.
What is Continuous Authentication?
Let’s take an example:
You need to access a business application on your computer. You authenticate your identity via MFA, gain access, and are confident that your access is secure. Now you step away from your desk for a while. There is a real chance that your session is taken over by a hacker or a piece of malware, leaving the system exposed to hacks, phishing, and credential stuffing.
This is where Continuous Authentication comes in: it is an ongoing process that runs after the session has begun. It is a mechanism that constantly checks attributes that change over time and keeps validating the user’s identity throughout the session, not just at the login point.
Returning to the example above: if someone does take over your session, unique user attributes such as how you type, the way you handle the mouse, and the number of pauses you take as you type are examined. For instance, if you normally pause for two seconds after every sentence you type and the system observes a five-second pause, it will immediately prompt a quick re-verification of the user.
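The pause check just described, as an added illustration (not code from the article): a monitor learns a user’s typical inter-sentence pause during an MFA-verified session, then judges each later pause and asks for a step-up check when one drifts far from the baseline. The timing values are constructed for the example; the 3-standard-deviation threshold and the 10-sample minimum are assumptions.

```python
import statistics
from dataclasses import dataclass, field

# Added illustration, not code from the article. Baseline and live timings
# used below are constructed values, not real keystroke data.

@dataclass
class PauseMonitor:
    """Learns a user's typical pause between typed sentences and, once the
    session is under way, flags pauses that drift far from that baseline."""
    z_threshold: float = 3.0   # deviation (in std-devs) that triggers a check
    min_samples: int = 10      # do not judge until the baseline is this large
    baseline: list = field(default_factory=list)

    def enroll(self, pause_seconds: float) -> None:
        """Record a pause seen during a session already verified by MFA."""
        self.baseline.append(pause_seconds)

    def evaluate(self, pause_seconds: float) -> str:
        """Return 'continue' or 'step-up' for one newly observed pause."""
        if len(self.baseline) < self.min_samples:
            return "continue"   # too little history to call anything anomalous
        mean = statistics.fmean(self.baseline)
        stdev = statistics.pstdev(self.baseline)
        # A very regular typist has a stdev near zero, which would make any
        # tiny change look extreme; floor it at 10% of the mean.
        stdev = max(stdev, 0.1 * mean)
        z = abs(pause_seconds - mean) / stdev
        return "step-up" if z > self.z_threshold else "continue"

def run_session(monitor: PauseMonitor, live_pauses: list) -> list:
    """Evaluate each live pause in order and stop at the first step-up,
    mirroring the article's 'immediately prompt a quick verification'."""
    decisions = []
    for p in live_pauses:
        d = monitor.evaluate(p)
        decisions.append(d)
        if d == "step-up":
            break
    return decisions

if __name__ == "__main__":
    m = PauseMonitor()
    for p in [1.8, 2.1, 2.0, 1.9, 2.2, 2.0, 2.1, 1.9, 2.0, 2.1]:  # ~2 s pauses
        m.enroll(p)
    # The user keeps a ~2 s rhythm, then a 5 s pause appears mid-session.
    print(run_session(m, [2.0, 2.3, 1.9, 5.0, 2.0]))
    # -> ['continue', 'continue', 'continue', 'step-up']
```

A real product would combine many such signals (key hold time, mouse movement) into one risk score rather than acting on a single pause.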
So, let’s dig deeper and understand…
How does Continuous Authentication work?
Mark Diodati, research vice president at Gartner, said: “The technology works behind the scenes, looking at how users behave: the way they type on the keyboard, how quickly they move between the keys, how long they hold a key, how they swipe on mobile devices, how they move a mouse.”
With authentication, you secure your identity against a ‘hacker’; with Continuous Authentication, you secure it against a ‘session imposter.’
There are multiple ways to support Continuous Authentication:
Physical movement: The sensors track the physical movement of the user; the way a user positions his/her device, the speed at which the user moves the mouse pointer, etc.
Facial recognition: Most devices have this feature for authentication. However, Continuous Authentication follows the way a user glances at his device or the facial expressions he gives while unlocking the device.
Behavioral attributes: Behavioral patterns or gestures such as the typing speed of the user, finger pressure, the way a user moves his mouse, etc. are noted.
Voice recognition: This method of authentication is particularly helpful for banks, call-centers, or services that require the user to interact over a call. Continuous Authentication considers voice pitch, tone, and frequency.
Essentially, Continuous Authentication relies on attributes that are unique to each user. Even if someone steals your password, your answers to security questions, or your tokens, it is not feasible to steal your unique physical movements, voice, or behavioral patterns. The benefits follow from this: stronger security and the ability to shut out session imposters, bots, and other unauthorized activity.
At a macro level, this improves a company’s cybersecurity posture. A company with a secure IT infrastructure will also find it easier to meet security compliance requirements, and a company that is compliant with security standards makes for a good brand.
Choosing Continuous Authentication
The best part of Continuous Authentication is that the user needs to make minimal effort to stay authenticated. However, not every session requires Continuous Authentication. For instance, if you are reading a news feed on your mobile and walk away from your device, it is very unlikely that such an open session would be prone to hacks, phishing, or credential stuffing. But if you are working on a customer database, a document that should be protected, that session does require Continuous Authentication.
So, opting for Continuous Authentication depends on the importance of your work, and whether your session must be protected, even when you aren’t around.
The future of Continuous Authentication
In December 2018, Gartner pushed the focus on Continuous Authentication for 2019 at their annual conference on Identity and Access Management in Las Vegas. The main topic of discussion was their self-coined term, CARTA — Continuous Adaptive Risk and Trust Assessment. The discussion held that CARTA as a concept should be applied across all levels of security, with authentication being one of the largest areas of impact.
We have reached the point where assuring ourselves that our identities are protected and secure no longer suffices; we need constant reassurance about the security of our identities, and it looks like Continuous Authentication is the way to go.