The future of authentication is continuous, contextual, and variable.
Authentication will happen constantly, instead of just once when you start your session.
You'll be challenged based on what you're doing, and on what you've been doing.
Challenges will vary in strength based on how long it's been since you last authenticated and/or what type of action you're trying to perform.
And there will be MANY authentication options available—some of which are silent and passive and invisible to the user, and some of which are multi-factor and heavy.
Authentication strength options
Options for authentication will include things like:
- Taking a snapshot of browser identification markers (user agent, languages, screen size, installed fonts, and so on) and submitting it silently on the wire, the way marketing trackers fingerprint users. If the fingerprint changes, prompt a higher-tier auth event.
- Checking that the locally installed bio-behavioral app still matches the user (keyboard typing signature, facial recognition, etc.), and if it doesn't, prompting a higher-tier auth event.
- Two-factor with a hardware token
- Two-factor with a mobile device/app
- Two-factor with a text message (the weakest of the three, since SMS can be intercepted or SIM-swapped)
Sensitive events might be mapped to the OWASP AppSensor project's detection points, labeled with a sensitivity tier (1-5), and then have a required auth strength associated with them (also 1-5).
[ NOTE: 1 is lowest, and 5 is highest. ]
The logic might look something like this:
If you have an active session and it's been more than 15 minutes since your last authentication, authenticate with a type 1 challenge (transparent bio check and pass-through).
If you are within that 15-minute window and you try to perform a type 3 activity, prompt the user with a type 3 challenge (username/password).
If you attempt to change account details, you must authenticate with a type 5 challenge regardless (7-factor bio-temporal-tesseract).
If you've done 3 passive auths in a row, make the next one one level higher (requiring user interaction).
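Here is what those four rules (plus the silent fingerprint check from the options list above) look like as a small step-up policy engine. This is an added example written for this page, not code from the original post. The 15-minute window, the "3 passive auths" threshold, and the "account details always require level 5" rule come straight from the text; the rest is assumed: that only level 1 counts as fully passive, that a changed browser fingerprint forces at least a level 3 (interactive) challenge, and that a tier-T action does not re-prompt when the session already holds a fresh authentication of level T or higher (standard step-up semantics). The browser markers are constructed sample data.

```python
"""Step-up authentication policy engine (illustrative example, not from the original post).

Challenge levels, 1 lowest .. 5 highest (assumed mapping):
  1  silent browser-fingerprint / bio-behavioral check, no user interaction
  2  passive check plus a visible confirmation
  3  username/password
  4  password plus a second factor (token / app)
  5  strongest available
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
import hashlib

REAUTH_WINDOW = timedelta(minutes=15)         # from the post: 15 minutes
MAX_PASSIVE_IN_A_ROW = 3                      # from the post: 3 passive auths
PASSIVE_MAX_LEVEL = 1                         # assumed: only level 1 is fully silent
FINGERPRINT_DRIFT_LEVEL = 3                   # assumed: drift forces an interactive challenge
ALWAYS_LEVEL_5 = {"change_account_details"}   # from the post: account changes are always level 5


@dataclass
class Session:
    fingerprint_hash: str      # hash of the browser markers seen at last auth
    last_auth_at: datetime
    last_auth_level: int
    passive_in_a_row: int = 0  # consecutive passive (level <= 1) auths


def fingerprint_hash(markers: dict) -> str:
    """Canonicalise a dict of browser markers (UA, languages, screen size, ...) and hash it,
    so the server stores and compares a digest rather than the raw markers."""
    canonical = "\n".join(f"{k}={markers[k]}" for k in sorted(markers))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def required_challenge(session: Session, action: str, action_tier: int,
                       current_markers: dict, now: datetime) -> int:
    """Return the challenge level (0 = none, 1..5) the user must pass before `action` runs."""
    level = 0
    fresh = (now - session.last_auth_at) <= REAUTH_WINDOW

    # Silent signal: the browser fingerprint no longer matches what we saw at last auth.
    if fingerprint_hash(current_markers) != session.fingerprint_hash:
        level = max(level, FINGERPRINT_DRIFT_LEVEL)

    # Rule 1: active session older than 15 minutes -> at least a transparent level-1 check.
    if not fresh:
        level = max(level, 1)

    # Rule 2: a tier-T action needs a level-T challenge, unless the session already
    # holds a fresh auth of level >= T (assumed step-up semantics).
    if action_tier > 0 and not (fresh and session.last_auth_level >= action_tier):
        level = max(level, action_tier)

    # Rule 3: account-detail changes get the strongest challenge regardless.
    if action in ALWAYS_LEVEL_5:
        level = 5

    # Rule 4: after 3 passive auths in a row, the next one must involve the user.
    if 0 < level <= PASSIVE_MAX_LEVEL and session.passive_in_a_row >= MAX_PASSIVE_IN_A_ROW:
        level += 1

    return min(level, 5)


def record_auth(session: Session, level: int, markers: dict, now: datetime) -> Session:
    """Update the session after a challenge of `level` was passed."""
    session.last_auth_at = now
    session.last_auth_level = level
    session.fingerprint_hash = fingerprint_hash(markers)
    session.passive_in_a_row = session.passive_in_a_row + 1 if level <= PASSIVE_MAX_LEVEL else 0
    return session


if __name__ == "__main__":
    # Constructed sample markers and a walk through the rules.
    markers = {"ua": "Mozilla/5.0", "lang": "en-US", "screen": "1920x1080"}
    now = datetime(2024, 1, 1, 12, 0, 0)
    sess = Session(fingerprint_hash(markers), now - timedelta(minutes=20), 1, passive_in_a_row=3)
    print("stale + 3 passive:", required_challenge(sess, "view_dashboard", 0, markers, now))
    record_auth(sess, 2, markers, now)
    print("fresh, tier-3 action:", required_challenge(sess, "export_data", 3, markers, now))
    print("account change:", required_challenge(sess, "change_account_details", 5, markers, now))
    print("fingerprint drift:", required_challenge(sess, "view_dashboard", 0,
                                                   dict(markers, ua="curl/8.0"), now))
```

Note that the rules combine with `max`, so the strongest applicable requirement wins, and the "regardless" rule for account changes is applied after the others so nothing can lower it. The fingerprint comparison is on a hash of canonicalised markers: ordering the keys before hashing is what makes the digest stable across requests that send the same markers in a different order.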
So authentication will never really stop. It will still happen at the beginning, but instead of going away afterwards it'll fade into the background.
Watching. Adjusting. Adapting to behavior and conditions and context, and prompting with the right challenge level according to what action is being performed.