Rob van der Staaij

Continuous authentication seems to be the new buzzword in a world where cyber risks are soaring and passwords have become more of a burden than a contribution to security. It is clear that passwords are no match for modern forms of cybercrime such as replay attacks, session hijacking and man-in-the-browser attacks. At the same time, people are becoming more mobile, and the number of applications and devices they use keeps growing. All of these factors make the need for password alternatives more and more urgent, especially for high-risk transactions.

For decades, a myriad of authentication methods has been presented as the final password killer, ranging from all sorts of hardware devices to a variety of biometric methods. So far, none of them has proved capable of permanently banishing the password. The reason for this has everything to do with finding the right balance between user friendliness, cost and security. Passwords may be less secure, but they are convenient and cheap to implement. Many people are lazy: they don’t want to be bothered too much for something they consider a side issue, such as authenticating themselves. At first, biometrics seemed to be the egg of Columbus. This concept brings physical and behavioral characteristics, which are unique to each person, into the authentication process. Due to the high cost and complexity, biometric authentication initially failed to succeed.

Nowadays, however, biometrics are becoming cost-efficient and technically more feasible. More and more devices come equipped with one or more biometric authentication mechanisms. This will pave the way for continuous authentication. By combining multiple physical and behavioral characteristics and monitoring them continuously, the degree of reliability increases and biometrics become more useful. Moreover, contextual factors, such as GPS location, IP address, time and device type, can be included in the authentication process, making the whole concept even more reliable.

Continuous authentication (also called active or seamless authentication) can be explained as constantly verifying the identity of the user, for example by monitoring a combination of facial pattern, frequency of eye blinking, fluctuation of pupil size, and keystroke or swipe dynamics. This is in sharp contrast with conventional authentication methods, in which the user authenticates him- or herself only during the initial login process. That approach introduces significant risks, since sessions and identities can be taken over with a variety of cyber attacks such as the ones mentioned above. Moreover, a mobile device can be grabbed out of one’s hands while a risky transaction is being performed.

Of course, a number of challenges remain. Precisely those biometric methods that can be used for continuous authentication are less accurate. More precise methods, such as scanning the retina or iris, are less useful, as they require the user to look at the scanning mechanism from time to time. Also, a user may change workplace or device. In a number of use cases, continuous authentication may need to be combined with adaptive authentication (also called step-up authentication or risk-based authentication), in which the user is presented with a stronger authentication method when the transaction is riskier. This presents further challenges from an implementation point of view. Nevertheless, continuous authentication seems promising, especially for environments with a high risk profile such as financial organizations.


Is it right or wrong?

A big challenge of biometric authentication of any kind is the degree of reliability. Firstly, there are significant differences in reliability between the various biometric methods, but there is also a problem that all biometric methods have in common. This problem is known as finding the right balance between the false reject rate and the false accept rate. The measurement or scanning of body characteristics must be strict enough to exclude an impostor, but cannot be too strict, since that may prevent the legitimate user from being authenticated. A person's physical characteristics can vary because of fatigue, illness, dirt or aging. Also, the way in which the biometric feature is scanned will vary due to sensor noise and due to the fact that the angle or position of the body characteristic changes during the scanning process.
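As an added example that is not part of the original article, the script below makes the false accept / false reject trade-off concrete and ties it to the step-up decision described earlier: it sweeps a match-score threshold over constructed genuine and impostor score samples to find the point where the two error rates meet, and then fuses several behavioral scores from a session window (with a context check) into a continue / step-up / lock decision. The score values, weights and the width of the step-up band are assumptions chosen for illustration.

```python
# Added example: FAR/FRR threshold sweep plus a fused continuous-authentication
# decision. All sample scores below are constructed, not measured data.

# Constructed similarity scores in [0, 1]: higher means "looks more like the
# enrolled user". Genuine = legitimate user, impostor = someone else.
GENUINE = [0.92, 0.88, 0.75, 0.81, 0.95, 0.70, 0.85, 0.78, 0.90, 0.66]
IMPOSTOR = [0.40, 0.55, 0.62, 0.35, 0.48, 0.71, 0.52, 0.30, 0.58, 0.45]


def far_frr(genuine, impostor, threshold):
    """False accept rate (impostors scoring at or above the threshold) and
    false reject rate (genuine users scoring below it) for one threshold."""
    far = sum(s >= threshold for s in impostor) / len(impostor)
    frr = sum(s < threshold for s in genuine) / len(genuine)
    return far, frr


def equal_error_threshold(genuine, impostor, steps=100):
    """Sweep thresholds 0.00 .. 1.00 and return (threshold, far, frr) at the
    point where FAR and FRR are closest: the usual equal-error-rate tuning."""
    best = None
    for i in range(steps + 1):
        t = i / steps
        far, frr = far_frr(genuine, impostor, t)
        gap = abs(far - frr)
        if best is None or gap < best[0]:
            best = (gap, t, far, frr)
    return best[1:]


def session_decision(window_scores, weights, context_ok, threshold, band=0.15):
    """Fuse the latest scores of several behavioral signals (weighted mean)
    and map the result to an action. A context anomaly (assumed flag, e.g. a
    new device or unexpected location) forces step-up regardless of score.
    The 'band' below the threshold that triggers step-up rather than a lock
    is an assumed tuning value."""
    fused = sum(w * s for w, s in zip(weights, window_scores)) / sum(weights)
    if not context_ok:
        return "step-up"
    if fused >= threshold:
        return "continue"
    if fused >= threshold - band:
        return "step-up"
    return "lock"


if __name__ == "__main__":
    t, far, frr = equal_error_threshold(GENUINE, IMPOSTOR)
    print(f"EER threshold {t:.2f}: FAR={far:.2f} FRR={frr:.2f}")
    # Window of (face, keystroke, swipe) scores, face weighted double.
    print(session_decision([0.9, 0.8, 0.85], [2, 1, 1], True, t))
```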