Beyond Logins: Continuous and Seamless User Authentication

image

User authentication is usually discussed in the context of the person’s initial interactions with the system—a safeguard often implemented by a classic login screen. However, one-time validation of the user’s identity is becoming insufficient for modern devices and applications that process sensitive data. Such situations might benefit from a seamless authentication approach that incorporates continuous verification of the user’s identity.

Initial attempts at continuous user authentication can be seen in security policies that lock the user’s workstation after a period of inactivity or settings demanding that mobile phone users enter their PIN every few minutes. These traditional security measures annoy people and leave much room for innovation.

Continuous user authentication could occur transparently by spotting anomalies in which the user interacts with the system. Such methods could avoid interrupting the user unless the system begins to doubt the person’s identity. For instance, the user’s web application activities could be continuously scrutinized for deviations from normal workflow and UI interaction patterns. Similarly, a mobile phone could regularly examine the user’s bio-signs to spot an impostor.

The notion of continuous and seamless authentication isn’t new; however, it has yet to enter mainstream computing in a meaningful way. Here are a few examples of what might be feasible:

Users of modern web applications and mobile devices demand strong security measures that don’t get in the way of normal activities. Continuous user authentication could help fulfill such seemingly unattainable demands by passively tracking relevant sensors and metrics, getting on the way only after observing an anomaly that exceeded a reasonable threshold.

Related articles you might like:

Updated

About the Author

Lenny Zeltser is a seasoned business and technology leader with extensive information security experience. He presently oversees the financial success and expansion of infosec services and SaaS products at NCR. He also trains incident response and digital forensics professionals at SANS Institute. Lenny frequently speaks at industry events, writes articles and has co-authored books. He has earned the prestigious GIAC Security Expert designation, has an MBA from MIT Sloan and a Computer Science degree from the University of Pennsylvania.

Learn more