In the fast-paced digital landscape, security remains a top priority for businesses of all sizes. But as cyber threats become increasingly sophisticated, traditional authentication methods like multifactor authentication (MFA) or two-factor authentication (2FA) may fall short in providing the seamless and robust protection businesses need. This is where continuous authentication steps in – methodology for verifying identity in real-time without compromising user experience. That sounds really nice! But how do you actually implement that for your organization? Let us delve in and learn about this space, including the pros and cons of different bleeding edge approaches.
Spoiler alert: Continuous authentication is finally attainable!
First, what is continuous authentication?
Continuous authentication is the appealing vision of a security technology that—as the name suggests—continuously verifies a user’s identity as being authentically theirs throughout their entire session or interaction with a digital system. In contrast to traditional authentication methods that require users to regularly authenticate themselves, which can occur numerous times throughout a workday, continuous authentication constantly monitors user actions, ensuring a constant measure of security.
How does continuous authentication work?
The core principle behind continuous authentication is the use of multiple factors to verify a user’s identity in real-time. These factors can be based in behavioral biometrics like keystrokes, mouse movements, typing speed, and touch patterns, as well as in device-related characteristics such as IP address, location, and device type.
The purpose of continuous authentication is to thwart two common threats. On one hand, some rogue individuals may try to log in as the user with their credentials or take over the login session from afar (perhaps by stealing a token or a cookie). On the other hand, an attacker may have compromised the very device on which the user is working, perhaps lurking there until the user has completed the initial authentication phase. This last point is why spear phishing attacks can be so insidious – traditional authentication methods fail to distinguish between an ordinary user and one who is harboring an imposter on their computer.
As the user interacts with a platform, system interface, etc., their actions are constantly compared against the referencing factor, i.e., biometrics, IP address, passwords, and so on.
How is continuous authentication implemented?
Continuous authentication in its purest form begins when a user logs into a system. A common approach is continuous risk-based authentication, which monitors whether any of the mutable characteristics change against an established baseline. As the user interacts with a platform, system interface, etc., their actions are constantly compared against the referencing factor, i.e., biometrics, IP address, passwords, and so on. If the system detects any suspicious activities, such as unusually fast typing or login attempts from an unfamiliar location, it can trigger additional verification measures, such as multi-factor authentication (MFA/2FA), of the user’s identity or prompt automatic session termination to avoid unauthorized access.
Why risk-based continuous authentication fails
Unfortunately, risk-based methods, as anyone who’s suffered through online banking has experienced, are fallible since behavioral models fail to distinguish between an attack and a legitimate change in user behavior. Yet, when it comes to user behavior, the only constant is change. Risk-based continuous authentication, such as those based on behavioral biometrics, often deliver false positives with even the slightest hiccup in behavior change. When a user inevitably modifies their behavior, a sensitive system may deem it as a threat and lock them out or require more onerous proof of identity, leading to a huge inconvenience on the user’s side. An insensitive system, on the other hand, fails to detect a legitimate attacker. This fundamental struggle with balancing false positives against false negatives is why we believe risk-based authentication does not reach the mark we think of when we say continuous.
But does continuous authentication have to rely on speculative risk-based models? Intriguingly, the answer is no: they don’t! The key insight is that continuous authentication exists to validate user intent, and user intent can be tied to physical user input in a manner that an attacker can’t forge.
The only constant in life in cybersecurity is change.
– Heraclitus, Greek Philosopher
– Ymir Vigfusson, Keystrike co-founder
Making a case for cryptographic attestation
Cryptographic attestation works by assigning a cryptographic signature to every physical input made by the user. These signatures allow for real-time identity verification: the keystroke or mouse click was verifiably made on the device that had the corresponding private key. As users interact with a system or application, every keystroke’s signature tells system admins that this person typing on this particular device is exactly who they say they are. Every user’s intention is vetted. Should a hacker with backdoor access to a compromised device attempt to use it to move laterally to another privileged device, their lack of attested signatures to simulate such a user intention will immediately freeze them in place. So long as the device has not been physically compromised, this highly-secure experience is seamless to the user.
Continuous authentication exists to validate user intent, and user intent can be tied to physical user input in a manner that an attacker can’t forge.
When comparing the efficacy to continuous risk-based authentication, we believe that cryptographic attestation is the only true method of continuous authentication. Continuous risk-based authentication, set to any reasonable sensitivity, will still interrupt and annoy users. They create edge cases that make for a terrible user experience. Consider how biometrics would suddenly prove ineffective for a user who has broken their hand. A sufficiently sensitive risk-based model can’t compensate for such natural variations in human behavior, leading to arduous afternoons recalibrating the system to understand that the user has a broken hand.
At our core, we want to live in a world in which authentication is no longer a hassle—no longer an annoying and in some cases time-consuming impingement day after day. As far as we’ve seen, cryptographic attestation is the only technology with the potential for delivering such a future.
Key benefits of cryptographic attestations
- Convenience: Unlike traditional 2FA and biometrics, which often introduce delays and interrupts user workflows, cryptographic attestations work seamlessly in the background without requiring additional verification steps.
2. Neutralize spear phishing by stopping lateral movement: Ensure that every action taken by the user is uniquely tied to their identity and the physical device they are using. In the event that a hacker has successfully phished an employee, their lack of attested signatures promptly freezes out any hacker who attempts to move laterally through a system.
