Traditional ways of authentication have remained relatively unchanged for decades and need updating. Verifying a user’s identity is a fundamental part of cybersecurity, and with the fast-paced digital advancements as well as the increase in cybercrime the traditional means of authentication no longer ensure the most effective security and need to evolve to be fit for purpose for now and into the future, to keep us secure, and to provide sufficient security and reassurance at home and at work.
Authentication as we know it
Authentication is a term known and understood by many and a practice that is undertaken by many more, even if their understanding of it is not always clear. People are authenticating in the workplace and at home, even the youngest of children are doing it. We methodically follow the steps to authenticate multiple times a day to login to our wearables, devices, online accounts, applications, and to fulfill numerous daily tasks.
User authentication often relates to a person’s initial interactions with a system. The safeguard, mostly an initial one-time verification, implemented by the classic login screen is not as safe as it may have been decades ago. Things have changed: technologies have quickly advanced, devices have multiplied as well as the number of people utilizing devices in all of their forms to access systems, services and applications have grown exponentially. More importantly, the traditional means of authentication is no longer suitable to ensure effective protection of the ever-growing sensitive data that we process on these devices and systems.
We share devices and accounts with colleagues and family members and ordinarily use interlinked accounts and services. How can we be sure that the user that successfully logs on to a system, remains the validated user throughout the session?
The one-time verification of a user at login is no longer sufficient. We need to move past this. We need to advance from depending solely on the notion of verifying users only at initiation. We need to ensure that after a successful login that the entire time the user is in the session that the user continues to be validated throughout.
Some may believe that two-factor authentication has them covered, but this is not sufficient either. Two-factor authentication does provide an extra layer of security by enabling the user to confirm their identity through many devices, but it is not continuous validation of a user’s identity. Once the user identity is confirmed, and the session is opened no further confirmation is required during that session. Anomalies during the session are not picked up.
Why is this one-time means of authentication a problem? Well, what if you step away from your device or machine or someone else takes over your session, both physically or remotely. There is no way of knowing that the person that initiated the session after successfully authenticating remains the same person throughout and vulnerabilities can go unnoticed unless continuous authentication is taking place for the entirety of the session. What if you share your device with another colleague? We often just assume that nothing malicious will come of it, yet, internal threats are a reality.
Continual user validation is an essential requirement to ensure adequate security and provide the much-needed cybersecurity reassurance. Without a doubt, authentication is a crucial part of cybersecurity, and it should not be a one-off event but rather a constant process.
This is where behavioral biometrics (behavior and physiology that are unique to each individual) have a significant part to play. Modern advancements in technology, hardware, and software, have made continuous authentication, which previously may have been only possible in theory, an achievable reality. Previous attempts to continuously authenticate may have been too disruptive and just annoying for users (password prompts mid-session often used), but now by using other more user-friendly techniques users can be continuously authenticated without even being aware that it is happening.
Using user behavior and physiology to verify continuously
Spotting variances and inconsistencies in behavior and user interaction with a system or by monitoring a user’s physiological characteristics continuously in the session can be used to validate users continually. Any changes can be picked up, and if the user’s identity is in doubt, the user can be kicked off and locked out. Using techniques involving keystrokes, video, fingerprints, touch (finger pressure applied), facial features like eye position, pupil size, how often someone blinks, and so forth are all possible methods that can be used.
Types of user actions that could be used to verify continuously include:
- Authenticating with movement: Sensors that can monitor a user’s unique physical way of moving. This could be a particular way a user walks while holding a phone or specific hand positioning and movements when carrying or using a device.
- Authenticating with facial features: A user is authenticated when they glance at the device. Face ID is used for many authentication purposes (accessing a mobile phone), but this is can also be a discrete way to authenticate users continuously.
- Authenticating with behavior: By looking at a user’s ordinary behavior patterns and tracking behavior continuously, for example, interactive gestures, how a user types or taps, finger pressure, how long a user holds a key on a keyboard, how they swipe or use a mouse — any variances in behavior from the norm can be highlighted.
- Authenticating with voice: A user can be continuously authenticated by monitoring their voice, for example, noting changes in pitch and frequency. The way in which people speak and form their words is unique to them. Out-of-the-ordinary characteristics can be picked up when continuously monitoring voice against a control conversation used as a reference.
With machine learning, using behavioral biometrics for continuous authentication is possible. You can ensure a user is who they claim to be throughout a session (not only at a single moment in time) and without needing the user to do anything or take any action to prove it. (Although there is some pushback against the use of biometrics.)
By monitoring how a person behaves or a person’s physiology to authenticate continuously makes it easier to stop imposters, bots and fraudsters with criminal intent — right in their tracks. Security is definitely improved, and user experience is not impacted.
Cybersecurity and continuous authentication
User authentication is a primary component of a good cybersecurity strategy. Organizations need to verify a user’s identity when accessing a system, application or network. To ensure security is continuously upheld though, traditional authentication processes are no longer enough to effectively achieve this. The majority of threats to security happen during an authenticated session.
Users verify their identity at the start, but after this one-off verification, the systems in use are vulnerable while the session remains open. The vulnerability can be introduced in many ways: by the obvious — a user getting up from his computer and moving away which could result in someone else taking over. Or the not so obvious — a malware infection could be introduced resulting in a system or account take over. Also, many people tend to not log out of authenticated systems and applications when done, and instead just close a browser or click the home button on a mobile device. This often results in sessions remaining open and authenticated by the user for extended periods —this could sometimes be for days or even weeks.
Some apps allow for this extended period of authentication whereas others log out automatically after a period of idleness. So, the reliability and integrity of an online session are not assured throughout and although security assurance is relatively high, to begin with (at login), many events can take place after the fact that may result in security deteriorating during the session time.
Without continuous authentication, organizations are more vulnerable to many attack vectors and cybersecurity threats. Open sessions are vulnerable to take over when someone stops using them, and credential stuffing and phishing are all possible threats.
Cybersecurity threats including malware, remote access, bots, and Trojans are easier to pick up if continuous authentication is used. By using behavior and physiological characteristics variances and suspicious behavior patterns can be identified and cyberthreats and account takeovers averted in real-time.
Continuous authentication can provide the increased levels of security that many organizations require to improve their cybersecurity posture and this can be achieved in the background without impacting the way in which users work.
Authentication is changing and it should
Today’s advanced systems, applications, and devices and the highly connected environments in which we work and live require improved authentication to secure them and the sensitive data processed.
Traditionally, continuous authentication was more hassle than it was worth to users and the impractically of authenticating while in session by entering a pin or a password to prove your identity was inconvenient and just annoying. But with the advancements in hardware and software, numerous methods can be employed to continuously prove users’ identities without them having to action anything. It can happen in the background and seamlessly.
Although this means the hindrance of continuous authentication is put to rest, new challenges of user acceptance may come to light. Perhaps this level of authentication may be a step too far for some. Many may disapprove of the seemingly invasive means of authentication. People may not be entirely on board with the concept of being passively tracked, monitored, and watched as they go about their business. Moreover, privacy implications may be apparent too, and compliance issues may arise. Getting the correct balance (as with many other security situations) is key to its acceptance and success.
Nonetheless, utilizing behavioral and biometric capabilities in this way (for continuous authentication) seems like the way forward. As the alternative, to not continuously verify that a user is indeed the same user throughout, the same user who authenticated at the start, leaves no sure way of knowing who or what is accessing and using a system, device, application or network at any moment in time.
For effective cybersecurity and a more reliable and secure identity and access management strategy, continuous authentication is vital. Authentication can’t be a one-and-done event but should be a real-time fluid process.
Featured image: Shutterstock
