Continuous and Seamless User Authentication with Biometrics

User authentication is usually discussed in the context of the person's initial interactions with the system—a safeguard implemented by the classic login screen. However, one-time verification is becoming insufficient for modern devices and applications that process sensitive data. Such situations benefit from seamless authentication that incorporates continuous validation of the user's identity. Such measures are no longer a theoretical possibility, thanks to biometrics.

Traditional attempts at authenticating the user beyond the initial login are awkward at best. They might involve prompting for a password or PIN after inactivity or some time intervals. For instance, WhatsApp periodically asks for a PIN if the user enabled two-factor authentication, supposedly to "help you remember your PIN." Such intrusive measures get on the way of normal interactions. They leave much room for innovation, which is starting to appear in today's products.

Behavioral and Physiological Biometrics

It's possible to implement continuous authentication by spotting anomalies in the way the user interacts with the system. Such methods could avoid interrupting the user unless the system doubts the person's identity based on his or her behavior. For example, the user's web application activities could be continuously scrutinized for deviations from normal workflow and UI interaction patterns.

Similarly, a system equipped with the necessary sensors could monitor the user's bio-signs, such as facial expressions or movement patterns, to spot an impostor based on unexpected changes in physiological characteristics.

Ideas from Research

The notion of continuous and seamless authentication based on behavioral and physiological biometrics isn't new. Here are a few ideas documented by the research community:

Modern hardware and software developments have taken us beyond theoretical possibilities for authentication based on user interactions and bio signs. Consider the following products that can act as a starting point for continuous and seamless  user authentication.

Face-Based Authentication

Apple's release of Face ID for iPhone is an example of the role that unobtrusive authentication can play in securing users' interactions with their devices with minimal friction. Face ID authenticates the user when the person glances at the device. Some Android phones have similar abilities as part of their Smart Lock feature set; Google calls this capability Trusted Face. When equipped with compatible hardware, Microsoft Windows can accomplish this as well using the Windows Hello face authentication feature.

Face-based authentication can act as the basis for continuous verification of the person's identity without interrupting the legitimate user's experience. Armed with the appropriate API access, developers could use such capabilities to lock out the user from the device or application when the expected face disappears. In such scenarios, security won't get on the way unless absolutely necessary.

Physical Movement for Authentication

Another example of a productized approach to using the person's physiology for authentication is Motiv Ring's WalkID. This smart ring can use its accelerometer to sense the walking pattern of the person wearing the device. According to the company, this feature "allows you to use your gait as a way to verify that you are who you say you are when accessing your accounts online."

It's easy to imagine implementing similar capabilities using the sensors built into today's mobile phones, for instance by observing how the person walks while carrying the phone or the manner in which the user holds the device. Like with face-based authentication, when granted access to the necessary sensors, applications could lock out the user when detecting anomalous gait or hand movements.

Voice Authentication

Voice offers another opportunity to use biometrics as a form of authentication, both for initial validation and for ongoing verification of identity. This method is already in use by quite a few banks for authenticating callers at the onset of the conversation. It's not hard to imagine how this approach can provide continuous authentication for ongoing phone discussions.

For example, ABN AMRO rolled out "voice verification for its 4 million telephone banking customers," validating callers' identities using many characteristics, including "pitch, frequency, soft and hard palate, jaw structure." Barclays explains that its voice authentication works by comparing the reference conversations on file to the caller's "subtly unique characteristics such as vocal tract length and shape, pitch and speaking rate."

Companies that voice-based authentication products include Nuance, HYPR, NICE, and others. (Listed in no particular order, since I lack direct experience with these firms.)

Authenticating users based on voice is becoming viable even outside the realm of enterprise applications. Amazon's Alexa can recognize voices to create personalized experiences based on users' individual "voice profiles." Similarly, Google Home can distinguish between the voices of its users. Though these capabilities are not yet sufficient for reliable authentication, they are a sign the features that will soon be possible even for routine, day-to-day interactions.

User Behavior Authentication

Another approach to continually and seamlessly authenticating users involves tracking their behavior with the website or application, noting anomalies that indicate a likely impostor. The system could note deviations from the way in which the person typically types, taps or uses the mouse.

For example, Royal Bank of Scotland uses this method by tracking "2,000 different interactive gestures. On phones, it measures the angle at which people hold their devices, the fingers they use to swipe and tap, the pressure they apply and how quickly they scroll. On a computer, the software records the rhythm of their keystrokes and the way they wiggle their mouse."

Companies whose products offer this continuous authentication method include BioCatch, Twosense, BehavioSec, and others. (Listed in no particular order, since I lack direct experience with these firms.)

The Future is Now

Users of modern applications, systems and devices value strong security measures to safeguard sensitive data, but only if they don't get in the way of normal activities. Continuous user authentication helps fulfill such seemingly unattainable demands by passively tracking relevant sensors and metrics, getting on the way only when an anomaly arises. Such security approaches are already employed by some organizations. They will become increasingly common in the near future.


About the Author

I transform ideas into successful outcomes, building on my 25 years of experience in cybersecurity. As the CISO at Axonius, I lead the security program to earn customers' trust. I'm also a Faculty Fellow at SANS Institute, where I author and deliver training for incident responders. The diversity of cybersecurity roles I've held over the years and the accumulated expertise, allow me to create practical solutions that drive business growth.

Learn more