What is continuous user authentication? The best defense against fraud

The first time I heard the phase “continuous user authentication” was just two weeks ago, from a rousing keynote address Jim Routh, CSO for Aetna, gave in San Diego for CISO Connect, an invitation-only community for CISOs and other top security executives. Routh explained that today most authentication is binary at the logon. Users are prompted to give their authentication proofs, and if successful, can now do anything on the system that they have been privileged ahead of time to accomplish.

Routh sees a day in the near future where benign behavioral attributes are consistently evaluated and compared to an established pattern. Deviation from the established pattern may trigger a step-up authentication for higher risk application functions. Everything the logged on user does is constantly re-evaluated, and if they do something leading to an elevated risk scenario, they might be re-authenticated, asked for additional proof of identity, or possibly denied. It’s a fantastic idea that blew my mind!

Binary authentication allows you to do nothing (not authenticated) or everything previously allowed (after a successful authentication). The biggest negative of this type of authentication is that if bad guys gets your credentials, they can do anything including deleting your account. If they create a new fake account on a legitimate system, they can use it as a base for all sorts of badness.

But with continuous user authentication, benign behavioral attributes are consistently evaluated and compared to an established pattern. Deviation from the established pattern may trigger a step-up authentication for higher risk application functions. It’s a fantastic idea that makes evaluating user behavior only at the logon sounds so horse-and-buggy. How did we ever survive with that archaic security model? 

Adaptive authentication was the first step

I’ve been in love with adaptive authentication since I learned about it many years ago while working at Microsoft. I was sitting in a meeting where the Hotmail email security managers were talking about how they were beta testing a new feature that looked at many different user “attributes” to evaluate whether or not the user’s logon was legitimate or suspicious. They planned to look at where the user usually logged on from, what browser and OS attributes they usually logged on from, what hours of the day, and so on.

By the time I wrote about adaptative authentication a few months later, Microsoft’s adaptive authentication team had come up with over a hundred user attributes to evaluate at user logon. The new logon attributes even included how long it took the user to type in their ID and password. It was pretty cool for the time.

Google and other large email providers were doing the same thing. Because none of them were going to tell me what they did to evaluate a user’s logon for legitimacy, I tested what different web service providers did as part of their adaptive logon evaluations. I was interested in what attributes were tracked and for how long.

As a world traveler, I loved logging into Gmail’s console to see it flash me a warning about where I had last logged in from and have it prompt me to verify that my current logon attempt was legitimate. At first, they sent me email messages to my secondary account. That morphed into instant SMS messages where I was given a code that I had to type in in addition to my normal logon credentials. Today, many websites have adaptive authentication logons, and at least a few methods you can select among so that they can verify the legitimacy of your current logon attempt.

On some systems I found that if I used the same computer at the same hotel, even if over a year later, I wasn’t prompted for additional authentication proof. Others would not prompt me for additional logon authentication even if I used different computers at the same hotel. Some remembered my device choices for years and others seemed to forget my new device registrations after a few months. I would spend hours changing browsers’ user agent strings to see what did and didn’t set off the adaptive authentication requirements for different services.

We already have continuous user authentication

As great as adaptive authentication is, most of it is still a binary decision at logon time. You might have to get through a few different authentication factors to log on, but once you’re in, you can do anything you were previously privileged to do. It’s good, but not great.

Continuous user authentication is another huge step forward. To me, it’s like Neil Armstrong’s first step on the moon. With continuous user authentication, what the user does while already logged on is part of the authentication equation. If the system sees you acting in ways that differ from your previous authenticated experiences, it creates a red flag and increases or decreases a value score that determines if you are legitimate or if what you’re doing is highly risky (to the service or your account). If that score is high enough, then your current authenticated session can be suspended or submitted for additional scrutiny, or you can be prompted to provide the same or additional authentication factors.

This isn’t a new concept. The credit card industry has been trying to perfect continuous user authentication for decades. You’re probably only aware of it happening when a purchase you’re trying to make is blocked because the credit card (or debit card) vendor has suspended your transaction. In the old days, you would call the card vendor, verify your identity, and they would approve the transaction. Today, you will usually get an SMS message from the vendor asking you to verify the current financial transaction.

It’s not perfect. My wife was blocked buying something in the same Walmart where I bought something a minute earlier (perhaps that was the suspicious attribute that triggered the warning). By the time the credit card company sent me the SMS message to confirm the transaction, a minute or so had gone by and my wife had already provided another payment method. Of course, it awkwardly delayed her transaction and she was slightly embarrassed by the false-positive denial, with people in line behind her. Still, even if not perfect, I’m glad my credit card company is looking out for my account.

All credit card vendors are working hard to minimize false-positives because they know that every false-positive is causing customer inconvenience and negative sentiments. If too many false-positives happen, the customer will choose another vendor. That’s something no vendor wants.

What’s changed is that continuous user authentication is moving more and more to the digital world. It’s moving from the physical world into purely online, digital actions. The attributes and trait implications are far more interesting than simply in what stores and locations you are using your credit card.

Over the last few years, a flurry of different continuous authentication methods have been suggested, tested, and refined. They include, for example, device positioning (how you normally hold your mobile device), finger pressure, touch screen gestures, or expanded biometric observation.

Seamless user authentication

Continuous user authentication also leads to the concept of seamless user authentication, where the user doesn’t have the traditional binary authentication logon interruption at all. The user starts the app and is seamless authenticated using an authentication method they are not even aware of, say facial recognition, device ownership or typing characteristics. Then, and only if they are either performing something of high value or unusual for past transactions, will they be prompted for additional authentication.

It’s already happening in limited ways on some platforms or apps, such as when your cell phone or computer automatically recognizes you and logs you in when you stare at it. The work on continuous user authentication and seamless user authentication are rapidly progressing. Ideas and tests are multiplying at an exponential rate. A lot of the solutions involve cameras and biometric attributes. One of my favorite research proposals is a method that continually measures your fingerprints while you are using a mouse.

The implications are very, very cool.

It’s an exciting time to be in the computer security world as far as authentication is concerned. Authentication is getting more and more secure every day. Users are getting more authentication options, including more two-factor authentication choices. After years of false hope, open source authentication standards such as FIDO are being developed and deployed. Authentication protections are increasing around the systems being used to verify authentication, and adaptive authentication seems to be showing up everywhere, and it’s smarter than ever.

As vendors work to take more accurate attribute measurements of us, the traditional concept of authentication will just fade away into obscurity. The future of authentication is that you will be authenticated without you even knowing about it. No interruptions; just be yourself. The idea that we had to be prompted for an ID and authentication proof before we could log into our app or take advantage of a service will seem quaint and primitive. It is likely that our grandkids will not know what the term “password” means.