User authentication is usually discussed in the context of the person’s initial interactions with the system—a safeguard often implemented by a classic login screen. However, one-time validation of the user’s identity is becoming insufficient for modern devices and applications that process sensitive data. Such situations might benefit from an approach that continuously verifies the user’s identity after login. However, for this to be usable in real-world scenarios, the ongoing verification has to be seamless to the user.
Initial attempts at continuous user authentication can be seen in security policies that lock the user’s workstation after a period of inactivity, or in settings that demand that mobile phone users enter their PIN every few minutes. These traditional security measures annoy people because they get in the way of normal computer or device interactions, and they leave much room for innovation.
Post-Login Validation via Anomaly Detection
One option to improve security without interfering with the user’s experience is to look for potentially malicious anomalies after the user’s initial successful authentication.
Continuous user authentication could occur transparently by spotting anomalies in how the user interacts with the system. Such methods could avoid interrupting the user unless the system begins to doubt the person’s identity. For instance, the user’s web application activities could be continuously scrutinized for deviations from the normal workflow and from UI interaction patterns such as mouse movements.
Similarly, a mobile phone could regularly examine the user’s bio-signs to spot an impostor. More on this below in the context of Apple’s Face ID technology.
Beyond Anomalies: Ongoing Validation
The notion of continuous and seamless authentication isn’t new; however, some of these principles are only now starting to enter mainstream computing in a meaningful way. Here are a few examples of what might be feasible:
- “Continuous Authentication using Biometric Keystroke Dynamics” and “Keystroke Dynamics Based Human Authentication System using Genetic Algorithm” discussed challenges and solutions for continuous authentication techniques based on the user’s typing activity.
- “Physical Access Protection using Continuous Authentication” discussed prototype systems that continuously and seamlessly authenticated PC users through “video from a camera, and fingerprint images from a mouse equipped with a fingerprint scanner.”
- “Continuous Mobile Authentication Using Touchscreen Gestures” proposed an approach that tracked the user’s “unique touch features, such as finger pressure and trajectory, the speed and acceleration of movement” as the person interacted with the mobile device.
- “Continuous Identity Authentication Using Multi-modal Physiological Sensors” proposed multiple physiological sensors that could be used for this purpose, including eye position, pupil size, skin conductivity, blink rate, etc.
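The anomaly-detection idea from the previous section and the keystroke-dynamics work listed above share one mechanism: learn a profile of how the user normally behaves, then score later activity against it and escalate only when the drift is sustained. The following is an added example of that mechanism in Python; it is not code from the original article or from any of the papers it cites. Keystrokes are modelled as (key, press_ms, release_ms) triples, the features are dwell time and flight time, and the sample sessions, the window size of 5 and the threshold of 2.0 are all constructed assumptions for illustration.

```python
"""Keystroke-dynamics anomaly detection for continuous authentication.

Added example, not code from the original article or the papers it lists.
Two features are derived from consecutive keystrokes: dwell time
(release - press) and flight time (next press - this release). Enrollment
sessions give a profile of mean and standard deviation per feature; a
later session is scored by how many standard deviations it drifts from
that profile, averaged over a sliding window so that a single odd
keystroke does not by itself trigger a step-up prompt. Window size and
threshold are assumed tuning parameters, not values from the article.
"""
from statistics import mean, pstdev
from typing import Dict, List, Tuple

Keystroke = Tuple[str, int, int]          # (key, press_ms, release_ms)
Profile = Dict[str, Tuple[float, float]]  # feature -> (mean, std)


def features(events: List[Keystroke]) -> List[Tuple[float, float]]:
    """(dwell, flight) for every keystroke that has a successor."""
    pairs = []
    for (_, press, release), (_, next_press, _) in zip(events, events[1:]):
        pairs.append((release - press, next_press - release))
    return pairs


def enroll(sessions: List[List[Keystroke]]) -> Profile:
    """Build the user's profile from several enrollment sessions."""
    dwell = [d for s in sessions for d, _ in features(s)]
    flight = [f for s in sessions for _, f in features(s)]
    # Floor the spread at 1 ms so a very regular typist does not divide by ~0.
    return {"dwell": (mean(dwell), max(pstdev(dwell), 1.0)),
            "flight": (mean(flight), max(pstdev(flight), 1.0))}


def window_scores(profile: Profile, events: List[Keystroke], window: int = 5) -> List[float]:
    """Mean absolute z-score of each sliding window; [] if fewer than 2 keystrokes."""
    zs = []
    for dwell, flight in features(events):
        z_d = abs(dwell - profile["dwell"][0]) / profile["dwell"][1]
        z_f = abs(flight - profile["flight"][0]) / profile["flight"][1]
        zs.append((z_d + z_f) / 2)
    if not zs:
        return []
    return [mean(zs[i:i + window]) for i in range(max(1, len(zs) - window + 1))]


def verdict(profile: Profile, events: List[Keystroke],
            threshold: float = 2.0, window: int = 5) -> Tuple[str, float]:
    """'ok' while every window stays under the threshold, otherwise 'step-up'."""
    scores = window_scores(profile, events, window)
    if not scores:
        return "insufficient", 0.0   # nothing to judge yet; keep observing
    worst = max(scores)
    return ("step-up" if worst > threshold else "ok"), worst


def make_session(dwells: List[int], flights: List[int]) -> List[Keystroke]:
    """Constructed helper: turn dwell/flight lists into timestamped keystrokes."""
    events, t = [], 0
    for i, d in enumerate(dwells):
        events.append((f"k{i}", t, t + d))
        t += d + (flights[i] if i < len(flights) else 0)
    return events


# Constructed sample data: a typist with ~90 ms dwell and ~120 ms flight.
ENROLL = [
    make_session([90, 85, 95, 100, 80, 92, 88, 97, 83, 91],
                 [120, 130, 110, 140, 100, 125, 115, 135, 105]),
    make_session([88, 93, 86, 98, 82, 90, 94, 84, 96, 89],
                 [118, 128, 112, 138, 102, 123, 117, 133, 107]),
]
GENUINE = make_session([91, 87, 94, 99, 81, 90, 89, 96, 85, 92],
                       [121, 129, 111, 139, 101, 124, 116, 134, 106])
IMPOSTOR = make_session([150, 160, 140, 155, 165, 145, 158, 148, 162, 152],
                        [260, 240, 280, 250, 270, 245, 265, 255, 275])

if __name__ == "__main__":
    profile = enroll(ENROLL)
    print("genuine :", verdict(profile, GENUINE))
    print("impostor:", verdict(profile, IMPOSTOR))
```

The sliding window is the part that keeps this unobtrusive: a real deployment tunes the threshold on the user’s own false-positive rate, and the “step-up” verdict should lead to a quiet re-verification (a face or fingerprint check, say) rather than an immediate lock, since behavioural signals are noisy and a single bad window is weak evidence on its own.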
Unobtrusive Authentication Makes Ongoing Validation Possible
Apple’s release of Face ID, starting with the incorporation of this technology into iPhone X, is a powerful example of the role that unobtrusive authentication can play in securing users’ interactions with their devices without interfering with routine activities. Face ID automatically authenticates the user when the person glances at the device.
This capability has deeper implications than the mere replacement of a fingerprint-based authentication method with one based on facial recognition. Consider the following observation that Nicole Nguyen made as part of her iPhone X review:
“For a normal human who isn’t aware of the 30,000 invisible dots being projected on their face or the 3D map of their head encrypted somewhere deep inside their phone, there’s nothing ‘futuristic’ about these interactions. Using Face ID is what life without a passcode—life before we all became paranoid technofreaks—felt like.”
Assuming Face ID works as advertised, it offers the security benefit of continuous verification of the user’s identity without interrupting the person’s experience of using the device. The phone can automatically lock itself when it detects that the user isn’t paying attention; it can selectively display information of different sensitivity depending on whether the user is glancing at the screen; and it can periodically confirm that the authorized user is present without inconvenient disruptions. In this case, security doesn’t get in the way unless it absolutely needs to. As John Gruber pointed out, “the best way to use Face ID is to pretend it isn’t even there.”
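The behaviours just listed (lock when attention is gone, hide sensitive content when the user isn’t looking, re-confirm periodically, interrupt only when necessary) can be expressed as one decision policy driven by a session confidence value. The following is an added illustration in Python of such a policy; it is not Apple’s implementation and not code from the article. The signal names (strong match, weak match, anomaly), the decay rate and every threshold are assumed illustrative values.

```python
"""Session policy for unobtrusive continuous authentication.

Added example, not Apple's implementation or code from the article. A single
confidence value models the session: an explicit login or a strong passive
match (an attention-aware face match, say) sets it to 1.0; it decays while
nothing is verified; a weaker behavioural signal (an in-profile keystroke
window) only sustains it and never unlocks; an anomaly cuts it. The action
taken follows from the confidence and the sensitivity of what is about to be
shown. All rates and thresholds are assumed illustrative values.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    decay_per_second: float = 0.02  # confidence lost per second without a match
    anomaly_penalty: float = 0.5    # a behavioural anomaly cuts confidence by this much
    weak_boost: float = 0.2         # an in-profile behavioural window adds this much
    show_sensitive_at: float = 0.7  # below this, hide sensitive content but keep working
    step_up_below: float = 0.4      # below this, ask for an explicit re-authentication
    lock_below: float = 0.15        # below this, lock the session


class Session:
    def __init__(self, policy: Policy = Policy(), now: float = 0.0) -> None:
        self.policy = policy
        self.confidence = 0.0       # starts locked: nothing has been verified yet
        self.last_t = now

    def _advance(self, t: float) -> None:
        """Apply the decay accrued since the last event; time must not run backwards."""
        if t < self.last_t:
            raise ValueError("clock went backwards")
        self.confidence = max(0.0, self.confidence - self.policy.decay_per_second * (t - self.last_t))
        self.last_t = t

    def explicit_login(self, t: float) -> None:
        """Passcode or other interactive login: full confidence."""
        self._advance(t)
        self.confidence = 1.0

    def strong_match(self, t: float) -> None:
        """Strong passive verification (e.g. attention-aware face match) also unlocks."""
        self._advance(t)
        self.confidence = 1.0

    def weak_match(self, t: float) -> None:
        """Behavioural signal consistent with the profile: sustains, never unlocks."""
        self._advance(t)
        if self.confidence >= self.policy.lock_below:
            self.confidence = min(1.0, self.confidence + self.policy.weak_boost)

    def anomaly(self, t: float) -> None:
        """Behavioural signal inconsistent with the profile."""
        self._advance(t)
        self.confidence = max(0.0, self.confidence - self.policy.anomaly_penalty)

    def decide(self, t: float, sensitive: bool = False) -> str:
        """What the device does now: 'allow', 'hide-sensitive', 'step-up' or 'lock'."""
        self._advance(t)
        c, p = self.confidence, self.policy
        if c < p.lock_below:
            return "lock"
        if c < p.step_up_below:
            return "step-up"
        if sensitive and c < p.show_sensitive_at:
            return "hide-sensitive"
        return "allow"


def walkthrough() -> list:
    """Constructed timeline (seconds); returns the sequence of decisions."""
    s = Session()
    out = []
    s.explicit_login(t=0)
    out.append(s.decide(t=5, sensitive=True))   # allow: fresh login
    out.append(s.decide(t=20, sensitive=True))  # hide-sensitive: 15 s unverified
    out.append(s.decide(t=20))                  # allow: routine content stays usable
    s.strong_match(t=21)                        # user glances at the device
    out.append(s.decide(t=52))                  # step-up: 31 s with no match at all
    s.weak_match(t=53)                          # typing matches profile: sustained
    out.append(s.decide(t=53))                  # allow
    out.append(s.decide(t=80))                  # lock: confidence decayed away
    s.weak_match(t=81)                          # too weak to unlock a locked session
    out.append(s.decide(t=81))                  # lock
    s.strong_match(t=82)                        # a glance unlocks again
    out.append(s.decide(t=82, sensitive=True))  # allow
    return out


if __name__ == "__main__":
    print(walkthrough())
```

The ordering of the thresholds is the design point: the cheapest response (hiding sensitive content) happens first and silently, an explicit prompt appears only after the passive signals have gone quiet for a while, and a lock is the last resort, so the user is interrupted only when confidence has genuinely run out.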
Users of modern applications, systems and devices value strong security measures that safeguard sensitive data, but only if they don’t get in the way of normal activities. Continuous user authentication can help fulfill such seemingly unattainable demands by passively tracking relevant sensors and metrics, getting in the way only when an anomaly arises or when the user fails to seamlessly authenticate.