Beyond Logins: Continuous and Seamless User Authentication

User authentication is usually discussed in the context of the person’s initial interactions with the system—a safeguard often implemented by a classic login screen. However, one-time validation of the user’s identity is becoming insufficient for modern devices and applications that process sensitive data. Such situations might benefit from a seamless authentication approach that incorporates continuous verification of the user’s identity.

Initial attempts at continuous user authentication can be seen in security policies that lock the user’s workstation after a period of inactivity or settings demanding that mobile phone users enter their PIN every few minutes. These traditional security measures annoy people and leave much room for innovation.

Continuous user authentication could occur transparently by spotting anomalies in which the user interacts with the system. Such methods could avoid interrupting the user unless the system begins to doubt the person’s identity. For instance, the user’s web application activities could be continuously scrutinized for deviations from normal workflow and UI interaction patterns. Similarly, a mobile phone could regularly examine the user’s bio-signs to spot an impostor.

The notion of continuous and seamless authentication isn’t new; however, it has yet to enter mainstream computing in a meaningful way. Here are a few examples of what might be feasible:

Continuous Authentication using Biometric Keystroke Dynamics and Keystroke Dynamics Based Human Authentication System using Genetic Algorithm discussed challenges and solutions for continuous authentication techniques based on the user’s typing activity.
Physical Access Protection using Continuous Authentication discussed prototype systems that continuously and seamlessly authenticated PC users through “video from a camera, and fingerprint images from a mouse equipped with a fingerprint scanner.”
Continuous Mobile Authentication Using Touchscreen Gestures proposed an approach that tracked the user’s user’s “unique touch features, such as finger pressure and trajectory, the speed and acceleration of movement” as the person interacted with the mobile device.
Continuous Identity Authentication Using Multi-modal Physiological Sensors proposed multiple physiological sensors that could be used for this purpose, including eye position, pupil size, skin conductivity, blink rate, etc.

Users of modern web applications and mobile devices demand strong security measures that don’t get in the way of normal activities. Continuous user authentication could help fulfill such seemingly unattainable demands by passively tracking relevant sensors and metrics, getting on the way only after observing an anomaly that exceeded a reasonable threshold.