User account authentication seems stuck with 18th-century pin-tumbler locks in an era of heat-sensitive, motion-detecting vaults with man traps and biometric sensors. As I recently discussed, two-factor authentication (2FA) techniques have become more convenient and widely used and, with the exception of codes sent via SMS, are capable of thwarting the vast majority of identity thieves.
However, as their use expands, the whack-a-mole experts in the cybercrime community are devising devious ways of working around many 2FA implementations, such as session hijacking via a proxy, SIM swapping (as mentioned in my previous column) or password reset processes that bypass 2FA.
There are dozens of alternatives to password-based authentication; however, as Microsoft researchers noted three years ago, most have problems or limitations. As the authors highlight, it’s difficult to get an objective evaluation of the various techniques due to “the diverse interests of various communities,” in which security experts focus on theoretical impenetrability, usability testers on convenience, and inventors and product developers are incapable of objectivity.
As with network security, an ideal, or at least vastly improved, user authentication system must incorporate multiple techniques in a layered approach: it augments the initial login, using some form of two-factor authentication (2FA), with subsequent monitoring and policy enforcement.
The term of art, or less charitably, the buzzword for such a system is continuous authentication, and after several years of simmering discussions and robust product development by security experts, the concept has emerged as part of a new category of post-authentication security products. These combine continual monitoring of user activity with advanced biometrics, machine learning, and crowd-sourced data to produce a security system that vastly improves upon traditional login techniques.
AI-infused continuous security
Continuous authentication was popularized several years ago by Gartner, which, as it is prone to do, tagged it with a clever acronym, CARTA (continuous adaptive risk and trust assessment). While continual monitoring is nothing new to network security experts, the adaptive piece is critical to making the concept work for user authentication, and machine learning is the key to building an effective adaptive system.
Biometrics provide the tool for ensuring that the system is convenient for users that might face additional authentication requests after the initial login, since any cumbersome security system that adds undue friction will cause user rebellion and resistance as they seek to bypass it.
Gartner correctly observes that using machine learning to analyze user behaviors and application activity is required to make a continuous authentication system work. Indeed, it claims that by 2022, AI-enabled systems will displace traditional passwords in 90 percent of all digital authentications, writing last year, (emphasis added),
Users need more convenient and accurate options for unlocking their devices. Security technologies that combine machine learning, biometrics and user behavior will become necessary to improve ease of use, self-service and frictionless authentications. Within the next five years new security technology will recognize the user, prevent fraud and detect automation threats such as malware, remote access trojans and malicious bots.
One pillar of the CARTA strategy is the replacement of one-time security “gates” with “context-aware, adaptive and programmable security platforms.” It’s a change that Dawud Gordon, the CEO and co-founder of TwoSense, observes requires some form of continuous authentication system “rather than one big identity check followed by a session with a fixed expiration.” Citing his PhD research on the topic, Gordon concludes “that the vast majority of system context that relates to the user and their identity is synonymous with user behavior.” He notes that in developing a continuous authentication product at TwoSense (emphasis added),
The main issue we have identified is that no form of traditional authentication can be used continuously without some form of continuous user work. For authentication to be continuous, it must be effortless, and if it’s effortless it must be using what the user is doing anyway, and therefore be behavior-based.
Figure: Inputs for CARTA, including “Behavioral Signatures” and “Historical Behaviors.”
Source: originally from Gartner, as cited by Gordon in “Gartner Pushes Focus on Continuous Authentication for 2019.”
As I detail below, one company developing continuous authentication software is Acceptto and one of its early investors and adopters is Aetna, which has decided that 2FA isn’t enough to combat new threats such as session hijacking, spear phishing and 2FA code spoofing. According to Aetna’s CSO, Jim Routh (emphasis added),
We’re moving into a realm of continuous, behavioral-based authentication, where we know enough about the end user, their use of technology, and their behavior that we can develop a mathematical representation of that. Then, we can measure their actual behavior against that mathematical representation, see what the variance is between the two, calculate that in a risk score, and the risk score feeds the app that provides access based on what that risk score is, and then, different apps can make different decisions based on different thresholds. So essentially, it’s a continuous authentication process.
Elements of a continuous authentication system
As Gordon’s experience at TwoSense indicates, many companies, typically small, focused startups, are working on continuous authentication software. Besides TwoSense, these include Biocatch, Plurilock, Okta and Acceptto, the last of which we’ll use as an example of how these products augment traditional sign-on systems.
As Acceptto CEO Shahrokh Shahidzadeh told me, the company works from the premise that everyone’s user credentials are already compromised and that an organization’s only recourse is supplementing authentication with post-authorization using behavioral modeling.
The heart of Acceptto’s system is the eGuardian cognitive engine that tracks and learns ‘normal’ behavior patterns for users, devices and applications. Shahidzadeh says its ML model uses factors like:
- Someone’s device and application usage (via app and browser fingerprinting), temporal and geographic patterns (typical times of day and locations when accessing internal systems) and network parameters.
- Behavior after authorization, such as systems and file shares accessed, how much data someone accesses and shares, and the applications used.
The system builds a profile of typical user habits that it uses to assess ‘normalcy’ in real time. For example, did you first log in between 7 and 8 from what eGuardian geolocates to be your home, then drive 10 miles to another location where other users are also located (the office) before accessing other applications and data sources? Likewise, did you unexpectedly try to access a database you hadn’t previously used from a network address in Brazil and then, one hour later, another database from an address in Nigeria?
Shahidzadeh says Acceptto doesn’t just create behavior models for individuals, but also for groups of users or project teams in the same organization, along with a special model for “bad actors,” aka malevolent hackers, cybercriminals and identity thieves. Deviations from the normal approved behavior (for users and groups) or, for the malefactors’ group, conformance to known bad behavior can trigger different levels of response, whether that is blocking the activity, sending an alert to the security team or pushing an update to network firewall rules.
A critical feature of behavioral authentication systems is the ability to work with an organization’s existing fleet of IT infrastructure, SSO software, and its enterprise directory, along with on-premises and mobile applications and cloud services. Acceptto achieves such integration via REST APIs, a mobile SDK, a separate It’s Me mobile app and plug-ins to third-party products.
Biometrics make continuous authentication more convenient
We must reiterate a critical distinction made in a paper by the International Biometrics + Identity Association, namely that behavioral biometrics are not designed to replace traditional 2FA password authentication but to supplement it. As the paper points out,
By offering an additional, continuous layer of identity assurance, behavioral biometrics prevents the password from being a single point of security failure.
A critical challenge with a continuous authentication system comes when a user’s activity prompts a so-called risk score that forces action. High enough risks are easy enough to handle: the user is disconnected from the network and all applications. In grey areas, it’s better to force a reauthentication; however, a full 2FA session might not be required if biometrics have been securely linked to a user’s identity.
Apple does this in iOS, using biometrics to make its authentication regime for privileged functions (such as App Store purchases, app access, etc.) more granular since the advent of Face ID. Independent security analyst Rich Mogull cogently summed up Apple’s implementation of continuous authentication this way (emphasis added),
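As an added illustration, not code from Acceptto, Aetna or any product named here, the Python sketch below shows the baseline-versus-variance idea Routh describes and the ‘normalcy’ checks in the Acceptto section: it scores a constructed event stream against a hand-built profile, flags the Brazil-then-Nigeria impossible-travel case, and maps the score to allow, re-authenticate or block using per-application thresholds. The baseline, the weights, the 1,000 km/h travel limit and the coordinates are all assumptions chosen for the example.

```python
import math
from datetime import datetime

# Constructed baseline for one user (assumed, not Acceptto's learned model).
BASELINE = {
    "hours": range(7, 19),                                   # usual working hours
    "locations": [(37.77, -122.42, "home"), (37.87, -122.27, "office")],
    "apps": {"email", "crm"},                                # apps normally used
}
def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two (lat, lon) points."""
    p1, p2, dl = math.radians(lat1), math.radians(lat2), math.radians(lon2 - lon1)
    h = math.sin((p2 - p1) / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * 6371 * math.asin(math.sqrt(h))
def risk_score(event, baseline, prev=None):
    """0-100 score for how far one event deviates from the baseline (weights illustrative)."""
    score, ts = 0, datetime.fromisoformat(event["ts"])
    if ts.hour not in baseline["hours"]:
        score += 20                                          # unusual time of day
    if min(haversine_km(event["lat"], event["lon"], la, lo) for la, lo, _ in baseline["locations"]) > 50:
        score += 30                                          # far from every known location
    if event["app"] not in baseline["apps"]:
        score += 20                                          # application never used before
    if prev is not None:
        km = haversine_km(event["lat"], event["lon"], prev["lat"], prev["lon"])
        hrs = (ts - datetime.fromisoformat(prev["ts"])).total_seconds() / 3600
        if hrs > 0 and km / hrs > 1000:
            score += 40                                      # impossible travel since last event
    return min(score, 100)
def decide(score, thresholds=(30, 70)):
    """Map a score to an action; each application can pass its own (reauth, block) pair."""
    reauth, block = thresholds
    return "block" if score >= block else "reauth" if score >= reauth else "allow"
def evaluate_session(events, baseline=BASELINE, thresholds=(30, 70)):
    """Score a chronological event stream; returns one (score, action) per event."""
    results, prev = [], None
    for ev in events:
        score = risk_score(ev, baseline, prev)
        results.append((score, decide(score, thresholds)))
        prev = ev
    return results

# Constructed session: two normal logins, after-hours use of a new app, a database from Brazil, then Nigeria an hour later.
SESSION = [
    {"ts": "2019-03-04T07:30:00", "lat": 37.77, "lon": -122.42, "app": "email"},
    {"ts": "2019-03-04T08:15:00", "lat": 37.87, "lon": -122.27, "app": "crm"},
    {"ts": "2019-03-04T21:05:00", "lat": 37.87, "lon": -122.27, "app": "payroll"},
    {"ts": "2019-03-05T21:00:00", "lat": -23.55, "lon": -46.63, "app": "finance-db"},
    {"ts": "2019-03-05T22:00:00", "lat": 6.52, "lon": 3.38, "app": "hr-db"},
]
```

Running `evaluate_session(SESSION)` yields allow, allow, reauth, block, block: the after-hours payroll access lands in the grey area where a biometric re-check suffices, while the two foreign database accesses exceed the block threshold. A less sensitive application could pass `thresholds=(50, 90)` and let the same 40-point event through.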
In short, Face ID allows your iPhone X to authenticate you under nearly every circumstance you need without requiring any action other than looking at the screen, which you’ll do anyway...I’ve previously said that Touch ID lets you use a strong password with the convenience of no password at all. Face ID exceeds that mark, and its introduction of continuous authentication may be the ultimate expression of effortless security.
Facial recognition is but one biometric that can be used for convenient re-authentication; other physical characteristics can also be uniquely modeled, including movement, gait or hand position when using a device, behavior patterns such as finger pressure and cadence when typing, and voice.
User reauthorization and security monitoring are a compelling use of the combination of behavioral analysis and biometric authentication. However, as the IBIA report highlights, other promising applications include fraud detection and prevention, insider threat detection and data loss prevention.
The appeal of continuous user security spans industries according to Shahidzadeh, who says that Acceptto customers aren’t confined to the usual security-conscious businesses like financial services, but include companies in other businesses and higher education. The common denominator is an organization that tends to be an early adopter of new technology and that recognizes the limitations of conventional authentication systems.
A classic problem for security systems is striking the right balance between convenience and security. Tilt too much towards the latter at the expense of usability and you’re destined to fail under the weight of user resistance. Thus, the success of continuous authentication hinges on its usability, which is where the combination of fast biometric scanning paired with background ML data analysis is critical.
While initial products seem to have successfully navigated the competing values of usability and security, the ultimate success of continuous authentication systems hinges on their ability to incorporate new biometric features, minimize the friction of reauthentication and continual monitoring and resist (or, more likely, rapidly redress) compromises by hackers finding weak points in the design and its implementation.
Despite the potential for continuous authentication to significantly improve security, enterprises first need to get the basics right, and on this front, the data indicates there’s plenty of work left to do. A survey by the Ponemon Institute for Yubico (a leading provider of 2FA technology, so some skepticism required) finds that only 45 percent of respondents say their organizations require employees to use two-factor or multi-factor authentication to access enterprise accounts. Of those, a plurality use codes sent via SMS, which as I previously detailed are the least secure form of 2FA.
Since 2FA is the secure foundation on which a continuous authentication system is built, most organizations should focus on improving their sign-on procedures before considering a product like Acceptto. Fortunately, security laggards have time, since biometric-enhanced continuous authentication technology is nascent and will rapidly improve over the coming years. However, there’s no time to waste, since the risk and cost of security breaches have never been higher and, as recent ransomware and IP theft incidents demonstrate, every organization is a potential target.