Authentication is undoubtedly one of the most crucial aspects of cybersecurity today, but our understanding of how to verify users and their actions has been largely unchanged for decades. It always works the same: the user provides something they know (password), have (ID), or are (fingerprint) and if this input matches what the system knows about the user, a session is initiated with the user's privileges. The resurgence of continuous authentication in the security conversation signals a perspective change in our industry: From authentication as an event, back to authentication as a process.
The world is changing quickly; wearables, smart devices, and laptops have profoundly impacted the way we work. Today’s knowledge worker frequently switches between and share devices with coworkers and family. Also, what we do has changed. We are using many different interlinked accounts and services all at the same time.
This makes organizations vulnerable to three attack vectors:
1. Session imposters: Attackers attempt to take over sessions that are open longer than the employee is actually using them.
2. Credential stuffing and password spraying: 50% of passwords are duplicates because employees aren't able to memorize enough passwords. Attackers abuse this by collecting credentials leaked from other services or by making attempts based on a list of common passwords.
3. Phishing: The frequent entering of passwords makes employees negligent when verifying the origin of login requests.
All these attack vectors can be alleviated by employing smarter authentication technology. To achieve this, we have to rethink how we approach authentication as a whole.
Continuous Authentication Today
With continuous authentication, instead of a user being either logged in or out, your application continually computes an 'authentication score' which measures how certain it is that the account owner is also the one using the device. For the sake of simplicity, imagine this score as a number between 0 (not authenticated at all) and 100 (complete confidence). If we are not confident enough to warrant, for example, a banking transaction, we can prompt the user to input more information (password, card, fingerprint). If we detect an action that indicates that the user changed we can also decrease this score, essentially making an explicit log-out obsolete.
Another key advantage of continuous authentication is that companies can now assign each user action constraints based on tolerable risk or context. These constraints can consist of a minimum confidence score (derived from the tolerable risk) and more factors like location of the user, whether other people are present or even the time of day. This can minimize the exposure of the most sensitive credentials and relieve a lot of stress on the users because they don't need to manage many complex passwords. A variety of technologies already exist to support continuous authentication, including Face ID and fingerprint readers in smartphones.
Although biometrics are easy to use and seem like a perfect replacement for passwords, they have their own set of drawbacks which means passwords will still be needed in a world with CA – especially to secure high-risk operations. The reason biometrics can't replace passwords entirely is that biometric information is immutable: You can't change your fingerprint or behavior and once its stolen there is no way to reset. They still are a valuable asset to supplement other authentication technologies though.
Is Continuous Authentication Right for You?
Go over the actions that your users can perform and think about them in terms of acceptable risk and context. Example: Watching your newsfeed should not require the same authentication score as committing a financial transaction. If the former is accessed by an imposter, the consequences are minimal. Use this to build authentication policies for different tasks that encompass acceptable risk and allowed context (for example, an employee may only be able to perform a certain operation from inside the office). You can already implement some of these policies today, depending on your infrastructure. For example, you can continually verify that a user accesses your service with consistent browser metadata and from a whitelisted IP range. Unfortunately, there are very little mature and sufficiently flexible products for CA infrastructure on the market now. A good way to set up for CA is to centralize your authentication infrastructure. This is needed to design comprehensive and thorough authentication policies that encompass your entire app ecosystem because a system is only as secure as its weakest link.
Continuous Authentication and the Future of Security?
We can already see smartphone manufacturers moving in the direction of continuous authentication, and industry leaders are starting to realize that authentication is a much more fluid spectrum than we used to think. If implemented thoroughly, CA has the ability to massively increase corporate security by passively limiting the impact and likelihood of credential compromise, data breaches, and sabotage. At the same time, it increases employee productivity by not disrupting our modern way of working and user satisfaction with a seamless experience. It is a huge step forward in IT security and can mitigate a lot of issues simultaneously.