In our last post, we discussed why context is such a vital component of a dynamic authentication solution. Now let’s look at another key characteristic of dynamic authentication: it is continuous.
For authentication to be truly effective in today’s threat environment, it needs to take place at multiple points within a user’s session—but without having a negative impact on experience or productivity. As noted in our latest white paper, “Dynamic Authentication: Aligning the Authentication Experience with Risk, Reputation and Reward,” the old days of the “single padlocked gate” strategically located at the “login” page are over.
If the traditional role of authentication is to “corroborate a claimed identity to an agreed-upon level of assurance,” we must modernize and update our understanding. We now need to say that authentication must corroborate a claimed identity to an agreed-upon level of assurance at any time during the user’s journey. This simply reflects the reality of our surprisingly porous digital world.
This new authentication approach ignores the padlocked single-gate paradigm in favor of a model with many different gates and doors that all require varying levels of assurance, including authentication methods both visible and invisible. In so doing, it addresses challenges such as man-in-the-middle (MITM) attacks against mobile and other platforms.
As the IEEE noted in a 2016 report, MITM attacks are among the most well known in computer security, “representing one of the biggest concerns for security professionals. MITM targets the actual data that flows between endpoints, and the confidentiality and integrity of the data itself.”
Even without the existence of threats like MITM attacks, an organization might receive signals that indicate a sudden increase in the level of risk and need to re-authenticate a user at any time. “Any time” may include authentication not only at login, but also at product selection, at checkout, or when altering shipping information.
When we stop focusing on the padlocked gate and instead focus on delivering the right level of authentication for the current level of risk, we immediately gain additional benefits in usability and overall experience.
“Continuous” as it pertains to authentication is more of an approach or mindset than a technology or even a product capability. Behavioral authentication solutions often claim sole ownership of this “continuous” capability, but there are other ways to achieve this ongoing recognition and assurance. Knowing a device in detail, through device fingerprinting and real-time recognition, enables pattern-matching and provides machine learning-enabled continuous authentication. When you can tell, at every page on a Web site, whether the device accessing the page is the same one that started at login, you can more effectively mitigate session hijacking and MITM attacks.
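The per-page device check and risk-aligned step-up described above can be sketched as follows. This is an added illustration, not code from iovation or Entrust Datacard; the device attributes, action names, assurance levels and function names are assumptions.

```python
import hashlib
import hmac

# Assurance level each step of the journey demands (constructed values).
REQUIRED = {"browse": 1, "select_product": 1, "checkout": 2, "change_shipping": 3}

def fingerprint(attrs):
    """Digest over sorted device attributes. Exact matching is a simplification;
    production recognition tolerates drift such as a browser update."""
    canon = "\n".join(f"{k}={attrs[k]}" for k in sorted(attrs))
    return hashlib.sha256(canon.encode("utf-8")).hexdigest()

class Session:
    def __init__(self, user, device_attrs):
        self.user = user
        self.bound_fp = fingerprint(device_attrs)  # device seen at login
        self.assurance = 1                         # level earned by primary login

def evaluate(session, action, device_attrs, risk_boost=0):
    """Decide one request: 'allow', 'step_up' or 'reauthenticate'."""
    seen = fingerprint(device_attrs)
    if not hmac.compare_digest(session.bound_fp, seen):
        # Session token presented by a different device than the one at login.
        return "reauthenticate"
    # Unknown actions fail closed to the strictest level.
    needed = REQUIRED.get(action, max(REQUIRED.values())) + risk_boost
    return "allow" if session.assurance >= needed else "step_up"

def complete_step_up(session, level):
    """Record a successful stronger challenge; never lowers assurance."""
    session.assurance = max(session.assurance, level)

if __name__ == "__main__":
    laptop = {"ua": "ExampleBrowser/1.0", "tz": "UTC-5", "screen": "1440x900"}
    other = dict(laptop, ua="OtherBrowser/9.9")  # constructed second device
    s = Session("alice", laptop)
    for action, dev in [("browse", laptop), ("checkout", laptop), ("browse", other)]:
        print(action, "->", evaluate(s, action, dev))
```

The `risk_boost` argument stands in for an external risk signal that raises the bar mid-session, so even a low-risk page can trigger a challenge.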
As Frank Dickson, a research director in International Data Corp.’s (IDC) Security Products research practice, notes in a recent CSO article, “continuous authentication is a form of dynamic, risk-based authentication, [which] changes the perspective of authentication from an event to a process. Dynamic, risk-based authentication examines attributes that change and continually looks to validate the authentication.”
The concept of continuous authentication remains relatively new, and industry experts say few products are available in the market. One example comes from Entrust Datacard, a provider of trusted identity and secure transaction technologies. Entrust Datacard earlier this year entered into an OEM partnership with iovation to combine its adaptive authentication solution with iovation’s device- and risk-based authentication services, which use sophisticated pattern matching and a constantly evolving knowledge base of more than 3.5 billion devices.
This joint solution enables organizations to provide users with a transparent, secure experience that delivers step-up authentication when a user’s registered device is identified as a risk.
The concept of continuous authentication will no doubt gain traction as organizations seek more effective ways to prevent account takeovers without trampling on user experience.
Want to learn more about the role of continuity in dynamic authentication? Download the complete white paper at: https://www.iovation.com/resources/white-papers/align-authentication-with-risk-reputation-and-reward