Continuous Authentication: Security for an Evolving Threat Landscape
Employees enter login credentials and, once authenticated, gain secure access to valuable network resources and applications. However, requiring users to go through the authentication process only once is turning out to be a risk factor in itself. This process leaves organizations exposed every time an employee steps away from their desk, clicks a link, shares a password, or misplaces a mobile phone. If a user authenticates only at login, credential misuse mid-session can go unnoticed. Continuous authentication, on the other hand, monitors ongoing sessions and verifies user legitimacy in real time. When red flags are raised, authentication challenges are issued immediately.
With continuous authentication, organizations can set up periodic “verification checkpoints” every few minutes or every few hours, depending on the sensitivity of the information requiring protection. Alternatively, authentication challenges can be triggered when a suspicious event is detected; for example, a request for network access at an unusual time or an atypical change in browser language. If the user fails the challenge, the session automatically ends and IT can be notified.
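The checkpoint and event-triggered logic described above, sketched as an added example (not the author's or HID Global's code). The interval values, the working-hours range and the `challenge`/`notify` callbacks are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed re-verification intervals per data sensitivity (illustrative values).
CHECKPOINT = {"low": timedelta(hours=4), "medium": timedelta(hours=1),
              "high": timedelta(minutes=5)}

@dataclass
class Session:
    user: str
    last_verified: datetime
    language: str                      # browser language seen at last verification
    usual_hours: range = range(8, 18)  # assumed per-user working hours
    off_hours_verified: bool = False   # off-hours use already challenged and passed
    active: bool = True

def triggers(s, now, sensitivity, language):
    """Return the reasons this request needs a challenge (empty list = none)."""
    reasons = []
    if now - s.last_verified >= CHECKPOINT[sensitivity]:
        reasons.append("checkpoint_due")
    if now.hour not in s.usual_hours and not s.off_hours_verified:
        reasons.append("unusual_time")
    if language != s.language:
        reasons.append("browser_language_changed")
    return reasons

def handle_request(s, now, sensitivity, language, challenge, notify):
    """Decide one request: 'allowed', 'terminated' (challenge failed) or 'denied'."""
    if not s.active:
        return "denied"                # session was already ended
    reasons = triggers(s, now, sensitivity, language)
    if reasons and not challenge(s.user, reasons):
        s.active = False               # a failed challenge ends the session
        notify(s.user, reasons)        # and IT is told why
        return "terminated"
    if reasons:                        # challenge passed: reset the baseline
        s.last_verified, s.language = now, language
        s.off_hours_verified = now.hour not in s.usual_hours
    return "allowed"

if __name__ == "__main__":
    # Constructed sample: one session, three requests, the last fails its challenge.
    s = Session("alice", datetime(2024, 1, 8, 9, 0), "en-US")
    for minute, level, lang in [(3, "low", "en-US"), (6, "high", "en-US"), (7, "high", "fr-FR")]:
        ok = lang == "en-US"
        print(handle_request(s, datetime(2024, 1, 8, 9, minute), level, lang,
                             lambda u, r: ok, lambda u, r: print("ALERT", u, r)))
```

Passing a challenge resets the baseline, so a user working late is challenged once for the unusual hour rather than on every request until the next checkpoint.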
How Behavioral Biometrics Support A Continuous Authentication Framework
There are potential downsides to continuous authentication—one of the most apparent being user friction. Few would disagree that asking users to interrupt work to answer a challenge question or enter a credential is massively inconvenient.
Behavioral biometrics can minimize these inconveniences and the friction they cause. The technology works behind the scenes to analyze users’ behaviors (e.g., how a user types or holds a mobile device) against their unique profiles in real time.
With ongoing advances in AI and machine learning, the promise of using behavioral biometrics to drive reliable, frictionless, and continuous authentication is real. Three factors are required to make it work:
- A robust feature set with a full array of authentication factors, broad MFA capabilities, adaptability to existing infrastructures, and coverage for all applications and users.
- A risk-based approach driven by machine learning that takes the profile of users requesting network access into account when determining requested transactions’ risk profiles.
- The flexibility to align authentication with the sensitivity of actions or data, from the lowest to the highest assurance levels, where the impact ranges from user inconvenience (level 1) to financial loss (level 2) to criminal violations (level 3) and more, as detailed by NIST (National Institute of Standards and Technology).
The Right Authentication for Today and Tomorrow
Verifying a user’s identity is fundamental to cybersecurity, and the first step is moving beyond one-time authentication. Behavioral biometrics are moving the security industry in the right direction. Advances in AI and machine learning are taking it even further.
Is seamless, frictionless, and continuous authentication in our future? The emergence of vendors already offering next-generation authentication capabilities is a positive sign. HID Global is one such company.
Jeff Carpenter is Director of Cloud Authentication at HID Global. In his 15+ years in cybersecurity, Jeff has held positions with several top tier cybersecurity and technology companies including Crossmatch and RSA, a Dell Technologies company. He holds both a Certified Information Systems Security Professional (CISSP) and a Certified Cloud Security Professional (CCSP) designation.