The most common interaction with an authentication mechanism is when we type in our password to log on to a computer or website. We type in the password once, it is authenticated by the OS, then our session is unlocked.
In some cases, we are required to provide a second authentication factor – a physical device, a one-time passcode, or a biometric sample. The common theme amongst all these authentication solutions is that they authenticate the user only once. After an authentication succeeds, there are no further restrictions or checks on access to the resource to protect against unauthorized use.
So, what happens if the user leaves the computer unattended? Does the system know that it is the same person using the computer who was authenticated on the login screen, or someone else who came across an unlocked and unattended computer? What if this computer is at a hospital with private patient data on it? Or at a bank or financial institution with access to millions of bank accounts?
How can an organization implement robust security policies that go beyond the first and only authentication, to make sure data is not put at risk at the most commonly breached endpoint in network security – the person using the computer?
Continuous authentication is a mechanism that regularly re-validates the authenticity of a user after login, for the entire duration of the session. Continuous authentication targets the biggest risk factor in computer security – people leaving workstations unlocked and unattended. It guards against tailgating – another person (a session imposter) taking over an unlocked computer when the user leaves for lunch or a meeting. It also guards against piggybacking – a user knowingly allowing an unauthorized person to use their system or session.
The ideal continuous authentication mechanism would combine several authentication schemes to provide the best workflow for the end user and the highest level of security for the administrator. Importantly, it should be completely transparent to the user: it should run all the time but require no user input.
Examples of continuous authentication mechanisms
Presence-based authentication: Detecting the presence of a user using a key (token or smartphone) for proximity scanning is a form of continuous authentication. The computer constantly scans for the presence of the key’s wireless radio signal to continue verifying the user’s presence. When the token leaves the vicinity of the computer, the machine locks thereby preventing any unauthorized access. A limitation of this approach is that it requires users to keep a token/phone with them.
Biometric authentication: Facial recognition devices can be used to make sure the verified user is still present and locking the session when the user moves away. With modern image and video matching algorithms, such a solution can achieve high accuracy. However, it may not be a practical solution in many circumstances such as a hospital where face masks and PPE gear are commonly used. Voice authentication can serve the purpose of continuous authentication as well but may introduce complications in noisy environments.
Behavior/activity-based authentication: Developing a behavioral model of the authenticated user over time can help detect non-conforming use of the computer. This can include using typing, mouse movement, and/or website activity to determine presence. By building a user’s behavioral signature from typing dynamics (or “typing rhythm”), mouse movement, and even walking speed from a phone’s accelerometer data, authentication software can then block access whenever real-time use of the computer starts deviating from the user’s behavioral model.
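As an added example (not code from the original article or any product), the following Python sketches how the presence-based and behavioral signals described above can be fused into one session monitor: a token's radio strength (RSSI) with a grace period so a single dropped sample does not lock the user out, and a keystroke-rhythm baseline whose z-score deviation flags a session imposter. The RSSI readings, flight times and thresholds are constructed and illustrative.

```python
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass
class KeystrokeBaseline:
    """Enrolled typing rhythm: mean/stdev of flight time (ms) between key presses."""
    mu: float
    sigma: float

    @classmethod
    def fit(cls, flight_ms):
        # Floor sigma at 1 ms so a very regular typist does not cause a divide-by-zero
        return cls(mean(flight_ms), max(pstdev(flight_ms), 1.0))

    def deviation(self, window_ms):
        """How many baseline standard deviations the current window's rhythm is off by."""
        return abs(mean(window_ms) - self.mu) / self.sigma


@dataclass
class SessionMonitor:
    baseline: KeystrokeBaseline
    rssi_floor: int = -80        # dBm; weaker than this counts as 'token away' (illustrative)
    away_grace: int = 3          # consecutive 'away' ticks before locking (hysteresis)
    max_deviation: float = 3.0   # z-score above which typing is judged 'not the enrolled user'
    _away_ticks: int = 0
    locked: bool = False

    def tick(self, rssi, flight_ms):
        """One evaluation cycle. Returns the reason the session was locked, or None."""
        if self.locked:
            return "locked"
        # Presence: count consecutive weak samples; one good sample resets the counter
        self._away_ticks = self._away_ticks + 1 if rssi < self.rssi_floor else 0
        if self._away_ticks >= self.away_grace:
            self.locked = True
            return "token out of range"
        # Behavior: an idle window (no keystrokes) is not evidence either way
        if flight_ms and self.baseline.deviation(flight_ms) > self.max_deviation:
            self.locked = True
            return "typing rhythm deviates from baseline"
        return None
```

In a real deployment the lock action would call the OS session-lock API and the baseline would be re-fitted periodically so that gradual, legitimate drift in a user's typing does not trigger false locks.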
Benefits of continuous authentication over static authentication
Dynamic security over one-time logins: One-time authenticated logins are like checking someone in at a gate – you don’t know what they’re doing once they’re inside the building. Static authentication methods are simply not robust enough for ever-changing environments: multi-terminal access, shared accounts, laptops at home, etc. A good continuous authentication solution will consider as many environmental and human factors as possible, rather than hoping people can be trusted.
Less reliance on people: Providing strong security throughout the entire session and accurately determining when to end a session are the key goals of continuous authentication. Because continuous authentication requires no user interaction, reliance on people to think about security is greatly reduced.
Less stress for admins: Admins stress because their users make terrible decisions with regard to security. Users will avoid authentication-related tasks like the plague and find many ways of undermining an administrator’s security for a little convenience. Using a robust security solution to continuously monitor users throughout their entire session is the only way to cover as many attack vectors as possible.
Administrators and risk officers must start looking beyond basic authentication, as an effective continuous authentication mechanism can not only augment the traditional login, but can also greatly reduce the endpoint security threat by automatically securing all unattended