Laying the groundwork for continuous authentication

May 12, 2022

Continuous authentication is an emerging concept—a future ‘nirvana’ state of security that would provide the capability to validate a user’s identity in real time as they move between systems, applications, and devices. In theory, continuous authentication solutions would use risk signals from a variety of monitoring sources to authenticate users, identify potential threats, and proactively remediate any credentials flagged as compromised. However, continuous user authentication remains only a concept today, not yet an established standard.

Traditional authentication methods currently used across the industry are static, requiring a user to actively participate in providing authentication factors (e.g. password or PIN, one-time passcode, biometrics) only at the start of the authentication workflow. Conceptually, continuous authentication replaces or augments that active participation with machine-learning-backed intelligent risk monitoring sources, including geolocation, changes in biometrics, and behavioral monitoring such as keystroke or mouse patterns, context, and other activity patterns.

The drive for continuous authentication

The impetus behind continuous authentication is clear: cyberattacks continue to rise in number and sophistication, and user credentials are at the root of 61% of data breaches. Attempts to increase security with legacy second factors, such as SMS-based OTP, have only led to user frustration and insecure workarounds, with 43% of organizations citing user experience as the top obstacle to using multi-factor authentication (MFA). The shift to hybrid and remote work has only intensified the weaknesses in how identity and access management are handled today.

Identity and access management (IAM) and privileged access management (PAM) solutions have attempted to streamline access control to enterprise applications, often with single sign-on (SSO), assigning individual tokens for each application the user has access to. While some IAM and PAM solutions may apply risk analytics to prompt for step-up authentication, this does not capture the true essence of continuous authentication. Further, these solutions are often limited by their own walls, unable to monitor, connect to, or interact with applications that have not been specifically configured – diminishing their overall capacity to manage identity and access with any higher level of automated sophistication or intelligence capable of detecting a threat or anomaly.

The concept of continuous authentication has been around for quite some time, with researchers as far back as 2004 studying methods such as measuring temperature, eye movement, and click pressure that could provide continuous authentication of identity with above 80% accuracy. Today, there exist some point solutions that apply intelligence to contextual or behavioral data and can be combined with processes and authentication frameworks to dynamically apply access controls. However, for any approach to managing identity or access, if the underlying trust model still includes legacy authentication methods such as usernames and passwords, and even mobile-based authenticators, the identity baseline—the proof that you are who you say you are—is inherently flawed.

The reality is that there are critical steps that need to be taken before we are able to achieve the idea of continuous authentication.

The building blocks for continuous authentication

Modern, strong authentication is one of the building blocks necessary for both continuous authentication and Zero Trust. The Zero Trust framework of “never trust, always verify” requires that organizations should trust no user, packet, interface, or device unless properly verified before being given access to the network or data. This trust could be established passively with risk signals as in continuous authentication—but it should be backed with strong authentication first. 

With that said, it’s important to note that not all forms of MFA are created equal. While any form of MFA is better than no MFA, username and password or mobile-based authentication such as SMS one-time passcode (OTP), push notifications, and authenticator apps are all vulnerable to phishing, targeted attacks, and account takeovers. Each of these authenticators relies on ‘shared secrets’ that can be breached by malware, man-in-the-middle (MiTM) attacks, SIM swapping, and other forms of malicious activity.

Yubico envisions continuous authentication as a future, more evolved state of a Zero Trust strategy, where an individual is prompted to verify they are who they say they are, with strong authentication that is backed by modern standards such as FIDO2. Users would be prompted to verify identity at more frequent intervals as intelligent systems learn an individual’s patterns; over time, the number of authentication prompts would decrease for routine activities, with step-up authentication still being required for privileged access during moments of irregular or potentially higher-risk activities.
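The step-up model described above, as an added illustration that is not Yubico's code or a description of any product: a small policy engine that scores each user event against a learned baseline (known devices, usual countries, routine actions), prompts for a phishing-resistant factor on privileged actions or anomalies, and otherwise lets routine activity pass. The weights, threshold, and event fields are assumptions chosen for the example; the baseline is only updated for events that were actually permitted, so unverified activity cannot train it.

```python
from dataclasses import dataclass, field

# Illustrative weights and thresholds (assumptions for this example, not product values).
W_NEW_DEVICE, W_NEW_COUNTRY, W_NON_ROUTINE = 40, 35, 25
STEP_UP_THRESHOLD = 30   # score at or above this requires a FIDO2 prompt
ROUTINE_MIN_SEEN = 5     # an action counts as routine after this many permitted uses

@dataclass
class Event:
    user: str
    device_id: str
    country: str
    action: str
    privileged: bool = False   # e.g. approving a payment or changing admin settings

@dataclass
class Baseline:
    devices: set = field(default_factory=set)
    countries: set = field(default_factory=set)
    action_counts: dict = field(default_factory=dict)

def risk_score(ev: Event, base: Baseline) -> int:
    """Sum the risk signals that deviate from the user's learned baseline."""
    score = 0
    if ev.device_id not in base.devices:
        score += W_NEW_DEVICE
    if ev.country not in base.countries:
        score += W_NEW_COUNTRY
    if base.action_counts.get(ev.action, 0) < ROUTINE_MIN_SEEN:
        score += W_NON_ROUTINE
    return score

def decide(ev: Event, base: Baseline) -> tuple:
    """'step_up' means: prompt for a phishing-resistant factor before continuing."""
    score = risk_score(ev, base)
    if ev.privileged or score >= STEP_UP_THRESHOLD:
        return ("step_up", score)
    return ("allow", score)

def record(ev: Event, base: Baseline) -> None:
    """Learn from an event only after it was permitted (allowed, or step-up passed)."""
    base.devices.add(ev.device_id)
    base.countries.add(ev.country)
    base.action_counts[ev.action] = base.action_counts.get(ev.action, 0) + 1

def simulate(events, base=None):
    """Run events through the policy; for the demo, every step-up prompt is assumed to pass."""
    base = Baseline() if base is None else base
    decisions = []
    for ev in events:
        decisions.append(decide(ev, base))
        record(ev, base)   # permitted either way in this demo
    return decisions
```

Running the same routine event repeatedly shows the prompt count falling to zero as the baseline fills in, while a privileged action or a new country or device brings the prompt back.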

To prepare, at minimum, organizations should establish a baseline of phishing-resistant two-factor (2FA) or MFA with hardware-based authentication such as the YubiKey, which relies on a simple touch or biometrics for user verification. Only once organizations have transitioned to user-friendly, passwordless, strong authentication can Zero Trust and continuous authentication frameworks be built.

There is currently no single solution that can apply continuous authentication to all systems and applications. However, organizations today can take action to improve authentication and apply continuous authentication concepts to mission-critical applications that typically offer access to highly sensitive and confidential data. 

By future-proofing your authentication framework with Zero Trust principles and phishing-resistant authentication protocols such as FIDO U2F and FIDO2, you can lay the groundwork for a more modern and responsive security strategy in the future. 

To learn more about how to accelerate your Zero Trust strategy with strong, phishing-resistant authentication, check out our whitepaper here.