Although vendor-written, this contributed piece does not promote a product or service and has been edited and approved by Network World editors.
Usernames and passwords act as a gateway. Insert another authentication step on top of these credentials and this gateway becomes harder to infiltrate. But once access is gained, how can the device or Web application be certain that the authenticated user is, in fact, the same person throughout the entire session?
For example, you may log in and walk away from your device, creating an opportunity for someone else to take over your session and, with it, your identity. Or, more commonly, you may hand the device to a colleague – a non-authenticated user – trusting they won’t do anything careless or malicious. In fact, according to a survey by B2B International and Kaspersky Lab, 32% of respondents who share an Internet-enabled device with their relatives, colleagues or friends noted that they do not take any precautions to protect their information.
The reality is clear: People share devices and web applications with little concern for the potentially detrimental consequences – whether a coworker gains access to proprietary information or an acquaintance accidentally views personal medical records or bank account details. Traditional one-time or two-factor authentication methods are no longer sufficient. Without continually checking that you are who you say you are, it’s next to impossible to tell who is actually using the device or web application at any given time.
The future of identity and access management (IAM) must be rooted in continuous authentication. So, where is the industry in developing these tools? And, what needs to occur for continuous authentication to take hold as a reliable, more secure element of IAM?
Tools in development
A promising form of continuous authentication is centered around unique human behaviors. Known as behavioral biometrics, these tools can monitor signals such as keystroke patterns (typing rhythm), mouse movement, iris patterns and more. The technology acts in the background, unbeknownst to the user.
By tracking these actions and building a unique behavior-based profile, the technology can automatically and continually check to see if a device switches hands, or a Web application switches users. For example, when tracking keystroke patterns, the tool can determine how quickly you find the right key and how long you hold down certain keys. If the typing pattern becomes abnormal, the non-authenticated user will get locked out of the device or Web application.
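To make the keystroke-pattern idea concrete, here is an added Python sketch; it is not code from the article or from any vendor, and the scoring method is an assumption of mine rather than a description of any product. It assumes each keystroke is reported as a key with press and release timestamps in milliseconds, uses two classic features (dwell time, how long a key is held, and flight time, the gap between releasing one key and pressing the next), builds an enrollment profile as a per-feature mean and standard deviation, and treats a session as abnormal when its mean absolute z-score exceeds a fixed threshold. All session data is constructed inline with deterministic jitter so the example runs offline.

```python
"""Keystroke-dynamics check: added illustration, not vendor or article code.

Assumptions (not from the article): a keystroke is (key, down_ms, up_ms); the
profile is mean/stdev of dwell and flight times; a session is flagged when its
mean absolute z-score against the profile exceeds a threshold.
"""
from dataclasses import dataclass
from statistics import mean, stdev


@dataclass(frozen=True)
class KeyEvent:
    key: str
    down_ms: int   # time the key was pressed
    up_ms: int     # time the key was released


def dwell_times(events):
    """How long each key was held down."""
    return [e.up_ms - e.down_ms for e in events]


def flight_times(events):
    """Gap between releasing one key and pressing the next."""
    return [nxt.down_ms - cur.up_ms for cur, nxt in zip(events, events[1:])]


def build_profile(sessions):
    """Per-feature (mean, stdev) over all enrollment sessions."""
    dwell = [d for s in sessions for d in dwell_times(s)]
    flight = [f for s in sessions for f in flight_times(s)]
    return {"dwell": (mean(dwell), stdev(dwell)),
            "flight": (mean(flight), stdev(flight))}


def anomaly_score(profile, events):
    """Mean absolute z-score of a session's timings against the profile.

    An empty session carries no evidence either way and scores 0.0.
    """
    scores = []
    for name, values in (("dwell", dwell_times(events)),
                         ("flight", flight_times(events))):
        mu, sigma = profile[name]
        sigma = max(sigma, 1.0)  # floor so a very consistent user cannot divide by ~0
        scores.extend(abs(v - mu) / sigma for v in values)
    return mean(scores) if scores else 0.0


def should_lock(profile, events, threshold=2.0):
    """Decision the article describes: lock out when typing becomes abnormal."""
    return anomaly_score(profile, events) > threshold


# --- constructed sample data (deterministic jitter, no randomness) ---
JITTER_MS = (0, 5, -5, 10, -10)


def make_session(text, dwell_ms, flight_ms):
    """Simulate typing `text` with a given base dwell/flight and cyclic jitter."""
    events, clock = [], 0
    for i, ch in enumerate(text):
        jitter = JITTER_MS[i % len(JITTER_MS)]
        down = clock
        up = down + dwell_ms + jitter
        events.append(KeyEvent(ch, down, up))
        clock = up + flight_ms + jitter
    return events


# Enrollment: the legitimate user types quickly with short key holds.
OWNER_PROFILE = build_profile([make_session("the quick brown fox", 90, 120)
                               for _ in range(3)])
# Later session by the same user (different text, same rhythm).
OWNER_CHECK_SESSION = make_session("jumps over the lazy dog", 90, 120)
# Session after the device changes hands: slower, longer key holds.
IMPOSTOR_SESSION = make_session("jumps over the lazy dog", 150, 300)

if __name__ == "__main__":
    for label, session in (("owner", OWNER_CHECK_SESSION),
                           ("impostor", IMPOSTOR_SESSION)):
        print(f"{label}: score={anomaly_score(OWNER_PROFILE, session):.2f} "
              f"lock={should_lock(OWNER_PROFILE, session)}")
```

The threshold and the z-score aggregation are deliberately simple; a production system would use many more features, adapt the profile over time, and treat a single abnormal window as a signal to step up authentication rather than as proof of a takeover.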
Other techniques being developed include behavioral profiling, which uses Webcams to monitor your face and even the color of clothing, as well as micro-movement and orientation dynamics that take into account how you grasp, hold and tap your smartphone.