Back

Continuous Authentication is Changing the Authentication and Security Landscape

January 23, 2019
3 minutes read
Category: Mobile Identity
Author: Stefan Kostić

In 2010, when Wired announced the death of web and the rise of apps, many were skeptical. How bold a prediction, although based on data and simple logic.

Now, apps rule our lives. We take apps for granted, and login & authentication have become the cornerstone of our everyday activities.

Many tasks depend on us being able to login to a plethora of apps, and to do that we must remember our login credentials or rely on connecting them to other login services and/or password manager apps.

In recent years, due to growing security concerns, we also started relying on 2FA (SMS, third-party apps, hardware tokens…). This is adding a layer of complexity while not actually adding a lot security – because threat factors found ways to intercept SMS, as well as to take over victims’ SIM cards. Also, in many cases users opted not to use 2FA to be able to login faster.

Enter, continuous authentication.

New Way of Thinking About Authentication

This relatively new term shows a change of paradigm when thinking about authentication. Instead of it being an event that happens once in a while during app usage (usually as the first step in using it), it becomes a process that protects the entire session.

And this is crucial due to something called – decay in authentication. This term describes a cyber phenomenon that happens once a user logs in. At that moment their authentication level is very high, but as the time passes on – authentication level lowers. The rate at which it goes down varies – depending on user activity, device location and activity of other apps, protection of the device and the network it is connected to…

For instance, if a user logs in, uses the app and does not change to another app – authentication level is going down but slowly. And in case of a user logging in, using the app and the app and device go idle, authentication level is becoming lower at a faster pace. And if the user didn’t lock their screen – it goes down even quicker.

How Continuous Authentication Protects Users & Organizations

Continuous authentication is the answer to decay in authentication. It prevents malicious actions by constantly computing an authentication score which measures how high the probability of account owner using the devices is vs. it being taken over by someone else.

Taking factors I mentioned, and many others, into account it changes the score in real time and decides when it needs to ask the user for additional credentials.

For instance, if we look at mobile banking – the app will ask for user credentials at login and then the user will go into the account and ask to make a transaction, without any idle time in app usage. Things will go smoothly, and no additional verification will take place.

Another user, let’s say, logs into the m-banking app, then puts the phone down while finishing some other work, and then continues with making the transaction. But now, there is additional verification active to make sure that in these 30 seconds of idle time no one else took over control of the device and/or the app.

This is continuous authentication in action!

Factors that are used to calculate the authentication score can also include the time of day, risk assessment of the user’s role within an organization, sensitivity of the data and/or actions the user can take, location… With more data points to take into account, continuous authentication will work better, and ask for user input only when actually needed.

IPification & Continuous Authentication Fit Together

In the modern landscape, with mobile devices taking more important roles in our private and business activities, continuous authentication will become something much more than a trendy term.

It has the potential to massively increase user security by limiting the impact of compromised credentials, data breaches and intentional sabotages. And at the same time, it can improve employee productivity by not disrupting the way we go about our everyday activities.

And here IPification fits perfectly. Our solution improves user experience while actively asking for verification – either during login or at any point during app usage. But more importantly, it can run in the background and continuously check if there are any changes related to the device and its SIM card, to help mitigate any unwanted actions.

In tandem with a solution that will continuously calculate the authentication score, IPification has the ability to help put continuous authentication in every users’ pocket and make sure it is actually used due to advantages over alternative solutions in terms of UX and privacy.

With minimal user interaction when active verification is needed – IPification makes user experience as smooth as possible and makes sure verification is done, while the privacy is maintained as all the verification is done on the mobile operator side without any private user data being sent, which is one of the things that make biometrics a less secure method.

I am looking forward to continuous authentication becoming an important cybersecurity pillar in many organizations. It is on the verge of doing so, while we are working on making IPification an important piece of the puzzle in this new world.