Continuous authentication is a method of verification aimed at providing identity confirmation and cybersecurity protection on an ongoing basis. By constantly measuring the probability that individual users are who they claim to be, continuous authentication validates the user not just once but nonstop throughout an entire session. Focused on furnishing smart, secure identity verification without interrupting the workflow, continuous authentication is implemented using machine learning (ML) and a variety of factors including behavioral patterns and biometrics.
Although continuous authentication is relatively new, this type of verification is gaining attention as companies seek new ways to prevent unauthorized access to critical business data. Traditional forms of verification such as single-factor authentication (SFA), which provides protection at login, and two-factor authentication (2FA), which adds a second layer of security at login, do not offer continuous validation of a user’s identification. The need for new identity and access management (IAM) strategies such as continuous authentication is growing as a result of the rapid pace of digital advancements and escalating cybercrime.
How does continuous authentication work?
An IAM solution with continuous authentication functionality constantly collects information about a user’s actions and patterns of regular behavior and learns to distinguish between normal and abnormal behavior of a user based on the collected data. Based on analysis of user behavior, access to a system can be granted or additional user identity verification can be requested.
Variances and inconsistencies in a user’s behavior and interaction with a system can be measured, or a user’s physiological characteristics can be identified, continuously throughout the session. If a user’s behavior turns anomalous or the account appears to be compromised, access can be revoked and application sessions ended immediately. Possible signals for spotting such changes include keystrokes, video, fingerprints, touch (the amount of finger pressure applied) and facial features such as eye position, pupil size and how often someone blinks.
An application with continuous authentication functionality can continually compute an “authentication score” to determine how certain it is that the account owner is also the one using the device. Depending on the score, the user might be prompted to input additional information such as a password, card or fingerprint.
Types of authentication methods
A variety of technologies exist to support continuous authentication:
- Physical movement - Sensors can be employed to track a user’s unique way of moving, for example how a user walks while holding a phone, or specific hand positioning and movements when carrying or using a device.
- Facial recognition - Facial identification is often used for one-time authentication (such as unlocking a mobile phone) but can also be applied to authenticate users continuously.
- Behavioral and physiological biometrics - User behavior patterns such as interactive gestures, how a user types or taps, finger pressure, how long a user holds a key on a keyboard, or how they swipe or use a mouse can be monitored continuously. Variances from the norm can then be highlighted or flagged.
- Voice authentication - Patterns in voice (e.g. changes in pitch and frequency) can be tracked for continuous authentication. Out-of-the-ordinary qualities can be detected by constantly comparing input speech against a control conversation used as a reference.
Benefits and drawbacks of continuous authentication
Using behavioral biometrics (or the combination of behavior and physiology unique to each individual) helps stop imposters, bots and fraudsters with criminal intent. The objective is to improve security without negatively affecting user experience. Without continuous authentication, organizations are more vulnerable to a number of attack vectors and cybersecurity threats. For example, a system can be taken over when a user has stopped using it but the session is still open; one-time verification at login offers no protection against this. Other possible threats include credential stuffing and phishing.
Today, continuous authentication capabilities can be integrated directly into an application, but standards to accomplish this across multiple apps are not yet available. Additionally, although modern technology makes continuous authentication more palatable than in the past, user acceptance could remain an issue. Continuous authentication may be a step too far for some who see it as invasive as people may not be comfortable being passively monitored and watched. Similarly, potential privacy and compliance problems could arise. Balancing privacy concerns and security benefits is key to the acceptance of continuous authentication.