User authentication is one of the most important and fundamental building blocks of security. Authentication is built on username, password, token, biometrics or any combination of these. Regardless of the model, authentication is performed when the user starts his/her interaction with the target system.
What do you do if you require a higher level of authentication? What if you need to make sure the user interacting with your system is always whom they say they are. This is where the concept of continuous authentication comes in. We started to see this concept implemented for the mass-market with the Apple Watch and Apple Pay. You authenticate Apple Pay once and as long as the watch stays on your wrist (validated with a pulse), you do not need to re-authenticate. Apple pay can be sure that the person wanting to make a payment is the user that authenticated originally.
Continuous Authentication is a paradigm shift moving authentication from an event to a continuous risk management process.
Dynamic risk-based authentication means the system is continuously monitoring changes to environmental parameters and can decide the trustworthiness of users continually.
The shift to continuous authentication is inevitable. Not only will it make authentication more natural for the user but it will allow security administrators to implement much tighter security models.
As an example, if the user walks away from the computer, the system could notice and freeze the interactive session. Another example is a user working on a PC is tricked and launches malware. The system could be intelligent enough to know that a rogue process is attempting to masquerade as the user and block access.
Continuous authentication is to use the full array of modern technologies and others that have yet to be released. Parameters such as keyboard typing speed and style, how the user swipes on a touchscreen device, how the user moves the mouse, the camera input (from modern day cameras), gait analysis using the accelerometer in a smartphone or smartwatch, etc.
Although continuous authentication will be easy for users, expect it to be very complicated for developers. Expect this to be a burgeoning market in the coming years, something most security professionals have to start thinking about. We expect to start seeing serious mass market products around 2020-2021.