Laying the groundwork for continuous authentication

Continuous authentication is an emerging concept—a future ‘nirvana’ state of security that would validate a user’s identity in real time as they move between systems, applications, and devices. In theory, continuous authentication solutions would use risk signals from a variety of monitoring sources to authenticate users, identify potential threats, and proactively restrict the capabilities of any credentials flagged as compromised. However, continuous user authentication remains only a concept today, not yet an established standard.

Traditional authentication methods currently used across the industry are static, requiring a user to actively participate in providing authentication factors (e.g. password or PIN, one-time passcode, biometrics) only at the start of the authentication workflow. Conceptually, continuous authentication replaces or augments that active participation with machine-learning-backed risk monitoring sources, including geolocation, changes in biometrics, and even behavioral monitoring such as keystroke or mouse patterns, context, and other activity patterns.

The drive for continuous authentication

The impetus behind continuous authentication is clear: cyberattacks continue to rise in number and sophistication, and user credentials are at the root of 61% of data breaches. Attempts to increase security with legacy second factors, such as SMS-based OTP, have only led to user frustration and insecure workarounds, with 43% of organizations citing user experience as the top obstacle to using multi-factor authentication (MFA). The shift to hybrid and remote work has only intensified the weaknesses in how identity and access are managed today.

Identity and access management (IAM) and privileged access management (PAM) solutions have attempted to streamline access control to enterprise applications, often with single sign-on (SSO), assigning individual tokens for each application the user has access to. While some IAM and PAM solutions may apply risk analytics to prompt for step-up authentication, this does not capture the true essence of continuous authentication. Further, these solutions are often limited by their own walls: they cannot monitor, connect to, or interact with applications that have not been specifically configured, which diminishes their capacity to manage identity and access with the level of automation or intelligence needed to detect a threat or anomaly.

The concept of continuous authentication has been around for quite some time: researchers as far back as 2004 studied methods such as measuring temperature, eye movement, and click pressure, and found they could continuously authenticate identity with above 80% accuracy. Today, some point solutions apply intelligence to contextual or behavioral data, and these can be combined with processes and authentication frameworks to dynamically apply access controls. However, for any approach to managing identity or access, if the underlying trust model still includes legacy authentication methods such as usernames and passwords, or even mobile-based authenticators, the identity baseline—the proof that you are who you say you are—is inherently flawed.

The reality is that critical steps need to be taken before we are able to realize the idea of continuous authentication.

The building blocks for continuous authentication

Modern, strong authentication is one of the building blocks necessary for both continuous authentication and Zero Trust. The Zero Trust framework of “never trust, always verify” requires that organizations trust no user, packet, interface, or device unless it has been properly verified before being given access to the network or data. This trust could be established passively with risk signals, as in continuous authentication—but it should be backed with strong authentication first.

With that said, it’s important to note that not all forms of MFA are created equal. While any form of MFA is better than no MFA, username and password or mobile-based authentication such as SMS one-time passcode (OTP), push notifications, and authenticator apps are all vulnerable to phishing, targeted attacks, and account takeovers. Each of these authenticators relies on ‘shared secrets’ that can be breached by malware, man-in-the-middle (MiTM) attacks, SIM swapping, and other forms of malicious activity.

Yubico envisions continuous authentication as a future, more evolved state of a Zero Trust strategy, where an individual is prompted to verify they are who they say they are, with strong authentication that is backed by modern standards such as FIDO2. Users would be prompted to verify identity at more frequent intervals as intelligent systems learn an individual’s patterns; over time, the number of authentication prompts would decrease for routine activities, with step-up authentication still being required for privileged access during moments of irregular or potentially higher-risk activities.
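To make the model above concrete, here is an added illustration, not Yubico's code or any product's API: a small risk evaluator that scores passive signals (device, geolocation, keystroke anomaly, impossible travel), allows routine activity without a prompt, steps up to a phishing-resistant FIDO2 assertion when risk crosses a threshold or a privileged action is requested, and blocks when risk is extreme. The signal names, weights and thresholds are assumptions chosen for the example; the threshold rises as the user's baseline matures, which is how the number of prompts decreases over time. A missing signal is treated as partial risk rather than as "all clear".

```python
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Optional

# Possible outcomes of evaluating a session at a given moment.
ALLOW = "allow"      # routine activity: session continues with no prompt
STEP_UP = "step_up"  # prompt for a fresh phishing-resistant (FIDO2) assertion
BLOCK = "block"      # risk too high to rescue with a prompt: end the session


@dataclass
class Baseline:
    """What the system has learned about one user so far (constructed model, not a product API)."""
    known_devices: set[str] = field(default_factory=set)
    usual_countries: set[str] = field(default_factory=set)
    observations: int = 0   # number of verified sessions the baseline is built from


@dataclass
class Signals:
    """Passive risk signals for the current moment. None means the signal is unavailable."""
    device_id: Optional[str] = None
    country: Optional[str] = None
    typing_anomaly: Optional[float] = None    # 0.0 matches keystroke baseline, 1.0 nothing like it
    impossible_travel: bool = False           # location changed faster than a person can travel
    privileged_action: bool = False           # e.g. admin console, payment approval


# Assumed weights: how much each anomalous signal adds to a 0..1 risk score.
WEIGHTS = {"device": 0.45, "country": 0.25, "typing": 0.30, "travel": 0.60}
UNKNOWN_PENALTY = 0.5   # a missing signal counts as half its weight, never as "all clear"
BLOCK_AT = 0.9


def risk_score(s: Signals, b: Baseline) -> float:
    """Combine the passive signals into a single risk value, capped at 1.0."""
    risk = 0.0
    if s.device_id is None:
        risk += WEIGHTS["device"] * UNKNOWN_PENALTY
    elif s.device_id not in b.known_devices:
        risk += WEIGHTS["device"]
    if s.country is None:
        risk += WEIGHTS["country"] * UNKNOWN_PENALTY
    elif s.country not in b.usual_countries:
        risk += WEIGHTS["country"]
    if s.typing_anomaly is None:
        risk += WEIGHTS["typing"] * UNKNOWN_PENALTY
    else:
        risk += WEIGHTS["typing"] * max(0.0, min(1.0, s.typing_anomaly))
    if s.impossible_travel:
        risk += WEIGHTS["travel"]
    return min(risk, 1.0)


def step_up_threshold(b: Baseline) -> float:
    """Tolerance for passive risk grows as the baseline matures, so prompts become rarer over time."""
    maturity = min(b.observations, 30) / 30      # 0.0 for a brand-new user, 1.0 after 30 sessions
    return 0.15 + 0.25 * maturity                # 0.15 .. 0.40


def decide(s: Signals, b: Baseline) -> tuple[str, float]:
    """Return (decision, risk). Privileged actions always step up, whatever the passive score."""
    risk = risk_score(s, b)
    if risk >= BLOCK_AT:
        return BLOCK, risk
    if s.privileged_action or risk >= step_up_threshold(b):
        return STEP_UP, risk
    return ALLOW, risk


def learn(b: Baseline, s: Signals) -> None:
    """Grow the baseline only after a session whose identity was confirmed (e.g. a passed step-up)."""
    if s.device_id is not None:
        b.known_devices.add(s.device_id)
    if s.country is not None:
        b.usual_countries.add(s.country)
    b.observations += 1


if __name__ == "__main__":
    user = Baseline()
    first = Signals(device_id="laptop-1", country="SE", typing_anomaly=None)
    print(decide(first, user))      # brand-new user, nothing known yet: step_up
    learn(user, first)              # step-up passed: remember the device and country
    routine = Signals(device_id="laptop-1", country="SE", typing_anomaly=0.1)
    print(decide(routine, user))    # same device and country, normal typing: allow
```

The important design choice is that `learn` only runs after identity has been confirmed, so a compromised session cannot teach the baseline that the attacker's device is normal; the step-up itself still rests on a phishing-resistant authenticator rather than on the passive signals.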

To prepare, at minimum, organizations should establish a baseline of phishing-resistant two-factor authentication (2FA) or MFA with hardware-based authentication such as the YubiKey, which relies on a simple touch or biometrics for user verification. Only once organizations have transitioned to user-friendly, passwordless, strong authentication can Zero Trust and continuous authentication frameworks be built.

There is currently no single solution that can apply continuous authentication to all systems and applications. However, organizations today can take action to improve authentication and apply continuous authentication concepts to mission-critical applications that typically offer access to highly sensitive and confidential data. 

By future-proofing your authentication framework with Zero Trust principles and phishing-resistant authentication protocols such as FIDO U2F and FIDO2, you can lay the groundwork for a more modern and responsive security strategy in the future. 
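What makes FIDO2 phishing-resistant, where OTP and push are not, is that the credential is bound to the site: the browser records the origin it is talking to in clientDataJSON, the authenticator records a hash of the relying-party ID in the authenticator data, and the signature covers both. The following is an added example, not Yubico's code or any FIDO library's API, showing the structural checks a relying party performs on an assertion before verifying the signature; `RP_ID`, `EXPECTED_ORIGIN`, the challenge bytes and the sample builders are constructed for the example. A look-alike domain fails both the origin check and the rpIdHash check, which is why a relayed code cannot be substituted the way an OTP can.

```python
from __future__ import annotations
import base64
import hashlib
import json
import struct

RP_ID = "example.com"                          # assumed relying-party identifier
EXPECTED_ORIGIN = "https://login.example.com"  # assumed origin the relying party serves


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def check_assertion_binding(client_data_json: bytes, auth_data: bytes, expected_challenge: bytes,
                            rp_id: str = RP_ID, expected_origin: str = EXPECTED_ORIGIN) -> tuple[bool, str]:
    """Structural checks on a WebAuthn assertion: ceremony type, fresh challenge, origin, rpIdHash, user presence.

    These are the checks that make the credential phishing-resistant; signature verification
    over signed_payload() with the stored public key follows once they pass."""
    try:
        client_data = json.loads(client_data_json)
    except ValueError:
        return False, "clientDataJSON is not valid JSON"
    if client_data.get("type") != "webauthn.get":
        return False, "not an authentication ceremony"
    if b64url_decode(client_data.get("challenge", "")) != expected_challenge:
        return False, "challenge mismatch: replayed or issued to another session"
    origin = client_data.get("origin")
    if origin != expected_origin:
        return False, f"origin {origin!r} is not the relying party's origin"
    if len(auth_data) < 37:                 # rpIdHash (32) + flags (1) + signCount (4)
        return False, "authenticator data too short"
    if auth_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash mismatch: credential was scoped to a different site"
    flags = auth_data[32]
    if not flags & 0x01:                    # UP bit: the user touched the authenticator
        return False, "user presence flag not set"
    return True, "bound to expected origin and rpId"


def signed_payload(auth_data: bytes, client_data_json: bytes) -> bytes:
    """The exact bytes the authenticator signed; verify them with the stored public key (e.g. ECDSA P-256)."""
    return auth_data + hashlib.sha256(client_data_json).digest()


# Constructed sample builders standing in for what a browser and authenticator would produce.
def make_client_data(challenge: bytes, origin: str, ceremony: str = "webauthn.get") -> bytes:
    return json.dumps({"type": ceremony, "challenge": b64url_encode(challenge), "origin": origin}).encode()


def make_auth_data(rp_id: str, flags: int = 0x01, sign_count: int = 7) -> bytes:
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)


if __name__ == "__main__":
    challenge = b"\x01" * 32   # constructed; a real relying party draws this from a CSPRNG per login
    print(check_assertion_binding(make_client_data(challenge, EXPECTED_ORIGIN), make_auth_data(RP_ID), challenge))
    # Look-alike site: the browser records its real origin and only lets it use its own rpId.
    print(check_assertion_binding(make_client_data(challenge, "https://login-example.com"),
                                  make_auth_data("login-example.com"), challenge))
```

Because the signature also covers clientDataJSON, an intermediary cannot rewrite the origin field to pass the check; the relying party's remaining job is to verify that signature and to treat a non-increasing sign counter as a signal worth investigating.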

To learn more about how to accelerate your Zero Trust strategy with strong, phishing-resistant authentication, check out our whitepaper here.
