Virtasant at re:Invent: Your source for re:Invent and cloud innovation this year

Learn More


Continuous Authentication: Superficial Confusion, but More Security

6 min read • Nov 09, 2020

By Evan Schuman

Evan Schuman has tracked IT cybersecurity—among other IT topics—for far longer than he'll ever admit. He has reported for SCMagazine/SCMedia, Computerworld, eWEEK, Ars Technica, Harvard Business Review, StorefrontBacktalk, and American Banker, among others.

Share article

The name of security technology is supposed to telegraph its functionality, but in the case of continuous authentication, the name does a great disservice to the technology and, more critically, to the CISOs and CSOs who potentially benefit.

Done properly, continuous authentication theoretically delivers a secure enterprise environment that happens to be especially frictionless. Historically, the biggest obstacle to effective security is a lack of employee or contractor support purely due to hassle. That's why it's important to not discount the frictionless nature of continuous authentication—it happens in the background so users don’t need to take any action, unless the system suspects that they are attackers. Getting end-user cooperation impacts security effectiveness far more than is typically assumed. 

The essence of continuous authentication is a combination of existing authentication tactics including biometrics, robust MFA, behavioral analytics and AI's machine learning. And yes, some of these—I'm looking at you, behavioral analytics and ML—have mixed records because of the fine-tuning needed for any kind of analytics. That's why continuous authentication has great potential, but its reality is still theoretical, depending on how the implementation is handled. Still, it has some of the greatest potential security defenses today.

Post-COVID Security Fears

Perhaps the most potent of the continuous authentication elements is behavioral analytics, but that's mostly because it is the component that goes well-beyond authentication and can track everything users try to do long after they have been granted initial access. That's where security approaches that were created pre-COVID when perimeter defenses were much more of an issue, fail. Once those other systems conclude that the user seems to be who they are supposed to be, they move on. Which is what cyber thieves want.

Once those other systems conclude that the user seems to be who they are supposed to be, they move on. Which is what cyber thieves want.

The "continuous" part of continuous authentication indeed means that the authentication mechanism never stops. If the authenticated user works for a supply chain and suddenly is trying to download company payroll files, that's a massive flag and a reason for them to be locked out until a human overrides it. And even if these users stay within their typical areas, the system notes if what they do—such as downloading an unusual number of files or deleting an abnormal number of records—deviates from their established pattern.

Some continuous authentication advocates stress time-of-day and location-tracking, but those particular factors can have a high false-negative rate, as telecommuting workers shift their hours and use VPNs, which can display false geographies.

What’s In a Name

And that's where the naming problem comes in. For many experienced security professionals, "authentication" means verifying a user before giving them system access. It's a binary concept: either the key fits into the deadbolt or it doesn't; either the credentials presented match what the system expects or they don't. Therefore, "continuous authentication" can seem to many as another binary form of network security, a better replacement for passwords. 

Although continuous authentication certainly does that—and does it frictionlessly—the much more intriguing part is its ability to watch a user during an entire session. In that context, "continuous" refers to continuous monitoring with a digital finger on the "kick the user off the system" button, in case a material deviation is detected. 

As for that initial identity verification, continuous authentication is only as effective—and accurate—as the number of data points it analyzes. If the system is routinely checking 80 data points, it will likely have far fewer false positives and false negatives than if it is using only 10 data points. That's why implementation and configuration details are so critical. It doesn't end with the number of data points analyzed. How are they weighted? Does the system cut off a user during any anomalous effort or are there only a handful that merit disconnection while others merely send an urgent text to a supervisor and the security operations center for a human decision?

Another consideration is the implementation of MFA (multi-factor authentication). Earlier, I said "robust MFA" to differentiate it from the kind of sloppy insecure MFA that far too many enterprises continue to use today. Given how insecure and subjective the popular tactic of texting an encrypted numeric string to a user's mobile device is, it is disturbing how many large businesses still use it. But using one of the many encrypted apps—where a user types in a one-time numerical string that is only good for a limited time—is far more effective and is resistant to most entry-level attack methods.

How Times Have Changed

Today's enterprise defense landscape (aka threat environment) is multiple orders of magnitude different from what enterprises dealt with last year. Heck, it's multiple orders of magnitude different from what enterprises were dealing with in late February. The changes are primarily a massive increase in remote sites that flip the dataflow/people model from roughly 90 percent internal to 90 percent external, a sharp increase in both authorized and Shadow IT cloud usage plus far more IoT and the consumer-grade least secure version of IoT at that.

Even setting aside IoT, cloud and other related items, the remote changes on their own—that 90-to-10 reversal—means that enterprise CISOs need to defend an environment that has changed more in months than enterprise security landscapes have ever changed. I'm hesitant to say ever, but in this instance, it's actually “ever”. And yet, with few exceptions, enterprise security departments are still defending these environments in pretty much the same way. 

For the moment, enterprises have not experienced massive security catastrophes yet because, candidly, the cyber thieves and cyber attackers seem to be lazy and as resistant to change as the industry. The bad guys have changed the speed and number of their attacks, but their methodology has yet to sharply change. Yet.

CISOs need to reevaluate their thinking and their tools and create a defense strategy that makes sense for today's mostly-external environments. Approaches such as continuous authentication are one part of that thinking. It's also an excellent way to get more comfortable with its components, such as AI machine learning and behavioral analytics, as those components can play a major role in security well beyond what continuous authentication can do. 

Think about how SOCs can better analyze attacks and their dozens of threat intelligence feeds in 2021. As the number of attacks and feeds soar, ML is becoming an essential means to recognize a new threat and propose a quick countermeasure. In fending off a massive attack (more along the lines of social engineering and phishing aimed at ransomware as opposed to halting a D-DOS), minutes can make the difference in stopping an attack before it’s grabbed (or deposited) its payload. Continuous authentication, regardless of what it's called, is a powerful way to thwart such attacks before they start.

Evan Schuman

By Evan Schuman