Beyond Logins: Continuous and Seamless User Authentication


User authentication is usually discussed in the context of the person’s initial interactions with the system—a safeguard often implemented by a classic login screen. However, one-time validation of the user’s identity is becoming insufficient for modern devices and applications that process sensitive data. Such situations might benefit from a seamless authentication approach that incorporates continuous verification of the user’s identity. However, for this to be usable in real-world scenarios, the authentication has to be seamless to the user.

Initial attempts at continuous user authentication can be seen in security policies that lock the user’s workstation after a period of inactivity or settings demanding that mobile phone users enter their PIN every few minutes. These traditional security measures annoy people, because they get in the way of normal computer or device interactions, and leave much room for innovation.

Post-Login Validation via Anomaly Detection

One option to improve security without interfering with the user’s experience is to look for potentially malicious anomalies after the user’s initial successful authentication.

Continuous user authentication could occur transparently by spotting anomalies in how the user interacts with the system. Such methods could avoid interrupting the user unless the system begins to doubt the person’s identity. For instance, the user’s web application activities could be continuously scrutinized for deviations from normal workflow and UI interaction patterns, such as mouse movements.
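The approach described above, as an added example that is not part of the original article: a per-user baseline of mouse-movement features is fitted at enrollment, each later window of activity is scored against it, and a step-up challenge is raised only after several consecutive anomalous windows, so a single odd gesture never interrupts a legitimate user. The feature set, thresholds, the `simulate_session` generator and all sample data are constructed assumptions for illustration.

```python
"""Post-login continuous authentication by scoring mouse-movement anomalies.

Added example (not from the original article). Feature names, the 3.0 z-score
threshold, the patience of 3 windows and the simulated sessions are assumptions.
"""
from dataclasses import dataclass
from statistics import mean, pstdev
import math
import random

FEATURES = ("speed_px_per_s", "pause_ms", "curvature")


@dataclass
class Baseline:
    """Per-user mean and standard deviation of each interaction feature."""
    means: dict
    stdevs: dict


def extract_features(events):
    """Reduce raw (t_ms, x, y) pointer samples to a small feature vector."""
    speeds, pauses, turns = [], [], []
    prev_angle = None
    for (t0, x0, y0), (t1, x1, y1) in zip(events, events[1:]):
        dt = max(t1 - t0, 1)  # ms; guard against duplicate timestamps
        speeds.append(math.hypot(x1 - x0, y1 - y0) / dt * 1000.0)
        pauses.append(dt)
        angle = math.atan2(y1 - y0, x1 - x0)
        if prev_angle is not None:  # absolute wrapped change of heading, in radians
            d = angle - prev_angle
            turns.append(abs(math.atan2(math.sin(d), math.cos(d))))
        prev_angle = angle
    return {
        "speed_px_per_s": mean(speeds) if speeds else 0.0,
        "pause_ms": mean(pauses) if pauses else 0.0,
        "curvature": mean(turns) if turns else 0.0,
    }


def build_baseline(windows):
    """Fit per-feature mean/stdev from feature dicts captured during enrollment."""
    means = {f: mean(w[f] for w in windows) for f in FEATURES}
    # floor the spread so a perfectly constant feature cannot divide by zero
    stdevs = {f: max(pstdev([w[f] for w in windows]), 1e-6) for f in FEATURES}
    return Baseline(means, stdevs)


def anomaly_score(baseline, feats):
    """Root-mean-square z-score across features: 0 = typical, above ~3 = unusual."""
    zs = [(feats[f] - baseline.means[f]) / baseline.stdevs[f] for f in FEATURES]
    return math.sqrt(sum(z * z for z in zs) / len(zs))


class ContinuousAuthMonitor:
    """Scores each activity window; asks for re-authentication only after
    `patience` consecutive anomalous windows, so one odd gesture is tolerated."""

    def __init__(self, baseline, threshold=3.0, patience=3):
        self.baseline, self.threshold, self.patience = baseline, threshold, patience
        self.strikes = 0

    def observe(self, events):
        score = anomaly_score(self.baseline, extract_features(events))
        self.strikes = self.strikes + 1 if score > self.threshold else 0
        return "challenge" if self.strikes >= self.patience else "ok"


def simulate_session(rng, n=40, speed=400.0, pause=30.0, jitter=0.10):
    """Constructed sample: a wandering pointer path with the given typical
    speed (px/s) and inter-sample pause (ms). Stands in for real telemetry."""
    events, t, x, y, heading = [], 0.0, 500.0, 500.0, 0.0
    for _ in range(n):
        dt = pause * rng.uniform(1 - jitter, 1 + jitter)
        heading += rng.uniform(-0.3, 0.3)
        step = speed * dt / 1000.0 * rng.uniform(1 - jitter, 1 + jitter)
        x, y, t = x + step * math.cos(heading), y + step * math.sin(heading), t + dt
        events.append((t, x, y))
    return events


def demo():
    """Enroll on 20 genuine windows, then watch 5 genuine and 5 impostor windows."""
    rng = random.Random(7)  # fixed seed so the constructed data is reproducible
    enrollment = [extract_features(simulate_session(rng)) for _ in range(20)]
    monitor = ContinuousAuthMonitor(build_baseline(enrollment))
    genuine = [monitor.observe(simulate_session(rng)) for _ in range(5)]
    # an impostor moving the pointer much faster and with longer pauses
    impostor = [monitor.observe(simulate_session(rng, speed=900.0, pause=80.0))
                for _ in range(5)]
    return {"genuine": genuine, "impostor": impostor}


if __name__ == "__main__":
    print(demo())
```

The patience counter is the usability lever: lowering `threshold` or `patience` catches a takeover sooner but raises the chance of interrupting the real user, which is exactly the trade-off the article warns against. In a deployment, the challenge verdict would trigger a step-up prompt (PIN, biometric) rather than an outright logout, and the baseline would be refreshed from windows that passed the check.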

Similarly, a mobile phone could regularly examine the user’s bio-signs to spot an impostor. More on this below, in the context of Apple’s Face ID technology.

Beyond Anomalies: Ongoing Validation

The notion of continuous and seamless authentication isn’t new; however, some of these principles are only now starting to enter mainstream computing in a meaningful way. Here are a few examples of what might be feasible:

Unobtrusive Authentication Makes Ongoing Validation Possible

Apple’s release of Face ID, starting with the incorporation of this technology into iPhone X, is a powerful example of the role that unobtrusive authentication can play in securing users’ interactions with their devices without interfering with routine activities. Face ID automatically authenticates the user when the person glances at the device.

This capability has deeper implications than the mere replacement of a fingerprint-based authentication method with one based on facial recognition. Consider the following observation that Nicole Nguyen made as part of her iPhone X review:

“For a normal human who isn’t aware of the 30,000 invisible dots being projected on their face or the 3D map of their head encrypted somewhere deep inside their phone, there’s nothing ‘futuristic’ about these interactions. Using Face ID is what life without a passcode—life before we all became paranoid technofreaks—felt like.”

Assuming Face ID works as advertised, it offers the security benefit of continuous verification of the user’s identity without interrupting the person’s experience of using the device. The phone can automatically lock itself when it detects that the user isn’t paying attention; it can selectively display information of different sensitivity depending on whether the user is glancing at the screen; and it can periodically confirm that the authorized user is present without inconvenient disruptions. In this case, security doesn’t get in the way unless it absolutely needs to. As John Gruber pointed out, “the best way to use Face ID is to pretend it isn’t even there.”

Users of modern applications, systems and devices value strong security measures that safeguard sensitive data, but only if they don’t get in the way of normal activities. Continuous user authentication can help fulfill such seemingly unattainable demands by passively tracking relevant sensors and metrics, getting in the way only when an anomaly arises or when the user fails to seamlessly authenticate.


About the Author

Lenny Zeltser is a seasoned business and tech leader with extensive cybersecurity experience. He builds innovative endpoint defense solutions as VP of Products at Minerva Labs. Beforehand, he was responsible for security product management at NCR Corp. Lenny also trains incident response and digital forensics professionals at SANS Institute. An engaging presenter, he speaks at industry events, writes articles and has co-authored books. Lenny has earned the prestigious GIAC Security Expert designation, has an MBA from MIT Sloan and a Computer Science degree from the University of Pennsylvania.
