Continuous Authentication Monitoring

Perhaps an unfamiliar term for some best described as a security system that verifies user identity not just at login, but throughout their session. Following login authentication, it continuously monitors user behavior and device status and location to detect anomalies and takes appropriate action when they arise. This approach contrasts with traditional authentication, that typically checks user credentials only once following which the session is set adrift. It also contrasts with Continuous Session Monitoring technology that typically does not include inputs from the authenticating agent or agency and thus has no direct awareness of the active user’s identity.

In consideration of information provided below:

Combining continuous session monitoring with a service like AffirmedID's continuous authentication monitoring provides a powerful approach for a relying party’s session security:

• Complementary Strengths: Continuous session monitoring excels at detecting anomalies in user and device behavior within a session's environment. In contrast, continuous authentication, especially a strong solution like AffirmedID, focuses on validating the user's identity prior to and throughout that session journey.
• Defense in Depth: This combination creates a layered security approach. Even if an attacker were to somehow bypass the initial authentication or mimic user behavior (which is harder with continuous authentication), anomalies in their session activity could still be detected by the continuous session monitoring.
• Mitigating Advanced Threats: While AI-driven attacks can potentially defeat session monitoring alone. Continuous authentication adds a critical layer of identity validation, making it significantly more difficult for attackers to spoof their way through a session.
• Enhanced Trust and Security: For the relying party, this combination provides a higher level of assurance that the user accessing their resources is the legitimate, authenticated user, reducing the risk of fraud, account takeover, and other security breaches. Before and throughout the session.

In essence, continuous session monitoring and strong continuous authentication work together to address different aspects of session security:

• Continuous Session Monitoring: "What" is happening in the session.
• AffirmedID's Continuous Authentication: "Who" is conducting the session.

By combining these, a relying party gains more comprehensive visibility and control, leading to a more secure and trustworthy environment.

Justifying continuous monitoring and its ROI potential:

• The need: Every successful authentication ceremony begins a session yet seldom does that session receive the same level of security attention as did authentication. Historically, the session receives implicit trust. Where attention is given, it typically does so without knowledge of user status throughout the session. So, while the unmonitored session is easily hijacked, the monitored session absent knowledge of user status can be easily compromised by the motivated attacker as well.

• In an ever changing security landscape there are reasons to be especially sensitive to session security. Not only do emerging standards call for it, for example ZTA, but also attention should be given to the sharp increase in session hijackings circumventing MFA authentication and a recent session hijacking incident did so and netted the attackers $1.5B, as in Billion, loss.

The types and benefits of session monitoring:

• The goal of Continuous session monitoring is the ongoing process of tracking user and device activity throughout an active session, following initial authentication. This is done to detect anomalies, and enforce security policies and to a lesser extent, to verify identity. Its purpose is to detect, report, and mitigate post-authentication risks such as session hijacking, account takeover, and unauthorized access. This form of monitoring is performed in the session application environment, for example the laptop or tablet, where identity verification is limited to user activities.

• Risk of identity spoofing: An agent operating within the application's environment provides identity monitoring services. It relies on recognizing user identity by monitoring their behaviors, in other words typing speed, mouse movements and click patterns, scrolling behaviors, and application usage. Spoofing behaviors such as these is not difficult for the dedicated attacker, especially should they be using AI assistance.



• The goal of Continuous authentication monitoring (CAF) is the ongoing verification of a user's identity throughout a session, after initial authentication, by analyzing contextual and behavioral factors. Its purpose is to ensure the authenticated user remains the person accessing the session and to detect, report, and mitigate account compromise, unauthorized access, or session hijacking. This form of monitoring is carried out jointly by the authenticator and cloud service.