How to Implement Continuous Authentication Safely


Posted on by Rohan Pinto

Today’s enterprise networks are like a house, where we lock the front door but still need to worry about other attack vectors like windows, other doors, etc. Meanwhile, inside the house, sensitive documents are typically kept under lock and key. Continuous authentication works the same way; just as you wouldn’t let a service technician wander around your home unchecked, continuous authentication grants access to each resource based on an analysis of risk and identity.

Most organizations have layers of risk associated with different activities; customer data is more sensitive than a gated document used for marketing. Continuous authentication checks a user at every point of access against a user’s profile and levels of risk to decide if that user will be allowed access to that resource in your network. It becomes part of a Zero Trust infrastructure as the trust-but-verify component that makes it effective.

Implementing continuous authentication requires the following three capabilities:

  • Support for multifactor authentication (MFA): Passwords are the weak link in information security. Any Zero Trust environment that relies on them is flawed from the start. But it can be improved using a least-privilege approach that requires additional authentication as users move around the network. This involves replacing traditional allow-or-deny responses with more fine-grained options that enforce step-up authentication methods like biometrics for high-risk access requests or transactions. For example, approving payment of a $100 invoice would not require a strong authentication challenge, but a $10,000 transfer in the same session would.

     

  • Identity governance: The ability to assure users have the right level of privileges for their role is a must to maintain continuous authentication. Administrators can sometimes take the path of least resistance and assign wide policies by default. To avoid this, consider an identity governance solution that automates control of “who has access to what” across a mass of identities in the system. But first, user identities need to be clearly defined with the proper access policies to determine the risk of their activities. An identity tightly aligned to access controls will ensure high identity assurance at each access request and lower risk profiles.

     

  • Real-time threat monitoring: Another underlying principle of continuous authentication is the ability to detect abnormal behavior or activity in real time that may be indicative of session hijacking or other malicious activity. This typically involves risk scoring activity by comparing previous behavior and conditions, such as location, browser, or device being used, to determine whether access should be granted or if additional authentication steps are necessary.

     

  • Unlike traditional authentication, which actively challenges users for an identity verification factor at initial login to a system, continuous authentication can challenge users to reauthenticate, sometimes with a stronger form factor, at various points in their journey when a higher-than-normal level of risk is detected. For example, if a user normally accesses resources from an IP address in New York using their MacBook and iPhone but suddenly logs in from Malaysia using a Chromebook and an iPhone, that two-out-of-three mismatch would trigger a step-up authentication challenge.

One key roadblock to implementing continuous authentication is false positives that enforce step-up authentication unnecessarily, which can impact productivity and frustrate users. This is often due to the fact that continuous authentication involves a combination of processes and technologies. To avoid false positives, consider these best practices:

Invest in identity verification to automate policy management.

Implement strong MFA that closes security gaps by eliminating passwords and one-time codes that can be intercepted and replacing them with verified biometrics.

Use security information and event management (SIEM) to monitor activity and behavior.

Ensure the above technology stack is tightly integrated to work together.

Effective continuous authentication comes down to discipline: a zero-trust approach coupled with strong identity verification and effective threat monitoring. If applied properly, it can stop attackers from reaching sensitive assets and stealing data even if they have managed to compromise a user account.

Contributors
Rohan Pinto

CTO, 1Kosmos

Identity

access control authentication biometrics identity management & governance SSO

Blogs posted to the RSAConference.com website are intended for educational purposes only and do not replace independent professional judgment.  Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA® Conference, RSA Security LLC or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.


Share With Your Community