User authentication is usually discussed in the context of the person's initial interactions with the system—a safeguard implemented by the classic login screen. However, one-time verification is becoming insufficient for modern devices and applications that process sensitive data. Such situations benefit from seamless authentication that incorporates continuous validation of the user's identity. Such measures are no longer a theoretical possibility, thanks to biometrics.
Traditional attempts at authenticating the user beyond the initial login are awkward at best. They might involve prompting for a password or PIN after inactivity or some time intervals. For instance, WhatsApp periodically asks for a PIN if the user enabled two-factor authentication, supposedly to "help you remember your PIN." Such intrusive measures get on the way of normal interactions. They leave much room for innovation, which is starting to appear in today's products.
Behavioral and Physiological Biometrics
It's possible to implement continuous authentication by spotting anomalies in the way the user interacts with the system. Such methods could avoid interrupting the user unless the system doubts the person's identity based on his or her behavior. For example, the user's web application activities could be continuously scrutinized for deviations from normal workflow and UI interaction patterns.
Similarly, a system equipped with the necessary sensors could monitor the user's bio-signs, such as facial expressions or movement patterns, to spot an impostor based on unexpected changes in physiological characteristics.
Ideas from Research
The notion of continuous and seamless authentication based on behavioral and physiological biometrics isn't new. Here are a few ideas documented by the research community:
- Continuous Authentication with Keystroke Dynamics and Keystroke Dynamics Based Human Authentication System using Genetic Algorithm describe the challenges and solutions for continuous authentication techniques based on the user's typing activity.
- Physical Access Protection using Continuous Authentication discuss prototype systems that continuously and seamlessly authenticated PC users through "video from a camera, and fingerprint images from a mouse equipped with a fingerprint scanner."
- Continuous Mobile Authentication Using Touchscreen Gestures propose an approach that tracked the user's "unique touch features, such as finger pressure and trajectory, the speed and acceleration of movement" as the person interacted with the mobile device.
- Continuous Identity Authentication Using Multi-modal Physiological Sensors explain how multiple physiological sensors can be used for this purpose, including eye position, pupil size, skin conductivity, blink rate, and so on.
Modern hardware and software developments have taken us beyond theoretical possibilities for authentication based on user interactions and bio signs. Consider the following products that can act as a starting point for continuous and seamless user authentication.
Face-Based Authentication
Apple's release of Face ID for iPhone is an example of the role that unobtrusive authentication can play in securing users' interactions with their devices with minimal friction. Face ID authenticates the user when the person glances at the device. Some Android phones have similar abilities as part of their Smart Lock feature set; Google calls this capability Trusted Face. When equipped with compatible hardware, Microsoft Windows can accomplish this as well using the Windows Hello face authentication feature.
Face-based authentication can act as the basis for continuous verification of the person's identity without interrupting the legitimate user's experience. Armed with the appropriate API access, developers could use such capabilities to lock out the user from the device or application when the expected face disappears. In such scenarios, security won't get on the way unless absolutely necessary.
Physical Movement for Authentication
Another example of a productized approach to using the person's physiology for authentication is Motiv Ring's WalkID. This smart ring can use its accelerometer to sense the walking pattern of the person wearing the device. According to the company, this feature "allows you to use your gait as a way to verify that you are who you say you are when accessing your accounts online."
It's easy to imagine implementing similar capabilities using the sensors built into today's mobile phones, for instance by observing how the person walks while carrying the phone or the manner in which the user holds the device. Like with face-based authentication, when granted access to the necessary sensors, applications could lock out the user when detecting anomalous gait or hand movements.
Voice Authentication
Voice offers another opportunity to use biometrics as a form of authentication, both for initial validation and for ongoing verification of identity. This method is already in use by quite a few banks for authenticating callers at the onset of the conversation. It's not hard to imagine how this approach can provide continuous authentication for ongoing phone discussions.
For example, ABN AMRO rolled out "voice verification for its 4 million telephone banking customers," validating callers' identities using many characteristics, including "pitch, frequency, soft and hard palate, jaw structure." Barclays explains that its voice authentication works by comparing the reference conversations on file to the caller's "subtly unique characteristics such as vocal tract length and shape, pitch and speaking rate."
Companies that voice-based authentication products include Nuance, HYPR, NICE, and others. (Listed in no particular order, since I lack direct experience with these firms.)
Authenticating users based on voice is becoming viable even outside the realm of enterprise applications. Amazon's Alexa can recognize voices to create personalized experiences based on users' individual "voice profiles." Similarly, Google Home can distinguish between the voices of its users. Though these capabilities are not yet sufficient for reliable authentication, they are a sign the features that will soon be possible even for routine, day-to-day interactions.
User Behavior Authentication
Another approach to continually and seamlessly authenticating users involves tracking their behavior with the website or application, noting anomalies that indicate a likely impostor. The system could note deviations from the way in which the person typically types, taps or uses the mouse.
For example, Royal Bank of Scotland uses this method by tracking "2,000 different interactive gestures. On phones, it measures the angle at which people hold their devices, the fingers they use to swipe and tap, the pressure they apply and how quickly they scroll. On a computer, the software records the rhythm of their keystrokes and the way they wiggle their mouse."
Companies whose products offer this continuous authentication method include BioCatch, Twosense, BehavioSec, and others. (Listed in no particular order, since I lack direct experience with these firms.)
The Future is Now
Users of modern applications, systems and devices value strong security measures to safeguard sensitive data, but only if they don't get in the way of normal activities. Continuous user authentication helps fulfill such seemingly unattainable demands by passively tracking relevant sensors and metrics, getting on the way only when an anomaly arises. Such security approaches are already employed by some organizations. They will become increasingly common in the near future.