Interview: “Continuous Authentication Stands At The Root Of Zero Trust”

It goes without saying that in today’s threat landscape, making sure the right people are accessing your critical systems and sensitive data is one of your security teams’ most vital jobs. But with the prevalence of phishing, employee impersonation, fraud, and other malicious attacks, it can be all too easy for a bad actor to enter your system and go unnoticed until it’s too late. 

Continuous authentication is a growing concept that’s based on the idea that organizations should constantly authenticate user identities throughout a user’s entire engagement with a service, network, or system—rather than just once on login. It’s also a pretty fundamental step in facilitating a Zero Trust environment, which is based on this same principle of continuously authenticating user identity. 

But how can organizations implement continuous authentication without creating a frustrating and tedious user experience? Biometric authentication company TypingDNA has come up with an answer. 

TypingDNA was jointly founded in 2016 by current CMO Cristian Tamas and CEO Raul Popa. Together, they created an innovative behavioral biometrics solution that works by authenticating users conveniently and securely based on the way that they type. 

Starting out with its two-factor authentication solution Verify 2FA, which enables users to use their typing biometrics as their second factor of authentication, TypingDNA launched its new continuous authentication solution ActiveLock in January of this year. 

We spoke with Tamas to find out more about how ActiveLock works, the key challenges that the product is helping to solve, and how it can provide a more secure and frictionless user experience than more traditional methods of identity authentication. 

What led you to co-founding TypingDNA?

We started this company about six years ago. My co-founder had studied graphology, which is the idea that you can identify and profile a person based on the way that they write or paint. TypingDNA was born from this idea. If users can be identified in the analog world based on their handwriting, then it would be cool to have this ability to recognize someone in the digital world based on their typing. 

This company actually was not born out of working in the security industry—it was born out of our passion for this typing-based technology. But we fell in love with the idea of having this used as a security tool.

What are the key challenges that TypingDNA is helping its users to solve?

We should note that TypingDNA only authenticates users, it doesn’t identify them. For example, our technology doesn’t identify you from a list of, let’s say, ten thousand people—that’s very difficult to do based on typing. What we do is authenticate. We know it’s you who’s supposed to be using your device or logging into a certain website and we check that the person is using it.

Right now, we’re focusing on addressing the remote workforce. A lot of companies have to adhere to compliance requirements—like how you protect your data or how you protect physical access to your device. So, they will secure the physical office environment with key cards and so on. But with people working from home, organizations have had to re-think how they can stay compliant and make sure only authorized employees are accessing company computers. 

Then, you also have to protect your customers’ sensitive data, because now employees can access this from the comfort of their homes. And this is where we thought, “okay, once a user has logged into their laptop or whatever they work from, how does a company make sure that it’s not someone else using that device and has access to all that sensitive data?”

This is why we’ve developed a new continuous authentication product called ActiveLock. It’s a product to help employees make sure it’s the right person accessing the device—and it’s verifying continuously.

How it works is, you have this app on your device that constantly checks whether it’s really you who’s using the device based on the way that you type on your keyboard. If someone else uses your computer, it will recognize that and lock the computer. This can help organizations avoid potential data leaks, misclicks on different links, and so forth. 

We also have a product for two-factor authentication called Verify 2FA, which uses the same typing-based technology to authenticate users in many different scenarios where two-factor authentication is needed. For this product, users can authenticate their identities simply by typing four words instead of waiting for one-time passcodes or downloading an authenticator app. 

How easy is the product for users to sign up for and to use? Does it provide a better user experience than more traditional modes of authentication? 

Setting up ActiveLock is very similar to how you might set up your biometrics on your phone—first, you have this enrollment phase, where you have to place your thumb on the sensor at many different angles or turn your head up and down for the Facial ID. 

It’s the same process with setting up typing biometrics—except during our enrollment phase it runs automatically in the background while you’re doing your work. When it has enough samples of your typing behavior, it will automatically switch from the enrollment phase to protecting your device. You don’t have to do anything extra—just use your device as you normally would. 

Businesses then have the option to decide how tolerant or how secure the solution is. The more secure it is, the more sensitive it will be. But the way that we build the algorithm means that it continuously learns your behaviors and typing habits, too. So, over time it grows more familiar with your behavior and becomes more accurate. 

How do you ensure user privacy? 

Users love our technology because it’s non-invasive. We don’t look at or store what people are typing. The solution doesn’t know what you type, only how you type—your typing speed, keystrokes, and a number of other things. 

And the product also isn’t communicating with your internet or storing anything on the cloud, either. Everything stays on your machine. 

What happens when a user’s typing ability is impaired (by an injury or other) and they can’t type as they normally would? Are there any fail-safes to enable them to access their accounts?

It depends on the product they’re using. 

For the continuous authentication product ActiveLock, a company IT administrator can choose to temporarily deactivate the product. 

For the two-factor authentication product Verify 2FA, if you can’t authenticate by typing the four words, then we fall back on SMS or email OTPs. 

What’s your advice for organizations considering implementing a continuous authentication product?

What’s on most companies’ and security leaders’ minds right now is zero trust—the idea that you should continuously verify anyone accessing your network as opposed to the static verification that we are used to. 

Continuous authentication constantly verifies and re-verifies that it’s the right employee using that device. So, continuous authentication stands at the root of zero trust. 

Thanks to Cristian Tamas for participating in this interview. You can learn more about TypingDNA and the ActiveLock solution via the TypingDNA website.

Expert Insights provides leading research, reviews, and interviews to help organizations make the right IT purchasing decisions.