3. User accountability: Cryptographic attestation leaves no room for shared or compromised credentials, ensuring that user actions are traceable to specific individuals.
4. Hacker alerts: Cryptographic attestation allows us to recognize unwanted movement even before hackers strike the next server. The moment suspicious activity is detected, you’ll be notified of the situation.
5. Frictionless experience: Cryptographic attestation can seamlessly integrate into existing authentication systems, eliminating the need for repetitive keylogging and reducing friction in the user experience.
6. Increased productivity: By eliminating the interruptions and time constraints associated with traditional authentication methods, cryptographic attestation empowers users to work efficiently and without unnecessary disruptions.
Relieving employee shame
The fear of accidentally granting unauthorized access to company systems is a genuine concern for employees, and for good reason—being the individual at fault can result in an unbearable amount of shame. While we believe employees should always attend their cybersecurity awareness seminars, we also believe that putting system integrity on the shoulders of employees whose role has nothing to do with digital security is, to put it bluntly, uncalled for.
Cryptographically attested continuous authentication addresses this issue by proactively tying a user to their specific machine—to their specific keystrokes. Even if an employee falls prey to a phishing scam, the hacker would have to physically take charge of the keyboard in question in order to issue any commands. The hacker would find their own keyboard frozen, every keystroke sending a signal to system admins alerting that they have a breach.
Unlike traditional 2FA and biometrics, which often introduce delays and interrupts user workflows, cryptographic attestations work seamlessly in the background without requiring additional verification steps.
How cryptographic attestations can revolutionize continuous authentication, industry to industry
Energy and utilities
In May of 2021, the Colonial Pipeline Company found themselves the victim of a ransomware attack initiated by the hacker group DarkSide. The attack resulted in excessive financial loss and the pipeline went down for several days, causing hysteria in the affected areas. According to Bloomberg, the hackers were able to access the company’s system via a discarded user account that had been used to remotely access company servers, but here’s the kicker: Said user account wasn’t using any form of authentication. In other words, one of the largest cybersecurity breaches in American history wasn’t the result of meticulously executed, genius hacking; the Colonial Pipeline Company simply left the door unlocked.
So then, post attack, let’s say the CPC decides to improve security with risk-based continuous authentication. In front of an experienced hacker, this would effectively be the equivalent of suddenly throwing an all too jumpable hurdle in front of a more than capable track and field star. The hacker could simply phish another remotely connected employee and, if successful, begin to move laterally throughout the system. Here’s the point: Using cryptographically attested continuous authentication over risk-based speculation offers a stronger solution because, even if a cybercriminal gains access to a compromised device, their attempts to manipulate critical systems would be thwarted since their keystrokes lack the cryptographic signatures verifying legitimate user intent. Even if the hacker breaks past CPC’s new bolted lock, there are systems in place to stop the attack.
The State of Authentication in Finance Report shows that 94% of the financial institutions suffered some kind of cyber threat within the survey’s twelve-month range.
Banking and financial services
The State of Authentication in Finance Report, commissioned by HYPR, showed that the current authentication methods being used by the alarming majority of financial institutions is leading to dangerous breaches in security—not to mention the operational disruption caused by said breaches. HYPER says that, of all the financial institutions surveyed, 94% suffered some kind of cyber threat within the survey’s twelve-month range, with phishing being the most prominent method of attack.
HYPER’s survey is a blatant indication that current methods of authentication aren’t cutting it, multiple forms of continuous authentication among them. But not to worry! Cryptographically attested continuous authentication presents a transformative shift. Looking at financial institutions in particular, cryptographic attestations turn users’ keystrokes into digital signatures, eliminating the need for additional verification steps on both employee and customer endpoints. Imagine Bob, a bank customer, initiating a transfer with perfect ease—authentication is happening, but its presence doesn’t disrupt his busy day—all the while the bank’s system is kept safe and secure.
Transportation and logistics
A 2021 report from BlueVoyant, a cybersecurity services company, showed that 90% of the supply chain and logistics companies studied are using open remote computers or administration ports, and little to no email security. Reflecting back on the near-cataclysmic event that was the Maersk/NotPetya ransomware attack of 2017—in which the Dutch shipping firm Maersk suffered $300 million in damages after being unable to access their systems for more than 2 weeks—it should be obvious that global supply chain leaders using menial methods of authentication is simply inappropriate. Just imagine: Combine a compromised high-profile shipping company like Maersk and add the nightmare-grade logistical pressures of the COVID-19 crisis, and the implications are devastating. Even “passable” authentication will not do.
But with cryptographically attested continuous authentication, companies can secure supply chain information and logistics data effectively. For example, take a logistics manager interacting with sensitive shipment details. With cryptographic attestation, their keystrokes are now uniquely signatured, preventing unauthorized access. Even if an attacker has successfully made their way into the system and is attempting to manipulate logistics data in the logistics manager’s name, their lack of attested signatures halts lateral movement and ensures the integrity of the information, and therefore the integrity of the system as a whole.
Imagining a world with Keystrike
At Keystrike, we like to imagine a world where organizations no longer rely on cumbersome two-factor authentication methods. The era of passwords and authentication codes may soon become a thing of the past as continuous authentication paves the way for a more secure, convenient, and trusted digital future.