Traditionally, users log in to their account at the start of a session. Over time, the level of security surrounding this authentication decision has increased: we have moved on from a username and password combination to multi-factor authentication (MFA) and the widespread use of biometric factors like Face ID and fingerprints. Today, it is harder than ever for an attacker to log in to an account that isn't theirs.
However, users are still generally only required to verify their identity once; this is known as "periodic authentication". Some accounts stay logged in until you manually log out; others ask you to log in again periodically, or when your computer sleeps. Either way, there is a single moment at which a user has to log in and, once past this gateway, they are granted unfettered access to the account. This means that if an attacker does manage to bypass the authentication controls, or takes over a session that has already been authenticated, they can browse their victim's account freely for as long as the session stays signed in.
Now, cybersecurity companies are tackling this risk with continuous authentication. Rather than just asking a user to log in at the start of a session, continuous authentication solutions monitor user behavior during a session, to ensure that the right user is the only one using the account.
In this guide, we’ll explore what continuous authentication is and how it works, to help you decide whether your business needs continuous authentication.
What Is Continuous Authentication?
Continuous authentication is a passive security solution. By this, we mean that it is not actively pushing notifications or sign-in windows – continuous authentication is always at work, behind the scenes.
In order to verify that the correct user is accessing the account, continuous authentication will analyze a user’s activity, and build a baseline picture of normal behavior. If any behavior that does not fit with this picture is detected, the continuous authentication solution can flag this and, where necessary, perform a remediation action.
Continuous authenticators assess data such as browser metadata, the time and location of use, and passive liveness detection (a check that any biometric presented comes from a live person and is not a recording or replica of a valid identifier). When analyzed together, these features produce a score that expresses how probable it is that the current user is the account owner. Continuous authentication solutions will analyze and interpret:
- IP address
- Known device
- Expected time and location
- Operating system
- Expected action (is a user acting in the way they usually do?)
- Sensitivity of access requested
- Typing patterns and behavior
We spoke to Cristian Tamas from TypingDNA to discuss how typing can be analyzed to enforce continuous authentication. You can read that interview here:
“Continuous Authentication Stands At The Root Of Zero Trust”
What Happens If A Fraudulent User Attempts To Gain Access?
Continuous authentication calculates a score based on how likely it is that the current user is the usual account owner. You can think of this score as the percentage of similarity between the current session and the expected account owner. Depending on this score, different actions will be permitted, such as access to different areas of the network.
For example, web browsing may be allowed as it is considered benign, even if done by an imposter. The continuous authentication solution may, however, require an improved authenticity score before a user is able to download any file from the internet. This is because the act of downloading a file has the potential to damage a network through the introduction of malware. The continuous authentication solution, therefore, will only allow this “risky” activity if it is sure the user is genuine.
Implicit in this system is a degree of tolerance. Depending on how sensitive the area of the network is and what action the user is attempting, a different score is needed: each resource or action has its own threshold. A solution might need to be 85% certain that the user is authentic before granting access to a given section of the network, for example.
If, however, the score is not high enough (i.e., there is not enough compelling evidence that the current user is the account owner), continuous authentication solutions offer several remediation options. Admins can configure these to ensure the solution is a good fit for your organization. They include:
Automatic Lockouts
When fraudulent activity is detected, the device can be locked automatically. The device can then require an MFA-backed login to restore access, or a system administrator may have to unlock the account before the user can log in again.
Activity Logging
Alternatively, when illegitimate usage is detected, the actions taken and areas accessed can be logged rather than locking the user out. This provides useful intelligence on what malicious actors are targeting and informs how security controls can be tailored to counter those attacks. In this instance the user can still be locked out, but it is not an automatic process.
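To make the scoring and remediation described above concrete, here is an added example (my own illustration, not code from the page or from any vendor) that builds a per-user baseline from the kinds of signals listed earlier, scores a live session against it, applies a per-action threshold, and returns the admin-configured remediation. The Baseline and Session fields, the feature weights, the thresholds and the sample keystroke timings are all hypothetical; real products combine far more signals and learn the baseline statistically.

```python
"""Toy continuous-authentication scorer and remediation policy.

Added example, not a vendor's code. Everything here is hypothetical: the
Baseline/Session fields, the feature weights, and the per-action thresholds
are illustrative choices, not values taken from any product.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev


@dataclass
class Baseline:
    """What 'normal' looks like for one user, learned from past sessions."""
    networks: list   # CIDRs the user normally connects from
    devices: set     # known device identifiers
    active_hours: range
    os_names: set
    dwell_ms: list   # per-key hold times seen at enrollment
    flight_ms: list  # gaps between consecutive keys seen at enrollment


@dataclass
class Session:
    """Signals observed during the live session being scored."""
    ip: str
    device: str
    hour: int
    os: str
    dwell_ms: list
    flight_ms: list


# Hypothetical weights; they sum to 100 so the score reads as a percentage.
WEIGHTS = {"ip": 20, "device": 25, "time": 10, "os": 10, "typing": 35}

# Hypothetical per-action thresholds: benign browsing needs no certainty,
# riskier actions need more (the 85 figure mirrors the text's example).
THRESHOLDS = {"browse": 0, "download": 70, "payment": 85}


def typing_similarity(sample, reference):
    """1.0 when the sample mean sits on the reference mean, 0 at 3 sigma away."""
    if len(sample) < 5 or len(reference) < 5:
        return 0.5  # too few keystrokes to judge: neutral, not a free pass
    mu, sigma = mean(reference), pstdev(reference) or 1.0
    z = abs(mean(sample) - mu) / sigma
    return max(0.0, 1.0 - z / 3.0)


def score_session(base, sess):
    """Return a 0..100 similarity score between the session and the owner's baseline."""
    checks = {
        "ip": any(ip_address(sess.ip) in ip_network(n) for n in base.networks),
        "device": sess.device in base.devices,
        "time": sess.hour in base.active_hours,
        "os": sess.os in base.os_names,
    }
    total = sum(WEIGHTS[k] for k, ok in checks.items() if ok)
    typing = (typing_similarity(sess.dwell_ms, base.dwell_ms)
              + typing_similarity(sess.flight_ms, base.flight_ms)) / 2
    return round(total + WEIGHTS["typing"] * typing)


def decide(score, action, remediation="lockout"):
    """Apply the action's threshold and the admin-configured remediation mode.

    'lockout' locks the device (an MFA-backed login would restore access);
    'logging' lets the action proceed but records it for later review.
    """
    if score >= THRESHOLDS[action]:
        return "allow"
    return "lock" if remediation == "lockout" else "log"


# Constructed sample data, not captured from a real user.
BASELINE = Baseline(
    networks=["203.0.113.0/24"], devices={"laptop-01"}, active_hours=range(8, 19),
    os_names={"Windows"},
    dwell_ms=[95, 102, 98, 105, 100, 97, 103, 99],
    flight_ms=[140, 150, 145, 155, 160, 148, 152, 150],
)
OWNER = Session("203.0.113.45", "laptop-01", 10, "Windows",
                dwell_ms=[100, 98, 103, 101, 99], flight_ms=[150, 148, 152, 151, 149])
# Same trusted device and network, but at 3 a.m. with a different typing rhythm:
# the session looks hijacked even though every static signal matches.
HIJACKED = Session("203.0.113.45", "laptop-01", 3, "Windows",
                   dwell_ms=[60, 65, 62, 58, 63], flight_ms=[90, 95, 92, 88, 94])

if __name__ == "__main__":
    for name, sess in (("owner", OWNER), ("hijacked", HIJACKED)):
        s = score_session(BASELINE, sess)
        print(name, s, {a: decide(s, a) for a in THRESHOLDS})
```

The hijacked session is the case continuous authentication exists for: device, network and OS all match the owner, so a login-time check would have passed, yet the typing rhythm and the hour pull the score down to 55, which is enough for browsing but not for a download or a payment. Note that too few keystrokes yields a neutral 0.5 rather than a pass, so an attacker cannot improve their score by typing nothing.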
Who Should Use Continuous Authentication?
Continuous authentication is an important tool for organizations that require a high level of security because they handle particularly sensitive information. The solution is relatively frictionless to deploy, and many end users will be unaware of it working in the background. Fraudulent users, however, will quickly be alerted to its presence.
For many sectors, the level of security provided by continuous authentication is not necessary. Its presence will, of course, strengthen your security posture, but periodic authentication, when configured correctly, provides sufficient coverage for most organizations. Continuous authentication is therefore best suited to sectors that demand a high level of security, where any information accessed is of significant value, be it intellectual or financial.
Regulated Industries
Banking organizations, for example, will want to ensure that only the correct user is able to make payments and view an individual's financial affairs. If a bank account is fraudulently accessed, it can be very difficult to recover payments made to the accounts of malicious actors.
Beyond the banking sector, industries like tech, particularly sensitive R&D, or manufacturing organizations might choose to implement continuous authentication. Governmental departments may also choose it as a means of controlling access and securing data.
In sectors with significant regulatory data protection requirements, continuous authentication can help ensure that only legitimate users reach specific areas. For example, you can ensure that only accounting staff have access to an organization's accounts, while preventing them from accessing customers' personally identifiable information (PII).
Enforcing continuous authentication also signals clearly to key stakeholders how seriously you treat unauthorized access, and an effective implementation reduces the risk of regulatory penalties in the future.
Privileged Access
Organizations in regulated industries that must prove the security of their privileged accounts may also benefit from continuous authentication. Privileged accounts provide administrative levels of access to critical or sensitive data, so it is imperative that they be properly secured.
Sensitive Data Handling
This is an extension of privileged access, this time focused on the privilege to modify and edit documents. In sectors where documents could have significant financial, legal, or political impact, continuous authentication is imperative. Be it a law firm or a governmental department, if sensitive documents were accessed or modified by fraudulent users there could be significant fallout. By enforcing continuous authentication, you can specify which users have access and which are authorized to modify documents.
Summary
If traditional, periodic authentication is binary (a user is either authenticated or not), continuous authentication adds a level of sophistication by assessing a user over time to ensure their behavior remains indicative of the account owner.
Unlike tightening login security (more stringent MFA, for example), a well-tuned continuous authentication solution has little impact on a legitimate user's work process. Because the checks run in the background, a user will not notice them unless their behavior drifts far enough from the baseline to trigger a re-authentication prompt or a lockout, so the baseline and thresholds need tuning to keep false positives low.
This keeps continuous authentication largely frictionless, so it can be adopted across your organization with little pushback from employees and no need for specialist training.