Many Continuous Authentication Solutions Aren’t What They Claim to Be

Continuous authentication is one of the keys to a complete, effective zero trust strategy—but many such products don't deliver authentication that's continuous at all.

As "zero trust" picks up cybersecurity steam, more and more companies are considering continuous authentication solutions. This trend will likely accelerate now that NIST 800-207 has essentially outlined continuous authentication to be a zero trust prerequisite. 

Happily for companies seeking to deploy it, continuous authentication isn't a vaporware category—there are multiple products on the market that claim to offer continuous authentication capability.

What they should understand, however, is that not all such solutions are created equal. In fact, we're going to go out on a limb and say that in too many cases, products that claim to offer continuous authentication simply don't.

Let's take a look at two types of products that illustrate this problem.

Type 1: “Continuous Authentication” That's Not Continuous

The first type of continuous authentication solution that we're dubious about is the product that operates by calculating a risk score using:

Sure, a fingerprint scan can be acquired quickly at any time. But can your users keep their fingers on the scanner all day? If not, it’s not “continuous authentication.” © Milkos / Dreamstime
  • Fingerprint scanners
  • Face ID or facial recognition
  • Dedicated one-tap security devices

Let's cut right to the chase—all of these things require users to do something for authentication to take place. When the user isn't doing that something, they simply aren't being authenticated.

Yes, a fingerprint scanner can be kept ready to provide authentication on short notice, but there are no practical scenarios in which a user can be expected to keep their fingerprint on the scanner all day, continuously. The same holds true for most forms of facial recognition or one-tap security devices.

So even though some companies advertise these technologies as a form of "continuous authentication," we'd argue that they're generally better described as various kinds of periodic or on-demand authentication.

Yes, they're better than simple reliance on login credentials, but they simply don't offer anything like full-session or full-day identity verification as work happens.

Type 2: “Continuous Authentication” That's Not Authentication

The second type of continuous authentication solution that we're dubious about is the product that operates largely as a matter of device proximity:

  • The user “authenticates” themselves by possessing a device
  • The proximity between this device and the workstation is monitored
  • So long as the device remains near the workstation, they are "authenticated"
To a system that only monitors the proximity of a security device, every user looks the same—and when every user looks the same, what you have can’t honestly be called “authentication” at all. © Robert Adrian Hillman / Dreamstime

The exact technology being used to sense proximity in each case is less important than the basic concept. So long as the authentication device hasn't strayed far from the work system or area, the user is presumed to be the right user.

This kind of product or technology does operate continuously, but in most cases it does so without actually authenticating the user.

The fact that a particular device remains in a particular area is no guarantee that any one particular person is in the same area. The device may have been stolen and used by a third party, or the device may have remained in the area as one user left and another user entered.

What this kind of "continuous authentication" is able to ensure that a security device of some kind has remained in a particular area. Unfortunately, it's unable to ensure much of anything about any nearby users.

True Continuous Authentication Means Behavioral Biometrics

In fact, there is only one technology on the market right now that we believe is able to provide true continuous authentication.

Authentication products that rely on behavioral-biometric  technologies fit the "continuous authentication" bill in ways that the other products above simply don't.

Behavioral-biometric technologies actually authenticate users:

  • They recognize actual human users rather than credentials or devices
  • They do this in a way that can't be lost, stolen, or impersonated

And they are capable of continuously authenticating users:

  • They work by passively observing micro-patterns in movement
  • They can do this all time time, without pauses or interruptions
  • In ways that do not interrupt the user as they work

For these reasons, behavioral-biometric continuous authentication solutions stand apart from the other "continuous authentication" solutions.

Plurilock's DEFEND product,  for example, analyzes micro-patterns in keyboard and pointer activity and authenticates users every 3-5 seconds for the duration of the workday or computing session.

There are no extended gaps between authentication events—and there's no way to fool the system by getting ahold of a legitimate user’s authentication device.

Only Zero Compromise Can Deliver Zero Trust

The discussion above illustrates the difference between true continuous authentication with behavioral biometrics and the assortment of far less effective technologies that are often sold under the "continuous authentication" banner.

When NIST outlines the user authentication practices required for zero trust in its SP 800-207 draft standard, it's clearly intending to recommend technologies that both authenticate users and that do so continuously.

To date only behavioral-biometric technologies demonstrate these capabilities together, and we think of this as a stringent, no-compromise requirement—after all, zero means zero.

Trusting that the current user is the same one who scanned a fingerprint half an hour ago—or trusting that a small, easily stolen security device is actually being carried by its rightful owner—doesn't get you there.

Continuous authentication with behavioral biometrics, on the other hand, does. ■