Imagining continuous authentication as it should be: 3 short stories
I spend a large part of my day authenticating: simply proving that I am (still) me. It’s annoying and highly inconvenient. I’m sure you agree. Whether it is standard MFA or biometrics, email verification or hardware tokens, these systems make for a stop-and-start experience. Far too much of the time between opening a service’s app and actually using the service is eaten up by challenges, often paired with usability issues that the service provider’s IT team spends valuable hours fixing.
We endure the added inconvenience because of the extra security these sophisticated authentication methods are supposed to provide. But this is folly! MFA and biometrics still leave us alarmingly vulnerable to attacks, and are simply not robust or smart enough to handle the way hackers take advantage of human nature to breach security systems. Of course, MFA and biometrics and the like are indeed able to authenticate, in the general sense of the term, but they answer only one question, at one moment: is the right person at the login prompt? They cannot tell whether the user being authenticated unknowingly harbors a hacker on their system who then rides the freshly authenticated session. Working through the legitimate user’s own session and tools rather than through a separate foothold, a close cousin of the “living off the land” (LOTL) tradecraft hackers have favored for decades, lets an intruder persist deeply within an organization precisely because of the false feeling of security the sophisticated authentication system confers: accidentally authenticating a hacker gives them an all-access pass to frolic through an organization’s systems completely undetected.
A lack of both convenience and effectiveness culminates in an untenable situation: Authentication is broken, with no promise of becoming something more as security and authentication needs escalate.
But what if authentication systems were the convenient, effective, and ultimately capable security tools we want them to be? What if we reflected on the shortcomings built into our current systems and asked ourselves: What do we really need an authentication system to be able to do?
We invite you to walk through three illustrative stories depicting what we imagine authentication could be like. Let’s put ourselves in the shoes of three different characters in three potential situations (online banking, accountancy, and AI) to show a world where authentication actually works.
1. Bob unaccountably delights in mobile banking
Let’s say Bob wants to transfer money from his bank account. With traditional authentication, he would typically go through a series of steps: entering his username and password, receiving a one-time code via SMS or email, and only then logging in to complete the transfer, after plugging in the code within a strict time limit of 30 to 60 seconds. You’re probably more than familiar with the drag that can occur next: if Bob doesn’t type the correct code in the allotted time, he’ll be forced to start the process over again. And after typing in his password, looking up codes in his authenticator app, confirming the device and whatnot, Bob then receives an additional set of identity challenges when adding a new recipient for transfers, and again when actually making the transfer. Oh, and that’s assuming he’s not traveling.
Why is Bob’s time being wasted by this tedious process for a simple funds transfer? Why, after typing a password or accessing a password manager, does Bob need to copy-paste a code or, when it isn’t copy-pastable, come up with mental strategies to remember the code until he can type it into the app? And why does initiating a bank transfer start with a race against the clock anyway, on a device that is certifiably his?
Enter Keystrike’s continuous authentication. By attaching a cryptographic signature to each of Bob’s keystrokes, the system continuously authenticates Bob’s activity in real time. As Bob types his transfer into his banking app, each of his keystrokes is the equivalent of saying, “This is Bob on Bob’s computer, this is Bob on Bob’s computer” over and over again. Even if a hacker makes their way into Bob’s device, Keystrike’s design lets only the person physically at the keyboard issue privileged commands: input injected or altered by software on the host carries no valid signature, so the bank can tell a typed instruction from a forged one, rendering sneaky “man in the browser”-style attacks moot. Should a hacker try to do what they think they do best, they find themselves unable to escalate what they hold, with no choice but to abandon the attempt.
But something even more interesting also happens! Bob’s banking process becomes seamless—and, most importantly, convenient. Bob logs into his account and initiates the transfer with zero obstacles, the bank confident that the money was moved by nobody but Bob himself. Rather than disrupting Bob’s busy day with a degrading and long-winded authentication process, continuous authentication, as we imagine it, enables banks to be more empathetic towards their customers’ time—Bob has a life—while also delivering a much more streamlined experience. Gone are the frustrations of waiting for additional codes or rushing against the clock to chase a security mirage.
Keystrike’s continuous authentication technology can dramatically improve the banking experience by building unheard-of convenience into mobile banking. Customers can enjoy a streamlined process without the frustrations of traditional authentication methods, while banks can confidently protect their customers’ funds and personal information.
Good. We’re a third of the way there! All aboard as we jump from banking to accounting to see how Keystrike continuous authentication might prove itself even more effective.
2. Accountant no longer a single click away from bankrupting company
Business is too fast paced for paranoia about security to disrupt critical communication. In an ideal world, all communication channels, email and direct messaging included, would be trustworthy, and therefore supportive of a productive workday. Still, spear phishing, impersonation, and other hacking techniques run rampant, posing a significant threat to organizational security: business email compromise alone accounted for $26 billion in exposed losses between 2016 and 2019, according to the FBI.
In particular, accountants—who bear the responsibility of scrutinizing financial transactions and ensuring their authenticity—feel the pressure that comes with protecting accounts from attacks. Paying a single hasty invoice, seemingly from the boss or a known supplier, can be wildly expensive. But with Keystrike’s continuous authentication technology, accountants could have the confidence of knowing that emails are genuinely typed by the intended sender, that the warning about that suspicious transaction is legitimate.
Accountants need an effective solution for mitigating the risk of falling victim to impersonation attacks, because traditional email security measures don’t provide sufficient assurance in such cases. Sender authentication protocols such as SPF, DKIM, and DMARC prove only that a message left the sending domain’s infrastructure; a mail sent from a compromised executive mailbox, or from a lookalike domain the attacker registered, passes those checks without proving that the named person composed a single word of it.
Consider a scenario where Lisa, an accountant for a large, well-known firm, receives an email from the CEO regarding a suspicious transaction made by one of their biggest clients. In order to make the right decision regarding the account, Lisa needs to verify the authenticity of the email and ensure that it was indeed composed by the CEO and not an impersonator. Lisa has heard horror stories from other firms, and now with every email she receives, she has to ask herself, “Is this email the real thing?”
Enter Keystrike’s continuous authentication, offering a powerful solution to combat email impersonation and enhance email security. By attaching a cryptographic signature to each keystroke, Lisa knows that every email she receives has been authenticated by a legitimate attestation, a public-key signature that only the CEO’s own key could have produced, giving her proof of the email’s origin that no impersonator can fake without that key.
From Lisa’s perspective, this kind of technology would streamline the verification process and reduce the burden of manually investigating suspicious emails, saving her from the shame of succumbing to an imposter and the labor that goes into preempting them. Instead of relying solely on traditional email security measures, which are either tedious to use or can be circumvented by sophisticated attackers, Lisa and accountants like her can leverage the power of Keystrike continuous authentication to validate the integrity and authenticity of crucial emails.
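As an added illustration, not code from the original post or from Keystrike, here is what the mechanism behind both Bob’s transfer and Lisa’s email can look like when written out: every keystroke is signed where it is typed and checked where it is consumed. The example uses only the Go standard library and assumes a hypothetical keyboard-side signer holding an Ed25519 private key that software on the host can neither read nor drive, a random per-session identifier and a monotonically increasing counter bound into every signature, and a relying party (the bank, or Lisa’s mail client) that knows only the matching public key. The names Signer, Verifier, KeystrokeEvent, NewSession and Inject, the wire format, and the sample text are inventions for this illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// KeystrokeEvent (hypothetical wire format): one keystroke plus an Ed25519 signature over session, sequence and character.
type KeystrokeEvent struct {
	Session []byte
	Seq     uint64
	Key     rune
	Sig     []byte
}

// payload is the signed byte string; binding session and sequence into it defeats replay and reordering.
func payload(session []byte, seq uint64, key rune) []byte {
	var num [8]byte
	buf := append([]byte{}, session...)
	binary.BigEndian.PutUint64(num[:], seq)
	buf = append(buf, num[:]...)
	binary.BigEndian.PutUint32(num[:4], uint32(key))
	return append(buf, num[:4]...)
}

// Signer is the keyboard-side half; the scheme assumes host software can neither read priv nor call Press.
type Signer struct {
	priv    ed25519.PrivateKey
	session []byte
	seq     uint64
}

// Press signs one keystroke and advances the counter.
func (s *Signer) Press(key rune) KeystrokeEvent {
	ev := KeystrokeEvent{Session: s.session, Seq: s.seq, Key: key}
	ev.Sig = ed25519.Sign(s.priv, payload(s.session, s.seq, key))
	s.seq++
	return ev
}

// Verifier is the relying-party half (the bank, or Lisa's mail client); it holds only the public key.
type Verifier struct {
	pub     ed25519.PublicKey
	session []byte
	nextSeq uint64
	text    []rune
}

var ErrWrongSession = errors.New("keystroke belongs to another session")
var ErrOutOfOrder = errors.New("keystroke is not the next expected one")
var ErrBadSignature = errors.New("keystroke signature does not verify")

// Accept checks one event and appends its character to the authenticated text.
func (v *Verifier) Accept(ev KeystrokeEvent) error {
	if string(ev.Session) != string(v.session) {
		return ErrWrongSession
	}
	if ev.Seq != v.nextSeq { // a replayed or dropped keystroke lands here
		return ErrOutOfOrder
	}
	if !ed25519.Verify(v.pub, payload(ev.Session, ev.Seq, ev.Key), ev.Sig) {
		return ErrBadSignature // injected by software, never typed on the device
	}
	v.nextSeq++
	v.text = append(v.text, ev.Key)
	return nil
}

func (v *Verifier) Text() string { return string(v.text) }

// NewSession generates a key pair and a random session ID shared by both halves.
func NewSession() (*Signer, *Verifier) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // no secure randomness: nothing sensible to do
	}
	session := make([]byte, 16)
	if _, err := rand.Read(session); err != nil {
		panic(err)
	}
	return &Signer{priv: priv, session: session}, &Verifier{pub: pub, session: session}
}

// Inject models "man in the browser" malware: it knows the protocol and the live session and guesses
// the next sequence number, but has no private key, so it can only attach a correctly sized, worthless signature.
func Inject(v *Verifier, key rune) KeystrokeEvent {
	return KeystrokeEvent{Session: v.session, Seq: v.nextSeq, Key: key, Sig: make([]byte, ed25519.SignatureSize)}
}

func main() {
	s, v := NewSession()
	for _, r := range "pay 100" { // constructed sample input: Bob types a transfer
		if err := v.Accept(s.Press(r)); err != nil {
			panic(err)
		}
	}
	fmt.Printf("typed %q; injected zero: %v\n", v.Text(), v.Accept(Inject(v, '0')))
	last := s.Press('0')
	fmt.Printf("genuine zero: %v; replayed zero: %v; final %q\n", v.Accept(last), v.Accept(last), v.Text())
}
```

Run it with `go run` and the two rejections the stories lean on fall out: a keystroke fabricated by software on the host fails the signature check, and a genuine keystroke captured and fed in a second time fails the sequence check. Worth keeping in mind is what this construction does not establish: it proves that the characters were typed at the signing device, not that the person at the keyboard was not talked into typing them, so a check like Lisa’s confirms the CEO wrote the email but not that the CEO was not deceived.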
Nice. Two-thirds of the way there. Now let’s combine convenience with effectiveness and see what capability looks like.
3. Did John, or did ChatGPT, author that text?
Last year, the ever-increasing proliferation of writing robots using generative AI gave the written word an unprecedented (and ridiculously hard) problem. From teaching, to journalism, to marketing blogs, when dealing with any form of the written word online, the world must now question both the authenticity and origin of what they are reading. Whenever you consume written content, you have to ask yourself, “Did John, Keystrike Staff Writer, actually write this? Or was it just ChatGPT?”
AI has blurred the line that gave authenticity and plagiarism clear distinction, giving birth to a new kind of perspective in which those in these fields must ask themselves: If the words are “accurate,” does it matter if a human wrote them? If the answer is no, great! The tech world is geared for you. But if the answer is yes, then you face the challenge of figuring out whether the human claiming authorship over those lovely (and suspiciously grammatically correct) sentences was actually the person who typed them key by key.
Nearly a year into ChatGPT’s unveiling, tech has failed to provide any kind of antidote to the monster it unleashed—to solving the question of proving authentic or inauthentic work. Our proposed solution? Easy. Students, go back to writing all essays longhand. Coders, embrace the quill and ink for your interviews! All hail snailmail!
Just kidding. Enter Keystrike’s continuous authentication technology.
We like to imagine a world in which readers, writers, professors, students, you name it, can demonstrate that a piece was physically typed on the keyboard, down to the character—a world in which our technology is configured to provide a detailed record of the creative course a piece of writing takes, outlined to a tee. Yes, you read that right. A detailed record of the creative course a piece of writing takes. You’ve probably already realized what we’re getting at, but we’ll say it anyway: Imagine a world in which you can authenticate authenticity.
And this technology doesn’t have to stop at only detecting GPT-born content or rampant plagiarism. By examining the timing, flow, and progression of the writing, we can move from assessing the originality of an essay to assessing the quality of that originality. Imagine Keystrike as a teaching tool, a collaboration tool, a way of looking back over a piece and measuring it against how other drafts have progressed or regressed.
In plain terms, what we’re imagining here is capability. The same continuous authentication tech that gives Bob convenient banking, that lets Lisa conduct safe finance, now also gives John proof of authenticity in the articles and marketing pieces he reads. A capable, multifaceted solution to authentication and authenticity.
Imagining a world with Keystrike authentication technology
We want to revolutionize the authentication landscape by providing convenience, effectiveness, and capability. And by keeping these three outcomes as our barometer, we intend to offer users and service providers improved experiences, decreased fear, and a potent antidote to the unforeseen in authentication. As we reimagine authentication, we wish to develop solutions that bridge the gap between security and user experience. Let’s envision a future where authentication is seamlessly integrated, enabling a safer and more efficient digital world.