Security Encyclopedia

Continuous Authentication

Continuous authentication is a means of granting users access to online services based on acceptable levels of risk or contextual information. Traditional authentication is active: at each login the user must present an authentication factor (e.g., knowledge, possession, or biometric) before access is granted. Continuous authentication is passive: it draws on signals such as browser metadata, user location, passive liveness detection, and the time of day to arrive at an authentication score.

During an online session, the authentication score is matched against the service provider’s risk model for each requested action, and access is granted or denied accordingly. For example, simply viewing account details may always be granted while the score is in the confident range, because the enterprise may consider that viewing the information (even by an impostor) is benign. A financial transaction during the same session would instead prompt the user to actively provide an authentication factor to authorize the payment.
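The scoring and per-action decision described above, as an added illustration that is not part of the original entry or any vendor's product. The signal names, weights and thresholds are assumptions chosen to show the mechanism: a confidence score derived from passive session signals, a per-action minimum from the provider's risk model, a floor below which the session is denied, and a payment that is always stepped up to an active factor.

```python
from dataclasses import dataclass

# Constructed session signals of the kind the entry lists (browser metadata,
# location, passive liveness, time of day). Field names are hypothetical.
@dataclass(frozen=True)
class SessionContext:
    user_agent: str               # browser metadata observed this session
    known_user_agents: frozenset  # user agents seen in the user's history
    country: str                  # geolocated country of the session
    home_country: str             # country recorded in the user's profile
    liveness_ok: bool             # passive liveness check passed
    local_hour: int               # local time of day, 0..23

def authentication_score(ctx: SessionContext) -> int:
    """Confidence 0..100 that the session belongs to the enrolled user.

    Each anomalous signal subtracts an assumed weight; the weights are
    illustrative, not a published model."""
    score = 100
    if ctx.user_agent not in ctx.known_user_agents:
        score -= 30
    if ctx.country != ctx.home_country:
        score -= 40
    if not ctx.liveness_ok:
        score -= 50
    if not 6 <= ctx.local_hour <= 22:
        score -= 10
    return max(score, 0)

# The provider's risk model, expressed as a minimum confidence per action.
ACTION_MIN_SCORE = {"view_account": 30, "update_profile": 60}
ALWAYS_STEP_UP = {"payment"}  # high-value actions always need an active factor
DENY_FLOOR = 20               # below this the session is ended, not stepped up

def decide(action: str, ctx: SessionContext) -> str:
    """Return 'allow', 'step_up' (prompt for an active factor) or 'deny'."""
    score = authentication_score(ctx)
    if score < DENY_FLOOR:
        return "deny"
    if action in ALWAYS_STEP_UP or score < ACTION_MIN_SCORE[action]:
        return "step_up"
    return "allow"
```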

“My bank implemented something called ‘continuous authentication.’ Now whenever I log into my work computer, apparently it knows if I’m on the corporate network and automatically logs me out if I leave the office.”