What is continuous user authentication? The best defense against fraud

Authenticating all user actions and attributes throughout a session ultimately provides the best defense against fraud and account abuse.


The first time I heard the phrase “continuous user authentication” was just two weeks ago, in a rousing keynote address Jim Routh, CSO for Aetna, gave in San Diego for CISO Connect, an invitation-only community for CISOs and other top security executives. Routh explained that today most authentication is binary at the logon. Users are prompted to give their authentication proofs, and if successful, they can now do anything on the system that they have been privileged ahead of time to accomplish.

Routh sees a day in the near future where benign behavioral attributes are consistently evaluated and compared to an established pattern. Deviation from the established pattern may trigger a step-up authentication for higher risk application functions. Everything the logged on user does is constantly re-evaluated, and if they do something leading to an elevated risk scenario, they might be re-authenticated, asked for additional proof of identity, or possibly denied. It’s a fantastic idea that blew my mind!

Binary authentication allows you to do nothing (not authenticated) or everything previously allowed (after a successful authentication). The biggest negative of this type of authentication is that if bad guys get your credentials, they can do anything, including deleting your account. If they create a new fake account on a legitimate system, they can use it as a base for all sorts of badness.

But with continuous user authentication, benign behavioral attributes are consistently evaluated and compared to an established pattern. Deviation from the established pattern may trigger a step-up authentication for higher risk application functions. It’s a fantastic idea that makes evaluating user behavior only at the logon sound so horse-and-buggy. How did we ever survive with that archaic security model?
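As an added illustration (not code from the article or from Routh's talk), here is a small Python policy that re-scores every action in a session against the user's established pattern and steps up or denies on deviation, next to the binary model it replaces. The deviation weights, thresholds, function names and sample actions are all assumed.

```python
from dataclasses import dataclass

ALLOW, STEP_UP, DENY = "allow", "step_up", "deny"

# Assumed scoring model: how far an action's attributes stray from the user's
# established pattern, plus how much damage the requested function can do.
DEVIATION_WEIGHTS = {"device": 2, "country": 2, "off_hours": 1}
FUNCTION_RISK = {"view_balance": 0, "transfer": 2, "change_email": 2, "delete_account": 3}
STEP_UP_AT, DENY_AT = 3, 6  # thresholds on the combined score (assumed)


@dataclass
class Baseline:
    """Benign behavioral attributes learned from the user's past sessions."""
    devices: set
    countries: set
    active_hours: range  # hours of day the user is normally active


@dataclass
class Session:
    baseline: Baseline
    stepped_up: bool = False  # extra proof of identity already supplied this session


def deviations(baseline, action):
    """Name each attribute of this action that departs from the established pattern."""
    found = []
    if action["device"] not in baseline.devices:
        found.append("device")
    if action["country"] not in baseline.countries:
        found.append("country")
    if action["hour"] not in baseline.active_hours:
        found.append("off_hours")
    return found


def binary_decision(session, action):
    """Logon-only model: once authenticated, every pre-authorized action is allowed."""
    return ALLOW


def continuous_decision(session, action):
    """Re-evaluate each action: risk = deviation from pattern + function sensitivity."""
    score = sum(DEVIATION_WEIGHTS[d] for d in deviations(session.baseline, action))
    score += FUNCTION_RISK.get(action["function"], 3)  # unknown functions count as high risk
    if score >= DENY_AT:
        return DENY  # too far off pattern even with step-up: possible hijacked session
    if score >= STEP_UP_AT and not session.stepped_up:
        return STEP_UP  # ask for additional proof before this higher-risk function
    return ALLOW


def complete_step_up(session):
    """Record that the user passed the step-up challenge for this session."""
    session.stepped_up = True
```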

Adaptive authentication was the first step

