Continuous Authentication: Definition & Benefits
Authentication is undoubtedly one of the keystones of fraud prevention today. By ensuring that users are who they say they are before granting them access to sensitive data and permissions, fraud detection professionals can keep such access from falling into the wrong hands.
Much of today’s user authentication happens as a one-and-done deal: users enter a password, code, or biometric input to gain access, and then they maintain that same level of access until the session expires. While this type of authentication seems more convenient to the average user, it isn’t the most secure solution available. Instead, an approach known as continuous authentication can help keep account holders safe even after they first prove their identities.
What is continuous authentication?
Continuous authentication is more or less what it sounds like: authentication that happens continuously during a user session on an app or web platform. When authentication is non-continuous, a user who wanders away from their device after logging in to their account leaves their information vulnerable to anyone who happens to walk past. Some platforms using non-continuous authentication may simply end a user’s session after a period of inactivity or a predetermined amount of time, but this solution isn’t the most UX-minded.
No one wants to log in and out of their accounts multiple times over the course of a single workday, and yet one-time authentication can be like leaving a door wide open to fraudsters. So, how do fraud detection professionals go about balancing security and UX?
Continuous user authentication works by continually assigning each user a score that reflects how confident the system is that the authorized user is the one accessing the account. This risk score determines which actions the user is allowed to take–for instance, a user with a low authentication score may be prompted to supply more evidence, such as a biometric or a password, before making transactions or accessing sensitive data. Something as simple and low-risk as opening the account’s homepage might require a much lower score.
With continuous risk-based authentication, users need not be logged out of their session to re-authenticate with a password, making for a more streamlined user experience. Administrators can also set the acceptable risk level separately for different types of access and actions, so the user experiences far less friction yet far higher security than with a single, non-continuous authentication.
What kind of threats can continuous authentication protect against?
In a perfect world, users could authenticate themselves once and go about their business with no threat of anyone fraudulently accessing their account. Unfortunately, this isn’t the case in the real world.
A remote employee working from a coffee shop or co-working office may log into their work accounts before leaving their computer for food or a break. In this instance, an opportunistic fraudster could gain unauthorized access to their accounts and expose sensitive business information or else make fraudulent transactions.
In another example, a teller or nurse who believes they work in a controlled environment may leave their devices logged in for ease of access. However, bad actors can be anywhere, and even a moment of inattention can expose visitors’ financial or health information.
Any security system is only as strong as its weakest link–in the case of user accounts, that weak point is usually the end user themselves. That’s why it’s up to fraud detection professionals to implement security tools like continuous authentication solutions that can continue keeping users safe even when they wander from their machines.
- Continuous authentication is a more secure, more frictionless solution than one-time authentication
- One-time authentication can leave user accounts vulnerable if the user leaves their device logged in and unattended
- Some common continuous authentication methods include location behavior, biometrics, and behavioral analytics
Methods for continuous authentication
There are a few different methods for assigning the authentication score used in continuous authentication.
Biometric authenticators are a popular choice for continuous authentication because the user carries these traits–face, voice, and fingerprints–around with them. A device may continuously check that the user’s face is still in front of the machine, or listen to their voice, to assess the likelihood that the correct user is still the one accessing the account.
However, this method is best used in conjunction with another method, as it can introduce friction if users wear face masks or take their work to a noisier location.
End users are typically creatures of habit. Over time, behavioral analytics can keep track of things like typing speed, how quickly a user moves the mouse, and what types of action the user typically takes on the app to build a model of user behavioral patterns. Deviations from this pre-established model can decrease the confidence score used to verify user identity.
The most important factor to consider with this method is that building the behavioral model takes time, meaning this method may not be effective immediately after implementation.
Location intelligence can anonymously identify the user’s trusted locations and analyze the user’s location behavior to create a unique location identity for authentication purposes. This technology can be combined with trusted device intelligence to create a spoofing-resistant authentication solution, meaning a fraudster can’t simply fake their location in order to access the account. Transactions made from trusted locations on trusted devices return a low risk score, while unfamiliar locations and devices return a higher risk score.
Location identity is especially effective as a continuous authentication method because it requires no action from the user beyond allowing location permissions.
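The scoring and step-up model described above (a per-session confidence score built from device, location, behavioral and biometric signals, compared against a per-action threshold set by an administrator), as an added illustration that is not code from the original article or from any vendor's product. The weights, thresholds, decay period and scenario values are all constructed assumptions.

```python
from dataclasses import dataclass, replace
from typing import Optional

# Constructed per-action minimum confidence (0..1), as an administrator might configure it.
ACTION_THRESHOLDS = {"view_home": 0.3, "view_sensitive": 0.6, "make_transaction": 0.8}

# Assumed weights for the passive signals; they sum to 1.0.
W_DEVICE, W_LOCATION, W_BEHAVIOR, W_BIOMETRIC, W_RECENCY = 0.25, 0.15, 0.30, 0.15, 0.15
BIOMETRIC_UNAVAILABLE_CREDIT = 0.05  # partial credit when face/voice cannot be checked
ACTIVE_AUTH_VALID_MIN = 60.0         # assumption: last active auth stops counting after 60 min

@dataclass
class SessionSignals:
    trusted_device: bool
    trusted_location: bool
    behavior_deviation: float          # 0 = matches the user's model, 1 = nothing like it
    biometric_match: Optional[float]   # None when a mask or noise makes the check unusable
    minutes_since_active_auth: float   # time since the last password/code/biometric prompt

def confidence_score(s: SessionSignals) -> float:
    """Passive confidence that the authorized user still holds this session."""
    score = W_DEVICE * s.trusted_device + W_LOCATION * s.trusted_location
    score += W_BEHAVIOR * (1.0 - s.behavior_deviation)
    if s.biometric_match is None:
        score += BIOMETRIC_UNAVAILABLE_CREDIT  # do not punish a mask; lean on other signals
    else:
        score += W_BIOMETRIC * s.biometric_match
    # Credit from the last active authentication decays linearly to zero.
    score += W_RECENCY * max(0.0, 1.0 - s.minutes_since_active_auth / ACTIVE_AUTH_VALID_MIN)
    return min(score, 1.0)

def decide(action: str, s: SessionSignals) -> str:
    """'allow' the action, or 'step_up' (prompt for a credential) without ending the session."""
    required = ACTION_THRESHOLDS[action]  # unknown action raises KeyError: fail closed
    return "allow" if confidence_score(s) >= required else "step_up"

def after_step_up(s: SessionSignals) -> SessionSignals:
    """Signals once the user has passed the extra prompt: the recency credit is restored."""
    return replace(s, minutes_since_active_auth=0.0)

if __name__ == "__main__":
    # Constructed scenarios: the user at their desk, and a stranger at an unattended laptop.
    at_desk = SessionSignals(True, True, 0.1, 0.95, 5)
    walked_away = SessionSignals(True, True, 0.8, 0.05, 40)
    for name, sig in [("at_desk", at_desk), ("walked_away", walked_away)]:
        print(name, round(confidence_score(sig), 3),
              {a: decide(a, sig) for a in ACTION_THRESHOLDS})
```

In the walked-away scenario the homepage stays open but a transaction triggers a prompt, which is the article's point: the session continues, only the sensitive action is gated.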
Continuous authentication benefits
The major advantage of continuous authentication is two-fold: it enhances security without compromising the user experience.
By using passive authentication techniques to calculate the authentication score of a given user, much of the friction of non-continuous authentication is eliminated. Active authentication is only necessary when a user falls below a certain acceptable risk threshold or attempts to access more restricted information and actions.
By splitting up permissions in this way, continuous authentication also promotes good information security. For instance, a bank employee may be permitted to enter the bank where he works, but that doesn’t necessarily mean he has permission to walk into the vault. Continuous authentication represents an effective way to set these sorts of boundaries in the digital space without requiring users to remember multiple passwords.
Constant log-outs and one-time authentications can create a strain on the user and encourage poor cybersecurity habits such as leaving one’s account logged in at all times. Using continuous user authentication, administrators can keep user accounts and information safe without introducing new friction into the user’s experience.