By Ryan Zlockie
Authenticating a user’s identity is one of the basic cornerstones of cybersecurity. However, it is still one of the areas most often compromised in successful breaches. One leading cause is that passwords are still mainstream and are easily stolen, guessed, socially engineered, or obtained in a variety of other ways.
Also, traditional authentication is performed only at the time of log-on, which is just one point of protection; given the sophistication of today’s attacks, a broader view is needed. It is just as important to know who is in control ten minutes into a session as it is when the initial log-on request was made. A 2016 study by Bankrate.com found that 41 million Americans have had their identity stolen. The sheer number of breached credentials available to attackers means it has become far too easy for bad actors to bypass traditional security measures and access accounts with stolen identities.
To respond to this problem, many organizations are starting to move toward multi-factor authentication, which is a huge step forward from the username-and-password approach. While traditional multi-factor authentication is more secure than passwords alone, it can be more frustrating for the user if the authentication factors are too onerous. Additionally, it still does not protect against attacks in which a bad actor takes over the session while the user is logged in.
To address this gap, the security industry is building out a new type of authentication that uses additional types of data, such as a user’s behavior, transaction patterns, and the security state of the device, to provide stronger security at the time of access and continuously throughout an entire session. Continuous authentication analyzes multiple factors, such as device data and behavioral and usage patterns, in real time to either positively identify a user or signal a breach in security. This technology is still being fully developed, but some of the factors continuous authentication measures include behavioral patterns, session patterns, and biometrics.
Behavioral patterns such as a user’s typing cadence, touch pressure, and other identifiable characteristics provide data for continuous authentication and can help determine whether a user is a trusted identity.
Anomalies in the time a user spends on a transaction, deviations in the types of transactions, and the type of data accessed or edited during a session can help determine whether an account is being compromised. For example, if a user completes many actions in a session in a humanly impossible, very short time, it may indicate that a bot was copying and pasting rather than a user typing.
This area is expanding as more types of biometrics are supported by the major mobile OS providers and other vendors take advantage of the rich data provided by sensors on devices. The biometrics now commonly include face, iris, voice, and fingerprint. The ability to use multiple biometrics, especially passive ones such as face recognition, can provide continuous monitoring of who is in control during a user session.
Continuously analyzing a larger amount of data to manage the risk level of each user session significantly reduces the possibility of fraud and increases user protection. For continuous authentication to work effectively, there also needs to be a constant dialogue between an application and its authentication platform. However, there are currently no standards for this type of communication specifically for continuous authentication.
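To make the session-risk idea concrete, here is an added illustration (not code from the article or from Entrust Datacard) that scores one window of a session from two of the signals described above: deviation of typing cadence from a user’s enrolled profile, and an action rate too fast to be a human typing. The baseline intervals and thresholds are constructed assumptions; a real platform would learn the profile per user and tune the thresholds per application.

```python
"""Session risk scoring from typing cadence and action rate (constructed example)."""
import statistics

# Constructed baseline: inter-keystroke intervals (ms) captured during the
# user's earlier, trusted sessions.
ENROLLED_INTERVALS_MS = [180, 210, 195, 170, 220, 205, 190, 185, 200, 215]

# Assumed thresholds (not from the article).
CADENCE_OUTLIER_RATIO = 0.5       # share of keystroke gaps outside the user's band
MAX_HUMAN_ACTIONS_PER_SEC = 2.0   # faster sustained input is treated as automated


def cadence_outlier_ratio(baseline_ms, observed_ms, k=2.0):
    """Fraction of observed keystroke gaps more than k stdevs from the user's mean."""
    if not observed_ms:
        return 0.0
    mean = statistics.mean(baseline_ms)
    stdev = statistics.pstdev(baseline_ms) or 1.0   # avoid a zero-width band
    outliers = [g for g in observed_ms if abs(g - mean) > k * stdev]
    return len(outliers) / len(observed_ms)


def actions_per_second(action_count, session_seconds):
    """Sustained action rate; a zero-length window with actions is treated as impossible."""
    if session_seconds <= 0:
        return float("inf") if action_count else 0.0
    return action_count / session_seconds


def session_risk(baseline_ms, observed_ms, action_count, session_seconds):
    """Return (decision, reasons) for the current window of a live session.

    'trusted' keeps the session, 'step_up' asks for another factor,
    'block' ends the session because two independent signals disagree with the user.
    """
    reasons = []
    if cadence_outlier_ratio(baseline_ms, observed_ms) > CADENCE_OUTLIER_RATIO:
        reasons.append("typing cadence deviates from enrolled profile")
    if actions_per_second(action_count, session_seconds) > MAX_HUMAN_ACTIONS_PER_SEC:
        reasons.append("action rate not plausible for a human typing")
    if len(reasons) >= 2:
        return "block", reasons
    if reasons:
        return "step_up", reasons
    return "trusted", reasons
```

Each call evaluates one window, so an application would invoke it repeatedly during the session rather than only at log-on.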
The benefits of continuous authentication are far reaching and there’s certainly no shortage of data to inform this new technology. Continuous authentication offers the industry the opportunity to share security information that identifies the root cause of threats and adds context to the data. The security industry is collecting unbelievable amounts of data right now and if it is kept in silos, we’re missing an opportunity to make better decisions about the right person, accessing the right data, at the right time and location.
Organizations are increasingly interested in continuous authentication, and the security industry is funneling resources into answering the concerns and overarching questions that stand in the way of wide implementation of this technology. As continuous authentication becomes more mainstream, we’ll see it used by banks to protect consumers’ financial information, by enterprises to protect access to company data, and by mobile apps to secure transactions and protect users’ personal data. Enabled by richer data, it’s the behind-the-scenes watchdog protecting consumers and companies alike.
Ryan Zlockie is the global vice president of authentication at Entrust Datacard. He leads the company’s global software product efforts, as well as the authentication business segment. He has more than 17 years of experience in security technology for global, midsize, and startup companies.