Securing the Digital World

Continuous Identity Assurance Allows You To Step Away

May 23, 2016 | by Kayvan Alikhani |

Have you ever wondered how do applications know if "its still you" 10 minutes after you log in to the app?

Suppose you have to join a conference call, leave for a meeting, or take a bio break. As far as the app is concerned, since you haven't performed any activity for a given period of time, most (well-written) applications will 'kick you out'. So when you decide to use the app again (back from that bio-break), you'll be prompted with the login screen. You'll probably see a message informing you that "your session has timed out", and that you'll need to log back in.

Let's assume the app logs you out after an hour of inactivity. The amount of time is important, here's why: If the app terminates access out too slowly (say in an hour, or in a day), it's not secure enough. Why? Because anyone with physical access can see confidential info that is presented by the app, and they can access the app as if they were you. For example, assume an important purchase order requires your approval. Someone can initiate the request for approval, wait for you to go to the bathroom, then go to your device and make an unauthorized approval of the order.

If the app kicks you out too quickly (say in 10 minutes), its inconvenient - you'll need to log in after every 10 minutes of inactivity, something that's entirely plausible in the course of normal behavior, and something which will quickly become a major inconvenience. Also, increasing the number of times you have to enter your credentials actually increases the chance of your credentials being compromised. Nobody wants this, everyone hates this.

So how can we solve this problem?

Consider this solution: What if we could determine the distance between you and your device, and if/when that distance grows beyond, say 10 feet, all sensitive apps automatically log you off, or better yet, your device goes into a locked state.

When you re-emerge, the apps are notified, and you're seamlessly back in.

Or, what if we could use the proximity of where you currently are (at the bathroom), to determine that you can't be at your desk, at the exact same time, and therefore you'll be asked to re-authenticate (more strongly) to do anything in the application in the face of this extremely suspicious behavior.

At RSA, we've been looking at how we can provide higher levels of confidence as to the claimed identity of a user, without burdening the user with more login prompts. How can we continuously digest information about events occurring in a user's environment to reduce the friction associated with authentication, while increasing the assurance and confidence level that they are in fact who they claim to be? We call this Continuous Identity Assurance.

This paper describes a set of techniques that can be used for continuous authentication of users, using contextual information such as "what you have", "what you are", or "where you are" to drive effective authentication decisions. An example of a device with the ability to continuously collect and combine multiple sources of contextual information shows the potential of continuous authentication solutions to deliver greatly enhanced security and convenience without having to trade-off between these two often competing priorities.

Speaking more broadly, having continuous access to contextual information within your environment not only can help make your authentication experience seamless, but also increases the certainty that users are in fact who they claim to be. Information such as passing through the physical entry and access points of your work facility, transponders that determine you're close to a specific room within the office, presence of other "familiar" devices you use, or by users or devices around you (wireless access points, printers, Bluetooth devices, RFID tags, etc.) can all be leveraged to make informed assurance decisions in context.

The good news is that most of the infrastructure and technology necessary to make this happen already exists today. In other words: It's possible to provide continuous, frictionless, identity assurance, that lets you go to the bathroom as often as you need to, all the while, behind the scenes, making sure you're who you say you are.