User authentication is one of the basic components of any cyber security program. Identifying an individual based on a username, password or other means helps companies ensure that the person is who he or she claims to be when accessing a system, application or network.
But in some cases traditional authentication processes are not enough to provide strong security throughout a user work session. That’s where continuous authentication comes in. The concept is still relatively new, and experts say few products yet exist in the market. But it’s gaining more attention as companies look for ways to prevent unauthorized access to their critical business data.
“Continuous authentication is form of dynamic, risk-based authentication, [which] changes the perspective of authentication from an event to a process,” says Frank Dickson, a research director within IDC's Security Products research practice.
“Dynamic, risk-based authentication examines attributes that change and continually looks to validate the authentication,” Dickson says. Currently, most of the uses cases for this type of authentication are based on analyzing the manner in which a person interacts with a device such as a smartphone or notebook, he says.
A shift to continuous authentication is inevitable, but it’s really in the early days of development, says Mark Diodati, research vice president at Gartner.
“The technology is compelling because it solves a lot of security and usability issues,” Diodati says. “Typical authentication today might be a password at the front door to authenticate someone, but over time the security of the session decays.”
Whereas confidence of authentication is quite high at the beginning of the process, a variety of events can take place that weaken security, Diodati says. For example, a user might walk away from his desktop computer briefly and someone else takes over the session, or malware infecting the system can take over as well.
“The longer the duration of the session the more likely there is to be decay in authentication,” Diodati says.
Continuous authentication takes place not just at the start of a session but the entire time a user is accessing a network or using an application. The technology “works behind the scenes, looking at how users behave: the way they type on the keyboard, how quickly they move between the keys, how long they hold a key, how they swipe on mobile devices, how they move a mouse,” Diodati says. “All of this contains information about the user.”
The analysis of the information provides an extremely high likelihood that a particular user is the person he claims to be. That’s because everyone acts in unique ways when working at a keyboard or other access device. In fact, one of the key components of continuous authentication is user behavior analytics, which helps determine the true identity of a given individual.
In a report released in October 2016 on worldwide security spending through 2020 by International Data Corp. (IDC), the research firm notes that user behavior analytics software will be one of the fastest growing segments of the security products market. IDC forecasts a compound annual growth rate of 12 percent for these products.
The number of vendors providing continuous authentication today is small, but they say they are seeing growing demand for their products.
One such company, BehavioSec, offers a product that analyzes activity from login to logout, looking at behaviors such as keystroke dynamics, touch and mouse motion, and compares it with previous interactions from the same user.
Among its customers are early-adopter banks in Europe that have deployed BehavioSec as part of their security platforms, and the company has received interest about its technology from some of the largest banks in the world.
Another vendor, BioCatch, offers a platform that continuously authenticates users during their online sessions, protecting against cyber threats and fraudulent activity such as social engineering, account takeover, remote access trojans and other malware.
The company is currently monitoring more than 2 billion sessions a month to provide real-time fraud prevention, according to a spokesperson. The product is being used by a number of banks and other financial services firms.
And Entrust Datacard, a provider of trusted identity and secure transaction technologies, is preparing to offer continuous authentication by expanding its adaptive authentication capabilities and launching partnerships with other companies, according to a spokesperson.
For example, in February 2017 Entrust announced it had entered into a partnership with Iovation, a provider of device-based authentication and fraud prevention solutions. The partnership combines Entrust Datacard’s adaptive authentication product with Iovation’s device- and risk-based authentication services, which tap into a knowledge base of more than 3.5 billion devices.
One of the benefits of the technology from a users’ standpoint is that it does not require people to do anything special to authenticate themselves during a session. The technology does the authenticating automatically while the user works.
“If you wanted to you could, in theory, set up a session that never even asks for a password,” Diodati says. “With traditional authentication it’s hard to do this.”
In addition, continuous authentication has the potential to provide extremely high levels of security for organizations that is also not feasible with current access systems.
That’s not to say the development and deployment of continuous authentication tools will come without challenges. One of these might involve user acceptance, or lack thereof. Even though it works behind the scenes, the technology can be invasive. Not everyone might appreciate the idea of being constantly under some sort of surveillance while working from a desktop or mobile device, Diodati says.
Because it works behind the scenes, “the technology is very invasive to the application,” Diodati says. Building applications that require constant evaluation of user actions is hard work for developers, much more complex than building front-door log-ins and password access. For that reason, it might be a while before a large number of offerings are available for purchase.
Then there is the issue of fine tuning the continuous authentication systems. There might be instances of false acceptance, when users who are not authorized to access a system are able to fool the biometric access tool to get in. On the other hand, there can also be false rejections, where legitimate users are denied access because of an incorrect reading.
“Those things need to be pushed down to very low percentages,” Diodati says. “A lot of maturity needs to occur to drive down those types of errors.”
Some of the earliest deployments of continuous authentication to date have been in the European banking industry, where regulations for user authentication are particularly stringent, Diodati says. Some of those implementations are in the pilot phase.
Continuous authentication will not likely become a mainstream security technology until some time in 2018, Diodati says. He expects to see initial adoption in industries requiring a high level of security and that frequently require user work sessions of long duration. These include financial services, aerospace, government, healthcare, high technology and manufacturing.
“We’ve been talking about this for a very long time but didn’t have the big data/analytics capabilities and the mobile platform architectures until recently,” Diodati says. “It has been just a concept until now, and we’re starting to see the technology that can make it work.”