Continuous Authentication: The future of Identity and Access Management (IAM)

Face it, people share devices and Web applications, so the key is to identify users by their ongoing actions

Although vendor-written, this contributed piece does not promote a product or service and has been edited and approved by Network World editors.

Usernames and passwords act as a gateway. Insert another authentication step on top of these credentials and this gateway becomes harder to infiltrate. But once access is gained, how can the device or Web application be certain that the authenticated user is, in fact, the same person throughout the entire session?

For example, you may log in and walk away from your device, creating an opportunity for someone else to take over your session and, with it, your identity. Or, more commonly, you may hand the device to a colleague – a non-authenticated user – trusting they won't do anything careless or malicious. In fact, according to a survey by B2B International and Kaspersky Lab, 32% of respondents who share an Internet-enabled device with relatives, colleagues or friends said they take no precautions to protect their information.

The reality is clear: People share devices and Web applications with little concern for the potentially detrimental consequences – whether a coworker gains access to proprietary information or an acquaintance accidentally views personal medical records or bank account details. Traditional authentication, whether a single password or a two-factor login, checks identity once at the start of a session and is no longer sufficient on its own. Without continually checking that you are who you say you are, it is next to impossible to tell who is actually using the device or Web application at any given moment.

The future of identity and access management (IAM) must be rooted in continuous authentication.  So, where is the industry in developing these tools? And, what needs to occur for continuous authentication to take hold as a reliable, more secure element of IAM?

Tools in development

A promising form of continuous authentication is centered on unique human behaviors. Known as behavioral biometrics, these tools monitor things like keystroke dynamics (typing rhythm: how long keys are held and the time between keys) and mouse movement; some products pair them with a physiological trait such as an iris pattern. The technology works in the background, without interrupting the user.

By tracking these actions and building a unique behavior-based profile, the technology can automatically and continually check whether a device has switched hands or a Web application has switched users. For example, when tracking keystroke patterns, the tool measures how quickly you reach the next key and how long you hold down certain keys. If the typing pattern drifts far enough from the profile, the session can be locked or challenged with a fresh authentication step, shutting out the non-authenticated user.
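The keystroke-dynamics check described above, as an added example (this is illustrative code written for this article, not Intermedia's product or any vendor's implementation). It enrolls a typing profile from dwell times (how long a key is held) and flight times (release of one key to press of the next), scores each new window of keystrokes as a mean absolute z-score against that profile, and only escalates after consecutive anomalous windows so a single noisy window does not lock out the real user. The window size, the 3.0 threshold, the two-strike rule and the synthetic typing streams are all assumptions.

```python
"""Keystroke-dynamics session monitor (added example; not vendor code).

Enrols a user's typing rhythm, then scores each new window of keystrokes
against that profile and escalates when the rhythm drifts.  Thresholds,
window size and the synthetic typing data below are assumptions.
"""
import random
from statistics import mean, pstdev
from typing import List, Sequence, Tuple

# One keystroke: (key, press time in ms, release time in ms).  Constructed data.
Keystroke = Tuple[str, float, float]


def extract_features(window: Sequence[Keystroke]) -> List[float]:
    """Summarise a window as dwell (hold) and flight (release-to-next-press) statistics."""
    dwell = [release - press for _, press, release in window]
    flight = [window[i + 1][1] - window[i][2] for i in range(len(window) - 1)]
    return [mean(dwell), pstdev(dwell), mean(flight), pstdev(flight)]


class KeystrokeProfile:
    """Per-user profile: mean and spread of each feature over the enrollment windows."""

    def __init__(self, enrollment: Sequence[Sequence[Keystroke]]):
        vectors = [extract_features(w) for w in enrollment]
        columns = list(zip(*vectors))
        self.mu = [mean(c) for c in columns]
        # Floor the spread so a degenerate feature cannot divide by zero.
        self.sigma = [max(pstdev(c), 1e-6) for c in columns]

    def score(self, window: Sequence[Keystroke]) -> float:
        """Mean absolute z-score: around 1 for the enrolled user, large for anyone else."""
        feats = extract_features(window)
        return mean([abs(f - m) / s for f, m, s in zip(feats, self.mu, self.sigma)])


class SessionMonitor:
    """Continuous check: one odd window is tolerated, consecutive odd windows trigger step-up."""

    def __init__(self, profile: KeystrokeProfile, threshold: float = 3.0, strikes: int = 2):
        self.profile, self.threshold, self.strikes = profile, threshold, strikes
        self.anomalies = 0

    def observe(self, window: Sequence[Keystroke]) -> str:
        if self.profile.score(window) > self.threshold:
            self.anomalies += 1
        else:
            self.anomalies = 0           # one good window clears a single false alarm
        if self.anomalies >= self.strikes:
            return "step_up"             # lock the session or demand re-authentication
        return "suspect" if self.anomalies else "ok"


def synth_typing(rng: random.Random, n: int, dwell_mu: float, dwell_sd: float,
                 flight_mu: float, flight_sd: float) -> List[Keystroke]:
    """Constructed keystroke stream with Gaussian dwell and flight times (hypothetical)."""
    events, t = [], 0.0
    for i in range(n):
        press = t
        release = press + max(rng.gauss(dwell_mu, dwell_sd), 1.0)
        events.append((chr(97 + i % 26), press, release))
        t = release + max(rng.gauss(flight_mu, flight_sd), 1.0)
    return events


def demo() -> Tuple[List[str], List[str]]:
    """Enrol an owner, then watch five owner windows followed by three intruder windows."""
    rng = random.Random(7)
    owner = lambda: synth_typing(rng, 30, 90, 12, 120, 30)      # enrolled user's rhythm
    intruder = lambda: synth_typing(rng, 30, 140, 20, 220, 50)  # someone else at the keyboard
    profile = KeystrokeProfile([owner() for _ in range(20)])
    monitor = SessionMonitor(profile)
    owner_states = [monitor.observe(owner()) for _ in range(5)]
    intruder_states = [monitor.observe(intruder()) for _ in range(3)]
    return owner_states, intruder_states


if __name__ == "__main__":
    print(demo())
```

The two-strike rule is the practical part: a z-score threshold alone produces the false rejections the article warns about later, so production systems typically require sustained drift, and answer it with a step-up challenge rather than an outright lockout.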

Other techniques being developed include behavioral profiling, which uses Webcams to monitor your face and even the color of clothing, as well as micro-movement and orientation dynamics that take into account how you grasp, hold and tap your smartphone.

Hello enterprise 

For continuous authentication tools to take hold in the enterprise, much more research and development is needed to ensure accuracy, and in particular a low false-rejection rate. People don't have the tolerance or patience for inaccuracies. For example, if you are authorized to access a particular Web application and the device continually restricts access, the frustration mounts. You are you, but explaining that to the computer requires IT intervention.

Think of it in these terms: You try to enter a bar with a legitimate ID, but the bouncer believes it’s a fake and won’t let you in. You know you have the right to go in, but there’s little you can do. The bouncer has made up his mind. Obviously not being able to get into work devices and Web applications has more severe consequences, as it hinders productivity and your overall livelihood. It leaves you turning to less-secure devices and Web applications, getting less done or potentially compromising confidential information.

It’s unlikely that employees will ever rid themselves of the bad habit of device and password sharing – a recent survey shows 46% of respondents share logins with multiple users. The onus to recognize these challenges and amp up security falls on you.

While continuous authentication is still in its early stages, businesses are adopting technologies like context-based authentication that define trust by contextual elements such as user role, geolocation, device type, device health and network. When you log into a Web application, contextual factors are analyzed and access is granted or denied.

Beyond authentication lies authorization – what you can and can’t do within the application. If you are already logged into a Web application and move from the trusted corporate network to an unknown wireless network, context-based authorization can dynamically re-shape the features, functions and data that you are able to access.
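The context-based authentication and authorization just described, as an added example (illustrative code for this article, not Intermedia's or any vendor's product). Entitlements start from the user's role and are then narrowed by context: network zone, whether the device is managed, device health and country. The session re-derives its rights whenever the context changes, so moving from the corporate network to an unknown wireless network mid-session silently drops the export capability. The tiers, rule set and country list are assumptions.

```python
"""Context-aware session authorization (added example; not vendor code).

Rights are derived from role plus context and recomputed whenever the
context changes mid-session.  Rules, tiers and the country list are
hypothetical policy choices for illustration.
"""
from dataclasses import dataclass
from typing import FrozenSet, Set, Tuple

ALLOWED_COUNTRIES = frozenset({"US", "GB", "AU"})   # hypothetical geolocation policy

ROLE_ENTITLEMENTS = {
    "admin":   frozenset({"read", "write", "export", "admin"}),
    "analyst": frozenset({"read", "write", "export"}),
    "viewer":  frozenset({"read"}),
}


@dataclass(frozen=True)
class Context:
    role: str
    network: str          # "corporate", "vpn" or "unknown"
    device_managed: bool  # enrolled in device management
    device_healthy: bool  # e.g. disk encrypted and patched; assessed elsewhere
    country: str


def authorize(ctx: Context) -> FrozenSet[str]:
    """Start from role entitlements, then strip capabilities the context cannot justify."""
    allowed: Set[str] = set(ROLE_ENTITLEMENTS.get(ctx.role, frozenset()))
    if not ctx.device_healthy:
        return frozenset()                       # quarantine until the device is remediated
    if ctx.network == "unknown":
        allowed -= {"export", "admin"}           # no bulk data out over untrusted networks
    if not ctx.device_managed:
        allowed -= {"write", "export", "admin"}  # view-only from personal devices
    if ctx.country not in ALLOWED_COUNTRIES:
        allowed &= {"read"}                      # read-only from unexpected locations
    return frozenset(allowed)


class Session:
    """An authenticated session whose rights are re-derived on every context change."""

    def __init__(self, ctx: Context):
        self.ctx = ctx
        self.allowed = authorize(ctx)

    def update_context(self, new_ctx: Context) -> Tuple[FrozenSet[str], FrozenSet[str]]:
        """Apply a new context; return (revoked, granted) so the app can react immediately."""
        previous = self.allowed
        self.ctx = new_ctx
        self.allowed = authorize(new_ctx)
        return previous - self.allowed, self.allowed - previous

    def can(self, action: str) -> bool:
        return action in self.allowed


def demo():
    """Analyst logs in at the office, then the laptop joins an unknown wireless network."""
    office = Context("analyst", "corporate", True, True, "US")
    cafe = Context("analyst", "unknown", True, True, "US")
    session = Session(office)
    before = session.allowed
    revoked, granted = session.update_context(cafe)
    return before, revoked, granted, session.allowed


if __name__ == "__main__":
    print(demo())
```

The important design point is that authorization is a function of the current context, not a set of rights stamped on the session at login; the application must consult `authorize` (or the cached result of the last `update_context`) on every sensitive action rather than trusting what was granted earlier.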

What’s clear is continuous authentication needs to evolve into a more accurate and proven method before enterprise adoption is seen. But once this step is taken, the security and convenience it provides will be an ideal fit for today’s increasingly mobile workforce. 

Walters is SVP of security products at Intermedia.
