While one-time credential checks such as passwords, PINs, and MFA remain essential aspects of identity and access management, advances in continuous authentication take a much-needed leap forward in our ability to ensure that only approved users have access to sensitive networks and data.
Highly assured user validation is especially critical in these challenging times, when the majority of organizations now require employees to work remotely. Continuous authentication provides ongoing validation of a user's identity and added controls over what information can be accessed. It also monitors biometric cues and actions for anything that might be considered anomalous behavior.
That said, there's more to continuous authentication than the name implies. While the "continuous" part of the name is apt, functionally the approach goes far beyond mere authentication, a term that can lead IT security leaders to assume the technology is less comprehensive than it actually is. There are three distinct benefits of continuous authentication:
Phase One: Are the credentials provided valid?
At this phase, continuous authentication does nothing more and nothing less than traditional password/PIN/MFA in verifying that the credentials provided match those stored in the system.
But having entered valid credentials falls far short of actually verifying that the user is who the credentials represent them to be, and that they should be given access to the system. That is where traditional methods of authentication fail to protect against the issue of stolen passwords, PINs, access cards and even some forms of multifactor authentication.
Phase Two: Are the user’s behaviors consistent with those of the legitimate user?
Now that we have tentatively accepted a user’s credentials, we'll let them in, but their every action is being closely scrutinized and compared to the actions of prior sessions of that user.
Continuous authentication examines how they interact with the keyboard and mouse, the angle at which they hold the device, the time of day, the IP address, the nature of the files they are trying to access, etc., constantly reauthenticating without the user even knowing it so that an approved user can just focus on doing their job. As an added measure of security, this trust degrades over time until reauthentication occurs, especially on unmanaged devices.
This Zero Trust approach goes way beyond one-time credential-checking, and if continuous authentication stopped here, the term would be sufficient to describe the controls provided.
Phase Three: Even if they are a legitimate user, are their actions consistent with their job description?
This is where things get really interesting. Legacy authentication systems pretty much stop trying once the credentials seem to match. At this point, there are three possibilities: A) this is the legitimate user doing legitimate things; B) this is an unauthorized user with valid credentials; or, C) this is the legitimate user but they appear to be doing illegitimate things or manipulating the system in an attempt to extend privileges.
Phase Two delivers a far better authentication mechanism, orders of magnitude better than password and MFA alone, but it's Phase Three that makes continuous authentication a full-fledged security approach, one that goes light years beyond one-time authentication. This benefit becomes even more important where organizations are managing a dispersed remote workforce using both managed and personal devices while working from home.
The Enterprise Advantage with Continuous Authentication
Done properly, continuous authentication's enterprise advantages don't end when the current session completes. The recorded trail of a thief's attack attempt, noting every single action taken and the precise way it was taken, such as typing speed and force, can play a critical role in defense. Those captured details can provide a virtual fingerprint of the attacker, one that goes far beyond a computer ID and an OS version number.
Why are the details from continuous authentication so much better than details about the machine used in the attack? The typical, well-financed professional cyberthief - the kind that will attack larger enterprises - can easily switch machines and upgrade or downgrade software to thwart device-recognition efforts. Individual biometric characteristics based on a model of a known user cannot be spoofed.
There is also the potential to share continuous authentication details of an attack attempt - both for those that were successful and those that weren't - with partners and even counterparts, typically via an ISAC. This will facilitate attackers being detected and stopped much faster and, in theory, make it harder for some to be successful at all when attacking larger enterprises.
There is also the not-so-far-fetched notion of pairing continuous authentication with other artificial intelligence (AI) and machine learning (ML) capabilities. This would theoretically allow for an unsupervised ML system to figure out which of the many details of an interaction are worth saving, which could go quite far in making this data retention more cost-effective.
A session that appears to be legitimate end-to-end, which hopefully represents the vast majority of an enterprise's user sessions, could save just enough to keep that user's behavior record current. For example, employee 1234 might never download more than 500 MB during a session and is suddenly detected downloading a dozen terabytes; that would merit a flag to a SOC. But if the response is that this employee's duties have changed and they are now examining records looking for GDPR violations, that employee's profile would be automatically updated to avoid flagging the behavior in the future.
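The mechanics described in Phase Two (trust that decays until reauthentication, faster on unmanaged devices) and in the employee 1234 scenario above (a download far outside the learned baseline is flagged to the SOC, and the profile is updated once the SOC confirms the change in duties) can be sketched in a small scoring model. This is an added illustration, not code from any product; the half-lives, multipliers, thresholds and the sample profile are constructed values.

```python
from dataclasses import dataclass

@dataclass
class BehaviorProfile:
    """Per-user baseline learned from prior sessions (constructed sample values)."""
    max_download_mb: float   # largest download seen in any prior session
    typical_hours: range     # hours of day the user normally works
    typical_ip_prefix: str   # leading octets of the user's usual address

@dataclass
class SessionEvent:
    minutes_since_reauth: int
    hour: int
    ip: str
    download_mb: float

def decayed_trust(minutes_since_reauth: int, managed_device: bool) -> float:
    """Trust is 1.0 right after the credential check (Phase One) and halves
    every half_life minutes; unmanaged devices decay four times faster."""
    half_life = 240 if managed_device else 60
    return 0.5 ** (minutes_since_reauth / half_life)

def evaluate(profile: BehaviorProfile, event: SessionEvent,
             managed_device: bool, reauth_threshold: float = 0.3):
    """Phase Two/Three check. Returns (decision, reasons) where decision is
    'allow', 'reauth' (trust decayed too far) or 'flag' (escalate to SOC)."""
    reasons = []
    trust = decayed_trust(event.minutes_since_reauth, managed_device)
    if event.hour not in profile.typical_hours:      # Phase Two signals
        reasons.append("unusual hour")
        trust *= 0.7
    if not event.ip.startswith(profile.typical_ip_prefix):
        reasons.append("unusual network")
        trust *= 0.5
    # Phase Three: volume far beyond anything this user has done before
    if event.download_mb > 2 * profile.max_download_mb:
        reasons.append(f"download {event.download_mb:.0f} MB exceeds baseline "
                       f"{profile.max_download_mb:.0f} MB")
        return "flag", reasons
    if trust < reauth_threshold:
        reasons.append(f"trust {trust:.2f} below {reauth_threshold}")
        return "reauth", reasons
    return "allow", reasons

def confirm_legitimate(profile: BehaviorProfile, event: SessionEvent) -> None:
    """SOC confirmed the duties changed: raise the baseline so the same
    behavior is not flagged next time."""
    profile.max_download_mb = max(profile.max_download_mb, event.download_mb)
```

Trust degrades with time, not just with observed anomalies, so a quiet session on an unmanaged device still ends in reauthentication while the same session on a managed device is allowed to continue.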
For an enterprise with billions of interactions a quarter, ML might be a critical factor in determining appropriate retention. And, yes, GDPR and other privacy compliance requirements should also factor into what is retained and for how long. Continuous authentication is indeed a powerful advancement and foundational to a Zero Trust security architecture.