How Continuous Authentication Works & Where IPification Fits In

Continuous authentication, anyone? By now, you must have heard about it.

Our own Stefan Kostic wrote about it and its business implications some months ago.

Since Gartner popularized the term some years ago, it has become a buzzword in the authentication industry — and with good reason. Let me take you through it.

Continuous authentication, sometimes called CARTA for “continuous adaptive risk and trust assessment,” is seen by many as the effective solution to the never-ending list of security challenges businesses, their employees, and end-users face every day.

How is it so effective, then?

As my colleague Stefan wrote, in addition to the initial authentication checkpoint, which most of us are used to, continuous authentication gives equal value to post-authentication checkpoints.

If I told you that a cyber-attack occurs every 39 seconds, you might start to understand why such thorough authentication has become crucial to securing today’s digital ecosystem.

An ongoing authentication system

Continuous authentication battles something called decay in authentication.

What this means is that every user, at every point in a session, has an authentication score. This score is at its highest right after the initial authentication checkpoint. After that, the longer the session goes on without re-verification, the lower the score gets; in other words, it decays.

Let’s say you want to pay a bill from your m-banking app. You log in, start the transaction, and then leave your phone for a while because something else pops up. The longer your phone is in this idle state, the more susceptible you become to cyber-attacks.

Now, most e-banking apps would log you out at this point, but this isn’t always the case — and especially not with other apps out there that hold other types of sensitive data.

This is precisely where continuous authentication becomes essential.

Ideally, your identity should be verified on an ongoing basis to ensure that your session has not been taken over by a hostile party. This process is done a little bit differently from what you are used to with the traditional initial authentication processes.

Continuous authentication relies on something called the baseline behavior profile, which uses the following three factors that describe how a certain user interacts with their device:

  1. Cognitive factors (the speed of interaction, the way a user glances at their phone)
  2. Physiological factors (hand used, the pressure applied, etc.)
  3. Contextual factors (location info, device info, time of day, etc.)

While to an everyday person this might seem way too futuristic for the tech most of us have in our pockets, this isn’t actually the case.

Let’s go through what all of this would look like in practice.

Continuous authentication learns the “normal” usage pattern

To be able to verify the normal usage pattern of a certain user, the continuous authentication system in place would first have to learn that pattern and then keep tracking it.

How do you usually pay your bills?

If you’re like me, you’d be at home, log into your m-banking app, and transfer the funds then and there. This is the type of information a continuous authentication system would learn.

Now, imagine this. You’re at home. You log into your m-banking app to pay your bills. Your child suddenly needs immediate attention and you leave your phone. Twenty minutes later, someone logs into your account from a location in a different country. That’s definitely not you, right?

Continuous authentication jumps in. The user is asked to re-verify their identity, thus ensuring security.
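The decaying authentication score and the contextual re-verification described above, as an added example that is not code from IPification or this post: trust is highest right after login, halves every ten minutes of inactivity (a constructed half-life), is multiplied down by contextual deviations from the learned baseline, and a step-up is requested once it falls below a constructed threshold.

```python
import math
from dataclasses import dataclass

# Constructed policy parameters for illustration only; a real deployment tunes these.
HALF_LIFE_SECONDS = 600.0      # trust halves after 10 minutes of idle time
STEP_UP_THRESHOLD = 0.5        # below this, the user is asked to re-verify
COUNTRY_CHANGE_PENALTY = 0.6   # a new country is strong evidence the session moved


@dataclass(frozen=True)
class Context:
    """Contextual factors the system compares against the learned baseline."""
    country: str
    device_id: str
    hour_of_day: int


def decayed_trust(initial: float, idle_seconds: float,
                  half_life: float = HALF_LIFE_SECONDS) -> float:
    """Exponential decay: the score drops the longer the session sits idle."""
    return initial * math.pow(0.5, idle_seconds / half_life)


def contextual_trust(baseline: Context, observed: Context) -> float:
    """Multiplier in (0, 1] derived from how far the observation strays from baseline."""
    factor = 1.0
    if observed.country != baseline.country:
        factor *= 1.0 - COUNTRY_CHANGE_PENALTY
    if observed.device_id != baseline.device_id:
        factor *= 0.5
    # An unusual hour (paying bills at lunch instead of at home in the evening)
    # is only weak evidence on its own, so it barely moves the score.
    if abs(observed.hour_of_day - baseline.hour_of_day) > 6:
        factor *= 0.9
    return factor


def evaluate(baseline: Context, observed: Context, idle_seconds: float) -> tuple:
    """Return ("allow" | "step_up", score) for a post-login checkpoint."""
    score = decayed_trust(1.0, idle_seconds) * contextual_trust(baseline, observed)
    return ("step_up" if score < STEP_UP_THRESHOLD else "allow", score)


if __name__ == "__main__":
    home = Context(country="RS", device_id="phone-A", hour_of_day=20)
    # The scenario from the post: twenty idle minutes, then activity from abroad.
    print(evaluate(home, Context("DE", "phone-A", 20), idle_seconds=1200))
    # Same device and country, active right away, but at lunchtime: no hassle.
    print(evaluate(home, Context("RS", "phone-A", 13), idle_seconds=0))
```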

You might be thinking, “But, what if I am paying my bills at work during lunch? What if I am on vacation? That just seems like a hassle.”

And you’d be right. It would be a hassle, and that’s where we get to one of the main issues with implementing continuous authentication systems — user security vs. user experience.

I won’t bore you by repeating myself; those of you who regularly read our posts know where we stand when it comes to this issue. We need both security and UX at the same time!

And how do we provide this balance?

One of the first things to come to mind is biometrics, which provides additional security while keeping the user experience easy. Face ID, for example, could scan your glances while you use a certain app and easily re-verify your identity.

However, it’s important to note that while they provide a great user experience, biometrics just fail too often. Whether it’s false rejections or false acceptances, it’s not only your security that is compromised but, ironically, the UX as well.

This doesn’t mean we should move away from biometrics completely; these methods still have quite a lot to offer. Instead of relying solely on them, we could take advantage of the benefits they provide as a part of a larger MFA system.

Continuous authentication goes hand-in-hand with MFA

It’s important to make a distinction between these two buzzwords.

Continuous authentication isn’t here to kill MFA. Instead, we want to use MFA to strengthen the continuous authentication system.

What would this enhanced MFA look like? Let’s break it down.

Ideally, the very first authentication checkpoint could rely on UX-straining methods such as 2FA (but in no way, shape or form the SMS OTP version).

After that first check, compromising UX is no longer an option.

Biometrics could come into the game here. Depending on the risk assessment, users’ faces are scanned to maintain minimum security levels.

Now, whether such measures can be implemented — in terms of both reliability and user privacy — would be up to individual organizations to determine.

And that’s where IPification can step in and help.

It would verify a user’s identity based on contextual factors — namely their location, their phone number, network factors, and device information.

Beyond the initial authentication where a user clicks to request authentication with IPification, the authentication process can happen seamlessly in the background.

It’s important to note that no sensitive user data is transferred. Our proprietary algorithm verifies user data against information the mobile network operator already has, thus eliminating any user privacy issues while still upholding high security standards.

In theory, continuous authentication is just what we need to navigate today’s ever-so-sensitive security landscape. In practice, its implementation is only possible if we make sure the whole process is as frictionless as can be.
